Latest Storm Worm - eCards now uses HTML and fake URLs
The ever-changing Storm Worm (a.k.a., Nuwar, Zheltain) has been revamped from plain text to HTML This conversion process allowed the malicious authors to hide the dangerous numeric IP addresses and make it appear as a legitimate e-card site. The latest versions of most browsers (e.g., IE 7, Firefox 2, Opera 9, etc) allow users to "hover over" a URL and see the true address found in links (just be never to click without verfication).
The best practice is to avoid these messages completely, as hostile scripts could be embedded in future iterations of these massively spammed attacks. Clicking on the URL could automatically download and install some of the worst malware circulating in-the-wild. It is very difficult to detect and clean. Folks can save hours of aggravation and possible damage to their systems by being careful and thinking before they click. Finally, all users should keep their Anti-virus protection as up-to-date as possible to avoid these daily changing attacks.
‘Fun World’? Not Really–Part 2
Video - Storm Site
QUOTE: The Zhelatin/Storm Gang has been very busy lately. Their spamming tactics have changed from sending an attachment to sending a link that directs recipients to an IP Address. The HTML used by their sites is variable, and also differs depending on the browser.
EMAIL SAMPLES (with malicious content removed)
Subject: Someone sent you an Ecard
Date: Thu, 23 Aug 2007 23:22:53 -0400
(REMOVED) wants to send you a greeting from greet2k.com.
To get your message, click on this link:
greet2k.com <<< (DANGEROUS FAKE URL REPLACES NUMERIC IP ADDRESS)
Subject: You have an E-Card from...?
Date: Thu, 23 Aug 2007 14:11:32 -0700
Your Brother wants to send you a greeting from mycardmaker.com.
If you would like to read this greeting, follow this link:
mycardmaker.com <<< (DANGEROUS FAKE URL REPLACES NUMERIC IP ADDRESS)
Subject: A Digital Card from someone who cares.
Date: Thu, 23 Aug 2007 16:16:58 -0500
(REMOVED) is delivering you an Ecard from buzzle.com.
To view your card, follow this link:
buzzle.com <<< (DANGEROUS FAKE URL REPLACES NUMERIC IP ADDRESS)
Subject: This is a Card for you.
Your Neighbour asked us to send you this card from dgreetings.com.
To Enjoy your Ecard, follow this link:
dgreetings.com <<< (DANGEROUS FAKE URL REPLACES NUMERIC IP ADDRESS)