Posted on Monday, February 11th, 2008 | Bookmark on del.icio.us
New Storm Valentine’s Day Campaign
by Jose NazarioWhile we saw the Valentine’s day campaign start in January, it’s morphed. This time using the following approaches (some old, some new)
- raw IP addresses in the spam lures
- the filename is now “valentine.exe”, using a redirect and a clickable link
- much more simple HTML websites
- subjects include “Blind Love”, “Just You” and other warm fuzzy subjects
- rapidly changing MD5 hashes
- poor AV detection
Dropped files, the peerlist (an INI file) and a driver … here’s the filename scheme this time:
C:\WINDOWS\system32\diperto.ini
C:\WINDOWS\system32\diperto7701-7a5c.sys
It will use this to create and start a service:
Create Service - Name: (diperto7701-7a5c) Display Name: (diperto7701-7a5c) File Name: (C:\WINDOWS\system32\diperto7701-7a5c.sys) Control: () Start Type: (SERVICE_AUTO_START)
Start Service - Name: (diperto7701-7a5c) Display Name: () File Name: () Control: () Start Type: ()
And all the same good old Stormy stuff. Poor AV detection (via VirusTotal), but humans can spot this a mile away.
A timeline of the history of the Storm trojan over the past year is at http://www.spamtrackers.eu/wiki
Also depicted are the images used by Storm including the current eight.