Beginning around noon on March 31st, UAB's Spam Data Mine began receiving email containing a familiar pattern - a holiday related subject line, with an IP number as the URL to a website the spammer wished us to visit.
Subject lines we've seen so far include:
- All Fools' Day
- Gotcha! April Fool!
- Happy April Fool's Day.
- I am a Fool for your Love
- Surprise! The joke's on you.
- Today's Joke!
- Wise Men Have Learned More from Fools...
The email bodies are just a single phrase followed by a link to a malware website:
- All Fools' Day (link)
- Doh! All's Fool. (link)
- Happy April Fool's Day. (link)
- Happy April Fools! (link)
- I am a Fool for your Love (link)
- Join the Laugh-A-Lot! (link)
- Surprise! The joke's on you. (link)
- Gotcha! April Fool!
- Happy April Fool's Day.
Some of the spammed servers are actually still hosting a previous version of the malware, called "e-card.exe", which has been detected since March 11th. (Although there are still 13 AV companies, according to "VirusTotal.com", including Symantec, which do not detect this old version as a virus.
While some of the servers are offering an old "e-card.exe" version, most have changed to look like this:
The new executable names are "foolsday.exe" and "kickme.exe". Both are the same file, which as of this writing is 139,776 bytes in size, and has an MD5 value of:
7bc0344370ce5e6dd6e1a99e8ce347e0
I was the first to upload the new version of the virus to VirusTotal (or at least it did not say "this file has previously been analyzed", as it does when you are not the first.) At this time, coverage is very spotty. For instance, AVG, ClamAV, F-Prot, McAfee, Microsoft, NOD32, Panda, Symantec, and Sophos all say "No virus found". In fact, of the 32 antivirus products checked by VirusTotal, only 5 named this as a virus, and three of those based this on the fact that it was a "Packed Executable".
UAB researchers have found the same "FoolsDay" version of the malware on more than a dozen servers so far, and, as is usual for storm, most of these are cable modem attached PCs belonging to Americans. Sites in cities like Los Angeles, Miami were prevalent, while we did see one site in Russia (79.164.169.26), and one in Turkey (78.166.30.169) so far.
What happened to Easter?
Several people in the AV community have been wondering, "What happened to Easter?" One theory is that our criminals are Christian on some level and decided not to use the resurrection of Christ to spread viruses. The other theory (which I prefer) is that Russian Orthodox Easter isn't until April 14th, and the virus writers got caught sleeping, not remembering that we in the West don't celebrate Easter when they do.