
Thread: Another "Storm" Wave ...

#1 AplusWebMaster (Adviser Team), joined Oct 2005, USA, 6,881 posts


    Follow up post/thread from http://forums.spybot.info/showthread...9490#post99490 ...

    - http://isc.sans.org/diary.html?storyid=3063
    Last Updated: 2007-06-28 23:33:56 UTC...

    - http://preview.tinyurl.com/2g58ud
    June 28, 2007 (Computerworld)...

    - http://www.us-cert.gov/current/#new_...ariant_spreads
    June 29, 2007

    --------------------------------------

    - http://asert.arbornetworks.com/2007/...tcard-malware/
June 29, 2007 ~ "...Pretend you actually clicked the link. What would happen? You'd possibly get your machine recruited into the Peacomm spam botnet. This handy diagram* shows you what happens once you hit the website. There's some obfuscated JavaScript on the page which builds a link to /123.htm, a malicious ANI file (MS07-017), and other exploits - QuickTime, WinZIP, and WebViewFolderIcon - all to cajole your computer into downloading files and launching them. There's also a link to "/ecard.exe", a downloader... If you actually get hit, your box will ping the web server (/aff/cntr.php) and start to download the Peacomm components, like /aff/dir/sony.exe , /aff/dir/logi.exe, and /aff/dir/pdp.exe..."

    (*Diagram shown at the URL above.)


    Last edited by AplusWebMaster; 2007-07-01 at 01:52.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .
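The Arbor write-up quoted above lists the URL paths a victim touches at each stage: the exploit page and downloader (/123.htm, /ecard.exe), the check-in (/aff/cntr.php) and the component downloads (/aff/dir/*.exe). The script below is an added example, not code from the page or from Arbor, that runs those paths as a staged detection over a web-proxy log and separates clients that merely hit the landing page from clients that went on to check in and pull components. The log format, client addresses and the 192.0.2.10 server are constructed for the example; only the paths come from the write-up.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# URL paths named in the Arbor write-up quoted above: the exploit page,
# the downloader, the check-in script and the component directory.
LANDING_RE = re.compile(r"^/(123\.htm|ecard\.exe)$")
CHECKIN_RE = re.compile(r"^/aff/cntr\.php$")
PAYLOAD_RE = re.compile(r"^/aff/dir/[^/]+\.exe$")

# Constructed proxy log for the example (client, timestamp, method, URL, status).
# The client addresses and the 192.0.2.10 server are documentation values,
# not indicators taken from the page.
SAMPLE_LOG = """\
10.0.0.5 2007-06-29T10:01:02 GET http://192.0.2.10/ 200
10.0.0.5 2007-06-29T10:01:03 GET http://192.0.2.10/123.htm 200
10.0.0.5 2007-06-29T10:01:05 GET http://192.0.2.10/ecard.exe 200
10.0.0.5 2007-06-29T10:01:09 GET http://192.0.2.10/aff/cntr.php 200
10.0.0.5 2007-06-29T10:01:10 GET http://192.0.2.10/aff/dir/sony.exe 200
10.0.0.5 2007-06-29T10:01:11 GET http://192.0.2.10/aff/dir/logi.exe 200
10.0.0.5 2007-06-29T10:01:12 GET http://192.0.2.10/aff/dir/pdp.exe 200
10.0.0.7 2007-06-29T10:02:00 GET http://192.0.2.10/ 200
10.0.0.7 2007-06-29T10:02:01 GET http://192.0.2.10/123.htm 200
10.0.0.9 2007-06-29T10:03:00 GET http://www.example.com/news/index.htm 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def classify_path(path):
    """Map a request path to a stage of the chain, or None if unrelated."""
    if LANDING_RE.match(path):
        return "landing"
    if CHECKIN_RE.match(path):
        return "checkin"
    if PAYLOAD_RE.match(path):
        return "payload"
    return None


def analyze(log_text):
    """Group Storm-like requests by client and rate each client.

    'exposed': only the exploit page and/or ecard.exe were fetched; the
    exploits may have failed or the user may never have run the file.
    'likely_infected': the client also called /aff/cntr.php and pulled at
    least one component from /aff/dir/, which the write-up describes as
    what a box does once it has actually been hit.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than fail the whole run
        client, ts, _method, url, _status = m.groups()
        kind = classify_path(urlsplit(url).path or "/")
        if kind:
            hits[client].append((ts, kind, url))

    verdicts = {}
    for client, events in hits.items():
        kinds = {kind for _, kind, _ in events}
        stage = "likely_infected" if {"checkin", "payload"} <= kinds else "exposed"
        verdicts[client] = {"stage": stage, "hits": events}
    return verdicts


if __name__ == "__main__":
    for client, v in analyze(SAMPLE_LOG).items():
        print(client, v["stage"], len(v["hits"]), "matching request(s)")
```

A proxy log only shows the download, not whether the file ran, so "likely_infected" is a triage priority, not proof; the F-Secure post later in this thread notes the gang kept changing the server IP and the file names, so match on the path structure rather than on a fixed host.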

#2 AplusWebMaster (Adviser Team)


    "...Variations:

    Other subject lines used with this message include the following:

    You've received a greeting card from a school-mate!
    You've received a greeting ecard from a class mate!
    You've received a greeting ecard from a neighbour!
    You've received a greeting postcard from a partner!
    You've received a greeting postcard from a worshipper!
    You've received a postcard from a family member!
    You've received a postcard from a neighbour!
    You've received a postcard from a worshipper!
    You've received an ecard from a colleague! ..."

    - http://www.snopes.com/computer/virus/postcard.asp
    Last updated: 1 July 2007


#3 AplusWebMaster (Adviser Team)


    Again:

    Storm worm with 4th of July subject lines
    - http://isc.sans.org/diary.html?storyid=3090
    Last Updated: 2007-07-03 19:48:30 UTC ...(Version: 2) ~ "We've been receiving numerous mails from readers reporting new subject lines being featured by the Storm Worm. Below is a brief overview of those gathered so far...

    Celebrate Your Independence
    Independence Day At The Park
    Fourth of July Party
    American Pride, On The 4th
    God Bless America
    Happy B-Day USA
    July 4th Family Day
    Your Nations Birthday
    July 4th B-B-Q Party
    Happy 4th July
    4th Of July Celebration
    Fireworks on the 4th ."


#4 AplusWebMaster (Adviser Team)


    More:

    - http://www.f-secure.com/weblog/archi....html#00001224
    July 4, 2007 ~ "...Using an IP address and not a domain name is a pretty good sign that you shouldn't click on the link... They work exactly the same way as the other greeting cards and the ones we've seen have all been using IP addresses for the clickable link. Again, stay away from them... What's great is that the security community is actively trying to get these sites shut down but the bad guys just keep on changing the IP address in the new mails. In addition, they keep changing the files that are being downloaded..."

    (Screenshots available at the URL above.)



#5 AplusWebMaster (Adviser Team)


    FYI...

    The ever morphing Storm
    - http://isc.sans.org/diary.html?storyid=3117
Last Updated: 2007-07-09 03:01:00 UTC - "Readers have been reporting emails with subjects such as:
* Spyware Detected!
* Malware Alert!
* Virus Detected!
The Storm virus from the last week or so (greeting cards) has morphed into this new version. Nothing new; the text has changed somewhat and the subject line is different. By and large it is still the same attempt to get people to download an exe file. Auscert* has put out an alert on this as there has been an increase of these messages in the region.
As per usual, discourage users from blindly clicking links in emails. Educate them on your corporate AV and AS practices so they will know that the message is not legit, and even if you do block all these messages, maybe raise awareness with staff so they don't fall for these types of messages at home. Blocking downloads of exe files is also a good start..."

    * http://www.auscert.org.au/render.html?it=7813


#6 AplusWebMaster (Adviser Team)


    More...

    Fake alert emails
    - http://www.f-secure.com/weblog/archi....html#00001226
July 9, 2007 - "The same gang that has been sending out malicious links in e-mail messages appearing to be greeting cards or 4th of July greetings has now added a new look and feel to their e-mail. Now they might also look like malware, trojan, or spyware alerts from a Customer Support Center and the e-mail speaks about abnormal activity that has been seen from your IP address. All you supposedly have to do is to click on the link and run the file to fix it or else your account will get blocked. Needless to say the downloaded file is malicious. Again the file is downloaded using an IP address and not a DNS name, but this time around they've tried to disguise themselves with a text hyperlink. We detect the downloaded file as Packed.Win32.Tibs.ab."
    (Screenshot available at the URL above.)

    New fake patch malicious code run
    - http://www.websense.com/securitylabs...hp?AlertID=786
    July 09, 2007

    Last edited by AplusWebMaster; 2007-07-09 at 17:04.
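Posts #4 and #6 above give the practical tell for this wave: the clickable link points at a bare IP address instead of a domain, and in the fake-alert variant the IP is hidden behind ordinary link text; posts #2, #3 and #5 list the subject lines used. The script below is an added example, not code from the page or from F-Secure/ISC, that turns those observations into a mail-filter check: it extracts every anchor from an HTML body, flags hrefs whose host is an IP literal, flags the case where the visible text does not itself show that IP, flags direct .exe links, and matches the subject against patterns built from the quoted subject lines. The sample messages, the 192.0.2.10 address and the fix.exe file name are constructed for the example.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Subject patterns built from the lines quoted in this thread (Snopes, ISC).
SUSPECT_SUBJECTS = [
    re.compile(r"^You've received an? (greeting )?(e?card|postcard) from", re.I),
    re.compile(r"(4th|fourth)( of)? july|july 4th|independence day|god bless america|happy b-day usa", re.I),
    re.compile(r"^(spyware|malware|virus) (detected|alert)!", re.I),
]


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_is_ip_literal(url):
    """True when the URL's host is a bare IPv4/IPv6 address rather than a name."""
    try:
        host = urlsplit(url).hostname
        if not host:
            return False
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def score_message(subject, html_body):
    """Return the list of reasons a message looks like a Storm lure (empty = clean)."""
    reasons = []
    if any(p.search(subject) for p in SUSPECT_SUBJECTS):
        reasons.append("subject matches a Storm lure")
    parser = LinkExtractor()
    parser.feed(html_body)
    for href, text in parser.links:
        if host_is_ip_literal(href):
            reasons.append(f"link to IP-literal host: {href}")
            # The greeting-card mails showed the raw IP URL as the link text;
            # the fake-alert mails hid it behind ordinary text (post #6).
            shown = text if "://" in text else "http://" + text
            if text and not host_is_ip_literal(shown):
                reasons.append(f"IP-literal link disguised as text: {text!r}")
        if urlsplit(href).path.lower().endswith(".exe"):
            reasons.append(f"direct .exe download link: {href}")
    return reasons


# Constructed sample messages; 192.0.2.10 is a documentation address and
# fix.exe an invented file name, not indicators from the page.
CARD_MSG = (
    "You've received a postcard from a family member!",
    '<p>To see your postcard click: <a href="http://192.0.2.10/">http://192.0.2.10/</a></p>',
)
ALERT_MSG = (
    "Spyware Detected!",
    '<p>Abnormal activity was seen from your IP address. Run the fix or your '
    'account will be blocked: <a href="http://192.0.2.10/fix.exe">Customer Support Center</a></p>',
)
CLEAN_MSG = (
    "Meeting notes",
    '<p>Notes are at <a href="https://www.example.com/notes">the wiki</a>.</p>',
)

if __name__ == "__main__":
    for subj, body in (CARD_MSG, ALERT_MSG, CLEAN_MSG):
        print(subj, "->", score_message(subj, body) or "clean")
```

The subject list is the weakest signal, since the thread shows it changing every few days; the IP-literal and disguised-link checks survive the gang's IP rotation that F-Secure describes, and the .exe check lines up with the ISC advice to block exe downloads outright.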
