Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

Latest Storm Worm - eCards now uses HTML and fake URLs

The ever-changing Storm Worm (a.k.a. Nuwar, Zhelatin) has been revamped from plain text to HTML. This conversion lets the malicious authors hide the dangerous numeric IP addresses behind link text that looks like a legitimate e-card site. The latest versions of most browsers (e.g., IE 7, Firefox 2, Opera 9) allow users to "hover over" a link and see the true address it points to (just be sure never to click without verification).

The best practice is to avoid these messages completely, as hostile scripts could be embedded in future iterations of these massively spammed attacks. Clicking on the URL could automatically download and install some of the worst malware circulating in the wild, which is very difficult to detect and clean. Folks can save hours of aggravation and possible damage to their systems by being careful and thinking before they click. Finally, all users should keep their anti-virus protection as up-to-date as possible to defend against these daily changing attacks.
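The "hover over the link" advice above can be automated on the mail-gateway or mailbox side: extract every anchor from the HTML body and flag any whose visible text names a friendly-looking domain while the underlying href goes somewhere else, or whose href host is a raw numeric IP. The following Python script is an added example written for this page, not code from the original post or from any of the vendors quoted; the sample HTML message, the hostname 192.0.2.10 (a documentation address) and the function names are all constructed for illustration.

```python
"""Flag e-card style lures whose visible link text does not match the real link target.

Added example for this page (not the blog author's code). It uses only the
standard library so it can run offline over a captured HTML mail body.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the spam described in the post; the host
# 192.0.2.10 is a reserved documentation address, not a real sighting.
SAMPLE_HTML_EMAIL = """<html><body>
<p>(REMOVED) wants to send you a greeting from greet2k.com.</p>
<p>To get your message, click on this link:
<a href="http://192.0.2.10/ecard.exe">greet2k.com</a></p>
<p>Greetings,<br>greet2k.com</p>
</body></html>"""

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
DOMAIN_LIKE_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a href=...> element."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_anchors(html):
    """Return a list of (href, text) tuples found in an HTML body."""
    collector = _AnchorCollector()
    collector.feed(html)
    return collector.anchors


def classify_anchor(href, text):
    """Return a list of reasons an anchor looks like a disguised link (empty if clean).

    - "raw-ip-host": the href points at a bare IPv4 address.
    - "text-host-mismatch": the visible text is a domain name that is neither the
      href host nor a parent of it (e.g. text "greet2k.com", href host 192.0.2.10).
    """
    # Scheme-less hrefs such as "greet2k.com/x" would otherwise parse with no host.
    target = href if "//" in href else "http://" + href
    host = urlparse(target).hostname
    if not host:
        return []  # mailto:, javascript: and similar are out of scope here
    host = host.lower()
    reasons = []
    if IPV4_RE.match(host):
        reasons.append("raw-ip-host")
    shown = text.lower()
    if DOMAIN_LIKE_RE.match(shown) and shown != host and not host.endswith("." + shown):
        reasons.append("text-host-mismatch")
    return reasons


def find_suspicious_links(html):
    """Run classify_anchor over every anchor and return only the flagged ones."""
    findings = []
    for href, text in extract_anchors(html):
        reasons = classify_anchor(href, text)
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_links(SAMPLE_HTML_EMAIL):
        print(f"{finding['text']!r} -> {finding['href']}  [{', '.join(finding['reasons'])}]")
```

The mismatch check deliberately tolerates subdomains (text "example.com" with href host "www.example.com" is not flagged), so it catches the disguise the post describes without raising noise on ordinary marketing mail. A link whose text is a plain phrase such as "click here" is only reported when the target is a raw IP.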

‘Fun World’? Not Really–Part 2
http://www.avertlabs.com/research/blog/index.php/2007/08/22/fun-world-not-really-part-2/

QUOTE: Today Nuwar/Zhelatin spammed out several thousand mails, which are very similar to those we saw yesterday. Although the spam template did not change at all, the format of the mail changed. It changed to HTML instead of plain text, but it does not contain any active content such as JavaScript or ActiveX. Compared with the last spam wave, the IP address is no longer visible. Users might have learned not to click on http://xx.xx.xx.xx/ IP addresses in spam mails, and now they need to get educated again.

Video - Storm Site
http://www.f-secure.com/weblog/archives/archive-082007.html#00001257

QUOTE: The Zhelatin/Storm Gang has been very busy lately. Their spamming tactics have changed from sending an attachment to sending a link that directs recipients to an IP Address. The HTML used by their sites is variable, and also differs depending on the browser.

EMAIL SAMPLES (with malicious content removed)

==================================

To: Harry
Subject: Someone sent you an Ecard
From: (REMOVED)
Date: Thu, 23 Aug 2007 23:22:53 -0400

(REMOVED) wants to send you a greeting from greet2k.com.

To get your message, click on this link:
greet2k.com <<< (DANGEROUS FAKE URL REPLACES NUMERIC IP ADDRESS)

Greetings,
greet2k.com

==================================

To: Harry
Subject: You have an E-Card from...?
From:
Date: Thu, 23 Aug 2007 14:11:32 -0700

Your Brother wants to send you a greeting from mycardmaker.com.

If you would like to read this greeting, follow this link:
mycardmaker.com <<< (DANGEROUS FAKE URL REPLACES NUMERIC IP ADDRESS)

Greetings,
mycardmaker.com

==================================

To: Harry
Subject: A Digital Card from someone who cares.
From: (REMOVED)
Date: Thu, 23 Aug 2007 16:16:58 -0500

(REMOVED) is delivering you an Ecard from buzzle.com.

To view your card, follow this link:
buzzle.com <<< (DANGEROUS FAKE URL REPLACES NUMERIC IP ADDRESS)

Greetings,
buzzle.com

==================================

To: Harry
Subject: This is a Card for you.
From: (REMOVED)

Your Neighbour asked us to send you this card from dgreetings.com.

To Enjoy your Ecard, follow this link:
dgreetings.com <<< (DANGEROUS FAKE URL REPLACES NUMERIC IP ADDRESS)

Sincerly,
dgreetings.com

==================================


Comments

Jeff said:

The wife bit on this one.

What this did was stop the PC from booting and dusted the restore. To get rid of it I started the PC in safemode, ran ad-aware, which got rid of it a bit, not all. I was able then to normally start the PC. I found another spyware app, cannot remember the name. I ran that and it did eliminate this worm.

Jeff

August 24, 2007 12:30 PM

Kerry said:

Yep, saw this one and KNEW this had to be worse than it appeared. My innate senses seem to be true. I logged into my wife's email and sho 'nuff, there it was in some form again.

NEVER, EVER click on an unsolicited email unless you know the sender, and even that is still dangerous! I have had family members infect me with the latest virus that CA didn't pick up on yet.

Get a GOOD AV program, learn to set it up, use it, update it even hourly (or before opening emails), and never, ever go to a website a friend includes within a joke. Remember - no one is running a site for free. If not infected, cookies and .com files want to track everything you do.

August 26, 2007 1:37 PM

Tracy Esau said:

It was fun and informative simultaneously reading the blogs and the comments present on this site.

April 10, 2008 3:09 AM