CME711 (Storm) using TOR ruse
This morning I woke up to the latest storm page...
The text is a word for word cut and paste from the official TOR website, tor.eff.org.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Tor: anonymity online</title>
</head>
<body>
<table border=0 width="500">
<tr><td><img src="img/tor1.gif"></td><td><h2>Tor: anonymity online</h2></td></tr>
<tr><td colspan="2">
<br>
Tor is a toolset for a wide range of organizations and people that want to improve their safety and security on the Internet. Using Tor can help you anonymize web browsing and publishing, instant messaging, IRC, SSH, and other applications that use the TCP protocol. Tor also provides a platform on which software developers can build new applications with built-in anonymity, safety, and privacy features.
<br><br>
Tor aims to defend against traffic analysis, a form of network surveillance that threatens personal anonymity and privacy, confidential business activities and relationships, and state security. Communications are bounced around a distributed network of servers called onion routers, protecting you from websites that build profiles of your interests, local eavesdroppers that read your data or learn what sites you visit, and even the onion routers themselves.<br><br>
<a href="tor.exe"><img src="img/tor2.png" border=0></a>
</td></tr>
</table>
</body>
</html>
In summary, they're angling for more clicks by offering The Onion Router (TOR) proxy as bait. Of course, the binary is the standard CME711 trojan, nothing fancy. At least they could have included TOR in the download!
The files file.php, sony.exe and tor.exe are resolving while video.exe, setup.exe and labor.exe no longer resolve.
UPDATE: TrendMicro has a nice writeup on this too: http://blog.trendmicro.com/nuwar-poses-as-tor-proxy/
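
A defender-side check for the pattern in the page source above (an image used as the only content of a link that points at an executable), as an added example that is not part of the original post. The extension list, function names and the benign link in the sample are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed extension list for this example; tune it to local policy.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif")


class LureLinkFinder(HTMLParser):
    """Collect <a> links to executables; note when the link body is only an image."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._href = None      # href of the <a> currently open, if any
        self._has_img = False  # saw an <img> inside the open <a>
        self._text = ""        # visible text inside the open <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._has_img, self._text = dict(attrs).get("href"), False, ""
        elif tag == "img" and self._href is not None:
            self._has_img = True

    def handle_data(self, data):
        if self._href is not None:
            self._text += data

    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        # Compare only the URL path so query strings do not hide the extension.
        if urlparse(self._href).path.lower().endswith(EXECUTABLE_EXTS):
            self.findings.append({
                "href": self._href,
                "image_only": self._has_img and not self._text.strip(),
            })
        self._href = None


def find_executable_links(html):
    finder = LureLinkFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample: the download link from the page source above plus a benign link.
SAMPLE = """<table><tr><td>
<a href="tor.exe"><img src="img/tor2.png" border=0></a>
<a href="about.html">About</a>
</td></tr></table>"""

if __name__ == "__main__":
    for finding in find_executable_links(SAMPLE):
        print(finding)
```
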
