New Storm Valentine’s Day Campaign

By: Jose -

While we saw the Valentine's Day campaign start in January, it has since morphed. This time it uses the following approaches (some old, some new):

  • raw IP addresses in the spam lures
  • the filename is now “valentine.exe”, using a redirect and a clickable link
  • much simpler HTML websites
  • subjects include “Blind Love”, “Just You” and other warm fuzzy subjects
  • rapidly changing MD5 hashes
  • poor AV detection
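The lure characteristics above (raw IP addresses in the links, a clickable link to an .exe, and a small set of "warm fuzzy" subjects) are cheap to check at the mail gateway. The following triage helper is an added example, not code from the diary; the message texts are constructed, the subject list is seeded only with the two subjects named above, and the 192.0.2.0/24 address is a documentation range standing in for whatever raw IP a real lure carries.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Seed list of lure subjects named in the diary; extend from your own mail samples.
LURE_SUBJECTS = {"blind love", "just you"}

# Constructed sample messages (subject, body); none of these are real spam captures.
SAMPLE_MESSAGES = [
    ("Just You", "Open http://192.0.2.10/valentine.exe and see what I made for you"),
    ("Blind Love", "Click here: http://192.0.2.77/"),
    ("Meeting notes", "Slides are at https://example.com/report.pdf"),
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def host_is_raw_ip(url: str) -> bool:
    """True when the URL host is a bare IPv4/IPv6 literal instead of a hostname."""
    host = urlparse(url).hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def links_to_exe(url: str) -> bool:
    """True when the URL path ends in .exe (the lure's 'valentine.exe' pattern)."""
    return urlparse(url).path.lower().endswith(".exe")


def score_message(subject: str, body: str) -> dict:
    """Return the lure indicators present in one message plus the URLs found."""
    urls = [u.rstrip(".,;)") for u in URL_RE.findall(body)]
    hits = []
    if subject.strip().lower() in LURE_SUBJECTS:
        hits.append("lure-subject")
    if any(host_is_raw_ip(u) for u in urls):
        hits.append("raw-ip-url")
    if any(links_to_exe(u) for u in urls):
        hits.append("exe-link")
    return {"hits": hits, "urls": urls}


def triage(messages):
    """Map each subject to its indicator list, keeping only messages with at least one hit."""
    return {s: score_message(s, b)["hits"] for s, b in messages if score_message(s, b)["hits"]}


if __name__ == "__main__":
    for subject, hits in triage(SAMPLE_MESSAGES).items():
        print(f"{subject!r}: {', '.join(hits)}")
```

A raw-IP link on its own is not proof of anything; the value is in the combination, so a gateway rule would typically quarantine on two or more hits and only log on one.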

The dropped files are the peer list (an INI file) and a driver; here is the filename scheme this time:

C:\WINDOWS\system32\diperto.ini
C:\WINDOWS\system32\diperto7701-7a5c.sys

It will use this to create and start a service:

Create Service - Name: (diperto7701-7a5c) Display Name: (diperto7701-7a5c) File Name: (C:\WINDOWS\system32\diperto7701-7a5c.sys) Control: () Start Type: (SERVICE_AUTO_START)
Start Service - Name: (diperto7701-7a5c) Display Name: () File Name: () Control: () Start Type: ()
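The two service lines above are exactly the kind of record a host monitor or sandbox emits, and they carry everything needed to flag the install: an auto-start kernel driver dropped into system32 whose service name, display name and file stem are all the same random-looking token. The parser below is an added example, not the diary's code; the first two sample lines reproduce the page's own records, the Spooler line is a constructed benign control, and the `diperto<4 digits>-<4 hex>` name shape is an assumption generalising the single sample reported here.

```python
import re
from pathlib import PureWindowsPath

# Sample events in the monitor's "Create Service / Start Service" line format.
# Lines 1-2 are the records from the diary; line 3 is a constructed benign control.
SAMPLE_EVENTS = [
    r"Create Service - Name: (diperto7701-7a5c) Display Name: (diperto7701-7a5c) "
    r"File Name: (C:\WINDOWS\system32\diperto7701-7a5c.sys) Control: () Start Type: (SERVICE_AUTO_START)",
    r"Start Service - Name: (diperto7701-7a5c) Display Name: () File Name: () Control: () Start Type: ()",
    r"Create Service - Name: (Spooler) Display Name: (Print Spooler) "
    r"File Name: (C:\WINDOWS\system32\spoolsv.exe) Control: () Start Type: (SERVICE_AUTO_START)",
]

EVENT_RE = re.compile(
    r"^(?P<action>Create Service|Start Service) - Name: \((?P<name>[^)]*)\) "
    r"Display Name: \((?P<display>[^)]*)\) File Name: \((?P<file>[^)]*)\) "
    r"Control: \((?P<control>[^)]*)\) Start Type: \((?P<start>[^)]*)\)$"
)

# Assumed name shape for this campaign's driver: fixed prefix, 4 digits, dash, 4 hex digits.
DIPERTO_RE = re.compile(r"^diperto\d{4}-[0-9a-f]{4}$", re.IGNORECASE)
SYSTEM32 = r"c:\windows\system32"


def parse_event(line: str):
    """Split one monitor line into its fields, or return None if it is not a service record."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def assess(event) -> list:
    """List the reasons a Create Service event resembles the Storm driver install."""
    if event is None or event["action"] != "Create Service":
        return []
    path = PureWindowsPath(event["file"])
    reasons = []
    if path.suffix.lower() == ".sys" and event["start"] == "SERVICE_AUTO_START":
        reasons.append("auto-start kernel driver")
    if str(path.parent).lower() == SYSTEM32:
        reasons.append("installed from system32")
    if DIPERTO_RE.match(event["name"]):
        reasons.append("diperto-style service name")
    if event["name"] == path.stem and event["name"] == event["display"]:
        reasons.append("service/display/file names identical")
    return reasons


def triage(lines) -> dict:
    """Return {service name: reasons} for events that are both a driver and otherwise odd.

    The system32 location alone is not a signal (legitimate services live there too),
    so a hit requires the auto-start driver plus at least one naming indicator.
    """
    findings = {}
    for line in lines:
        ev = parse_event(line)
        reasons = assess(ev)
        naming = {"diperto-style service name", "service/display/file names identical"}
        if "auto-start kernel driver" in reasons and naming & set(reasons):
            findings[ev["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_EVENTS).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Because the numeric and hex parts of the name change between samples, matching on the shape of the name rather than the literal `diperto7701-7a5c` keeps the rule useful across the rapidly changing builds the diary mentions.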

And all the same good old Stormy stuff. Poor AV detection (via VirusTotal), but humans can spot this a mile away.

Comments

  1. A timeline of the history of the Storm trojan over the past year is at http://www.spamtrackers.eu/wiki

    Also depicted are the images used by Storm including the current eight.

  2. A basic analysis of one sample I captured in my Gmail box:

    http://extremesecurity.blogspot.com/2008/02/happy-valentines-day.html

    This valentine.exe is still loose in the wild.