Saturday, July 21, 2007

E-Greetings ... Yes, they are part of stormworm/peacom/peed.

Many of you may have already received email like this:

Hi. School mate has sent you a postcard.
See your card as often as you wish during the next 15 days.

SEEING YOUR CARD

If your email software creates links to Web pages, click on your
card's direct www address below while you are connected to the Internet:

http ://127.0.0.1/? 5b23933165b19d3383b4c009ee64d82c3a9ebee

Or copy and paste it into your browser's "Location" box (where Internet
addresses go).

We hope you enjoy your awesome card.

Wishing you the best,
Mail Delivery System,
hallmark.com

We've certainly noticed them hitting our email drops. The link points to ecard.exe, or another binary file. To date we've captured over 6,500 unique binaries related to this spam. (Full list available here.)

Once downloaded, this bot makes connections to other peers on the Storm network. There are over 250 hard-coded peers in the list; however, many appear to be red herrings, so I will not post the list here until I can confirm each and every one.

Selected drones are turned into proxy spreaders, which means they proxy connections to the 'main' server (located at 205.209.X.X).

I'm working with Shadowserver to get the binaries mass submitted to their anti-virus check service. A spot check of 15 random binaries yielded pretty much the same results:

AhnLab-V2, Authentium, Avast, AVG, ClamAV, eTrust-Vet, Ewido, FileAdvisor, F-Prot, F-Secure, McAfee, Norman, Panda, Symantec, TheHacker, VBA32, and VirusBuster were UNABLE to identify the binary at all.

Several other engines identified it as 'suspicious'. The most consistent results came from (in order): Bitdefender, Nod32, Sophos, Kaspersky and Microsoft.

Please be extra careful clicking on links in email, even from trusted parties!


Wednesday, July 18, 2007

WinAntiSpyware2007

Many people are downloading this application after being duped by popups that say the user is infected.
Once the application is downloaded, it runs a "spyware" scan that appears legitimate; however, if you watch closely, it flags things that don't actually exist. I ran this program on a new image of Windows XP Home. Before running the installer, this image had never been connected to the internet.

(DISOG Photo, Windows XP Home SP1)

This program doesn't appear to actually do anything malicious. Rather, it plays on the ignorance of users by confusing them into thinking they are infected.

For Spyware and Adware protection, we recommend Spybot S&D and LavaSoft's Ad-aware.

(b50add21bda401cc1d028241da0d6605) WinAntiVirusPro2007Install.exe infected: Trojan.Downloader.TY
Downloads: http://download.cdn. winsoftware.com/ files/WinAntiSpyware2007FreeSetup.exe (e0361f7ef2ea36257f9a894f8accb984)

Watch for connections to *.winsoftware.com and *.winantispyware.com.
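As an added example (not code from DISOG), here is a small detection pass over constructed web-proxy log lines that flags both indicators described on this blog: the Storm e-card links (a bare IP host with a long hex token or a link straight to ecard.exe) and downloads from the winsoftware.com / winantispyware.com domains. The log format, the client addresses and the labels are assumptions; only the URL shapes come from the posts above.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Domains named in the WinAntiSpyware2007 post (match the host and any subdomain).
ROGUE_AV_DOMAINS = ("winsoftware.com", "winantispyware.com")

# Storm e-card links: a bare IPv4 host, a path such as /ecard.exe, or an empty
# path whose query string is nothing but a long hex token, as in the sample email.
IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
HEX_TOKEN = re.compile(r"^[0-9a-f]{32,}$", re.I)
EXE_PATH = re.compile(r"\.(?:exe|scr|com|pif)$", re.I)

def classify_url(url: str) -> Optional[str]:
    """Return a label for a suspicious URL, or None if it matches nothing."""
    parts = urlsplit(url.strip())
    host = parts.hostname or ""
    if any(host == d or host.endswith("." + d) for d in ROGUE_AV_DOMAINS):
        return "rogue-av-download"
    if IPV4_HOST.match(host):
        if EXE_PATH.search(parts.path):
            return "storm-ecard-binary"
        if parts.path in ("", "/") and HEX_TOKEN.match(parts.query):
            return "storm-ecard-link"
    return None

# Constructed proxy-log lines (timestamp, client, method, URL); not real captures.
SAMPLE_LOG = """\
2007-07-21T10:01:02 10.0.0.5 GET http://127.0.0.1/?5b23933165b19d3383b4c009ee64d82c3a9ebee
2007-07-21T10:01:03 10.0.0.5 GET http://127.0.0.1/ecard.exe
2007-07-21T10:02:10 10.0.0.9 GET http://download.cdn.winsoftware.com/files/WinAntiSpyware2007FreeSetup.exe
2007-07-21T10:03:00 10.0.0.7 GET http://www.example.com/index.html
2007-07-21T10:03:05 10.0.0.7 GET http://192.0.2.10/?notahextoken
"""

def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client, label, url) for every log line whose URL is suspicious."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; skip rather than guess
        label = classify_url(fields[3])
        if label:
            hits.append((fields[1], label, fields[3]))
    return hits

if __name__ == "__main__":
    for client, label, url in scan_log(SAMPLE_LOG):
        print(f"{client}\t{label}\t{url}")
```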

PS, for those of you who still run as administrator.....


Thursday, July 12, 2007

DISOG at Defcon -- it's raining storm emails.

DISOG will be present at Defcon 15 in Las Vegas August 2nd through August 5th.
At least three people from DISOG will be there. We are trying to get our colleagues from Shadowserver to join us as well.
We are not presenting this year, but will be happy to answer any botnet questions behind closed doors.
If you'll be there and would like to meet up with us, please send me an email!

--

The storm worm is gathering power for its next round of spam. Just a quick reminder not to click on links in email. I recently cleaned the system of a neighbor who had over 100 pieces of malicious code on her system, all related to Storm. She knew the computer was infected, because the code made her system so unstable it would crash after running for 30 seconds.
Prepare for another wild round soon!
