Storm worm's spammy love notes
We received several reports of spam with Subject lines such as “Sweetest Things Aren’t Things!”, “Valentine’s Day”, “The Love Train” and other similar subject lines. These all included a URL that was just an IP address. Those URLs led to binaries named valentine.exe. The MD5 of the binaries is changing rapidly, so AV detection based on MD5 or other hash values is not reliable.
We submitted one version to VirusTotal; 12 of the 31 AV engines there recognized it. Valentine.exe is a new version of the Storm worm. Thanks to contributors Doug, Colin and Susan.
Update: The URLs are now being hosted on fast-flux style hosting. Domains seen so far include destroythemoon.com and moonstarfood.com. Subject lines now also include "I Love You", "Rockin' Valentine", "You Stay in My Heart", "My Heart For You", "A hearty WIsh" and "Thinking of U All Day". I am sure we will see other subject lines.
Jose Nazario of Arbor Networks has some additional information about this at: http://asert.arbornetworks.com/2008/02/new-storm-valentines-day-campaign/
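Since the binary's hash changes too fast to be useful, a mail gateway or log triage script is better off keying on the indicators the diary does describe: a URL whose host is a bare IP address, a download path ending in valentine.exe, the fast-flux domains named in the update, and the listed subject lines. The script below is an added example, not code from the diary or its contributors; the sample messages and the 192.0.2.10 address (a TEST-NET range) are constructed for it.

```python
"""Flag e-mail that matches the Storm valentine.exe campaign indicators."""
import re
from urllib.parse import urlparse

# Subject lines listed in the diary (matched case-insensitively).
KNOWN_SUBJECTS = {
    "sweetest things aren't things!", "valentine's day", "the love train",
    "i love you", "rockin' valentine", "you stay in my heart",
    "my heart for you", "a hearty wish", "thinking of u all day",
}
# Fast-flux domains named in the diary update.
KNOWN_DOMAINS = {"destroythemoon.com", "moonstarfood.com"}
# Name of the lure binary; matched on the last path component of the URL.
LURE_FILENAME = "valentine.exe"

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
DOTTED_QUAD_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def classify_url(url):
    """Return the indicator names a single URL matches (possibly empty)."""
    hits = []
    parsed = urlparse(url.rstrip(".,;:)"))  # drop trailing sentence punctuation
    host = (parsed.hostname or "").lower()
    if DOTTED_QUAD_RE.match(host):
        hits.append("bare-ip-url")
    if host in KNOWN_DOMAINS:
        hits.append("known-domain")
    if parsed.path.rsplit("/", 1)[-1].lower() == LURE_FILENAME:
        hits.append("lure-filename")
    return hits


def classify_message(subject, body):
    """Return a sorted list of all indicators matched by one message."""
    hits = set()
    # Normalise the curly apostrophe seen in the reported subjects.
    normalised = subject.replace("\u2019", "'").strip().lower()
    if normalised in KNOWN_SUBJECTS:
        hits.add("known-subject")
    for url in URL_RE.findall(body):
        hits.update(classify_url(url))
    return sorted(hits)


def is_storm_lure(subject, body):
    """Verdict: a lure file name or known domain alone is enough;
    otherwise require two independent indicators to limit false positives."""
    hits = classify_message(subject, body)
    return "lure-filename" in hits or "known-domain" in hits or len(hits) >= 2


# Constructed sample messages for the example (not real captures).
SAMPLE_MESSAGES = [
    {"subject": "Valentine\u2019s Day",
     "body": "Open your card: http://192.0.2.10/valentine.exe"},
    {"subject": "Rockin' Valentine",
     "body": "See it here http://destroythemoon.com/valentine.exe."},
    {"subject": "Q1 budget review",
     "body": "Slides at https://intranet.example/decks/q1.pdf"},
]


def scan_messages(messages):
    """Return (subject, indicators) for every message judged to be a lure."""
    return [(m["subject"], classify_message(m["subject"], m["body"]))
            for m in messages if is_storm_lure(m["subject"], m["body"])]


if __name__ == "__main__":
    for subject, indicators in scan_messages(SAMPLE_MESSAGES):
        print(f"FLAGGED: {subject!r} -> {', '.join(indicators)}")
```

Run it as a script to see the two constructed lures flagged and the budget mail pass; the `classify_*` functions can be dropped into a log parser that has already split messages into subject and body.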
File valentine.exe received on 02.12.2008 17:28:57 (CET)
Antivirus | Version | Last Update | Result |
---|---|---|---|
AntiVir | 7.6.0.65 | 2008.02.12 | Worm/Zhelatin.pb |
BitDefender | 7.2 | 2008.02.12 | Trojan.Peed.IWX |
DrWeb | 4.44.0.09170 | 2008.02.12 | Trojan.Packed.357 |
eSafe | 7.0.15.0 | 2008.02.11 | Suspicious File |
Kaspersky | 7.0.0.125 | 2008.02.12 | Packed.Win32.Tibs.ic |
Microsoft | 1.3204 | 2008.02.12 | TrojanDropper:Win32/Nuwar.gen!B |
NOD32v2 | 2868 | 2008.02.12 | probably a variant of Win32/Nuwar.Gen |
Prevx1 | V2 | 2008.02.12 | Stormy:All Strains-All Variants |
Sophos | 4.26.0 | 2008.02.12 | W32/Dorf-AW |
Symantec | 10 | 2008.02.12 | Trojan.Peacomm |
VirusBuster | 4.3.26:9 | 2008.02.12 | Trojan.DR.Tibs.Gen!Pac.142 |
Webwasher-Gateway | 6.6.2 | 2008.02.12 | Worm.Zhelatin.pb |
Additional information:

Field | Value |
---|---|
File size | 119296 bytes |
MD5 | 4e6951fffca1e210e4b9bb24e708b74f |
SHA1 | a7a8a9796146cd77c287a8d82958ff5456fa8d24 |
PEiD | MinGW GCC 3.x |
Prevx info | http://info.prevx.com/aboutprogramtext.asp?PX5=471C3E5C00B5389FD25A012AD815B300221371E2 |