Friday, July 04, 2008

Storm - Fourth of July run

Storm Worm (aka CME711/Peed/Peacomm) has recently retooled its spam run to play on US Independence Day, July 4th.

The site offers fireworks.exe and forces a binary download using some malicious JavaScript. Users should be cautioned to watch for pages that look similar to this:

Instead of the typical "you need to download the codec to play this video" lure, the Storm authors have decided to show some pretty colors on the screen, which may actually trick more users into downloading the malicious file. Hopefully many people in the US will be watching the real fireworks displays and this run will fizzle out.

An example email:

Received: from [133.230.190.105] (helo=ngr)
by izqfx with smtp (Exim 4.62 (FreeBSD))
id 1KEaiJ-0005Pc-6y; Fri, 4 Jul 2008 09:07:55 +0700
Message-ID: <486d8556.6010007@libertytax.com>
Date: Fri, 4 Jul 2008 09:05:10 +0700
From:
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: [redacted]
Subject: Celebrate the spirit of America
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Celebrations have already begun http://68[dot]72[dot]110[dot]46/

(The "." has been replaced with "[dot]" in the URL to protect against accidental clicks.)

Fireworks.exe drops the peer list to C:\WINDOWS\msserv.config and the binary to C:\WINDOWS\msserv.exe. It also sets the NTP server to time.windows.com and time.nist.gov. If you use a different time server and suspect an infection, check the NtpServer value under HKLM\System\CurrentControlSet\Services\W32Time\Parameters.
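As an added example (not part of the original post), here is a PowerShell host check for the indicators listed above: the two dropped files and a changed W32Time NtpServer value. The file paths and the registry key come from the post; the NtpServer and Type value names are the standard W32Time settings. The expected time server name is an assumption you should replace with your own.

```powershell
# Added example, not code from the original post.
# Checks a Windows host for the Storm/fireworks.exe indicators described above.
# Requires PowerShell 4+ for Get-FileHash; run from an elevated prompt.

$ExpectedNtpServer = 'ntp.example.internal'   # ASSUMPTION: replace with your organisation's NTP server

$findings = @()

# 1. Dropped files named in the post (paths are relative to %SystemRoot%, i.e. C:\WINDOWS)
foreach ($path in @("$env:SystemRoot\msserv.exe", "$env:SystemRoot\msserv.config")) {
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{
            Indicator = 'File present'
            Detail    = "$path (size $($item.Length) bytes, sha256 $hash, written $($item.LastWriteTime))"
        }
    }
}

# 2. W32Time configuration: the post says the dropper rewrites the NTP server list
$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
$params  = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue
if ($params) {
    $ntp = [string]$params.NtpServer
    # W32Time stores entries like "time.windows.com,0x9"; drop the ",0x.." flags before comparing
    $servers    = ($ntp -split '\s+') | ForEach-Object { ($_ -split ',')[0] } | Where-Object { $_ }
    $unexpected = $servers | Where-Object { $_ -ne $ExpectedNtpServer }
    if ($unexpected) {
        $findings += [pscustomobject]@{
            Indicator = 'NtpServer changed'
            Detail    = "NtpServer = '$ntp' (expected $ExpectedNtpServer); Type = $($params.Type)"
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    exit 1   # non-zero exit so the check can be scheduled and alerted on
} else {
    Write-Output 'No Storm/fireworks.exe indicators found.'
}
```

A domain-joined workstation normally has Type set to NT5DS and syncs from a domain controller rather than a named NtpServer, so on such hosts any populated NtpServer value that you did not configure is itself worth a closer look; the file check is the stronger indicator either way.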

Additional information can be found at http://garwarner.blogspot.com/2008/07/storm-worm-salutes-our-nation-on-4th.html
