Tuesday, July 01, 2008

July Storm Worm gives us some Love

The authors of the Storm Worm must have had some good success with their "love theme" for last month's Storm Propagation Spam, because they have decided to repeat the theme today.

Right about midnight the UAB Spam Data Mine began to receive spam messages for the new Storm Worm.

After being directed to a website that looks like this:

we followed the links on the site to receive some fresh malware. How fresh was it? The executables, which were named "winner.exe" and "mylove.exe" depending on whether you follow the banner ad or the text link, were uploaded to VirusTotal where we found these results:

At our initial scan, of 33 different AV engines, only FOUR of them knew this was a virus, and only two could label it correctly. (Currently we are up to EIGHT AV products properly identifying this as storm. My university machine, which runs McAfee Anti-Virus, does not detect it with a fresh signature update.)

We have seen a wide variety of subject lines in the spam so far . . .

All I need is You
Always on my mind
Can't forget You
Can't stay away from you
Crazy in love
Crazy in love with you
Deep in my heart
Deeply in love with you
Fallen for you
For you...Sweetheart!
Hate that I love you
Here in my heart
Hold you close
I give my heart to you
I knew I Loved You
I'll never stope loving you
I'll Never Find Someone Like You
I'll Still Love You More
I Love Being In Love With You
I love you so much!
In your arms
Just you and me
Lost In Love
Lost In Your Eyes
Love me tender, love me true
Lovin' You
Lucky to have you
Madly in love
Miss you with all my heart
Missing you
My heart belongs to you
My heart to yours
My heart was stolen
Not the same without you
Only Wanna Be With You
Somebody loves you
Stand by my side
Together forever
We belong together
With all my love
With you by mi side
You are always on my mind
You are in my heart
You are my world
You are the ONE
You feel up my senses
You have touched my heart
You make my world beautiful
You make my world special

The domain names which have been used so far are:


(Yes, we actually have spam samples for every one of these domains. For most we have MANY samples. That's what the Spam Data Mine does!)

All of these domains seem to be registered with Chinese Registrar "www.bizcn.com".

They use the nameservers (ns# as the prefix on each of these, ns, ns1, ns2, etc.):


and their own domain (ns1.wholoveguide.com, etc.)

The latter nameserver, verynicebank.com, was also used during the Beijing Earthquake version of the storm worm, described by f-secure. It served as the nameserver for "grupogaleria.cn", which was used in the attack described by F-Secure in their blog on June 19th. It also served as the nameserver for "nationwide2u.cn", although we are not yet sure of the purpose of that domain name.

We are actively seeking termination of the last few domains now (most are already down).

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.