Posted on Monday, February 11th, 2008 | Bookmark on del.icio.us

New Storm Valentine’s Day Campaign

by Jose Nazario

While we saw the Valentine’s day campaign start in January, it’s morphed. This time using the following approaches (some old, some new)

  • raw IP addresses in the spam lures
  • the filename is now “valentine.exe”, using a redirect and a clickable link
  • much more simple HTML websites
  • subjects include “Blind Love”, “Just You” and other warm fuzzy subjects
  • rapidly changing MD5 hashes
  • poor AV detection

Dropped files, the peerlist (an INI file) and a driver … here’s the filename scheme this time:

C:\WINDOWS\system32\diperto.ini
C:\WINDOWS\system32\diperto7701-7a5c.sys

It will use this to create and start a service:

Create Service - Name: (diperto7701-7a5c) Display Name: (diperto7701-7a5c) File Name: (C:\WINDOWS\system32\diperto7701-7a5c.sys) Control: () Start Type: (SERVICE_AUTO_START)
Start Service - Name: (diperto7701-7a5c) Display Name: () File Name: () Control: () Start Type: ()

And all the same good old Stormy stuff. Poor AV detection (via VirusTotal), but humans can spot this a mile away.

This entry was posted on Monday, February 11th, 2008 at 11:24 pm and is filed under Malware, Spam. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

2 Responses | Add your own



Comment Post by: Mark — February 13th, 2008 @ 6:07 am EST  Reply

A timeline of the history of the Storm trojan over the past year is at http://www.spamtrackers.eu/wiki

Also depicted are the images used by Storm including the current eight.

Comment Post by: Aa'ed Alqarta — February 19th, 2008 @ 1:38 pm EST  Reply

A basic analysis of one sample i captured in my Gmail box:

http://extremesecurity.blogspot.com/2008/02/happy-valentines-day.html

this valentine.exe is still loose in the wild.

Leave a Comment