Storm Worm Reappears With Another Love Message
After a break, the criminals behind the Storm worm are again trying to exploit surfers' curiosity about a fictitious love interest in order to get users to download the malicious code, says the security-training provider SANS Storm Institute, on June 2, 2008.
According to SANS security expert Donald Smith, a security researcher known as DavidF detected a site that downloads the Storm worm, while spammers were sending out the link to that site in their e-mails, as reported by ZDNet on June 3, 2008.
As is known, the Storm botnet, a network of a large number of compromised PCs, controls about 1 million to 5 million computers, making it more powerful than IBM's Blue Gene/L supercomputer. First appearing on January 19, 2007, the Storm worm got its name because the spam delivering the malware was sent out at the time of a biting winter storm in Europe.
The SANS researchers further reveal that the message in the spam reads, "Crazy in love with you" followed by the link hxxp://220.127.116.11. On the site, however, they found only three files: Ir.gif, index.html and loveyou.exe. The index.html page entices visitors to execute loveyou.exe by asking who their lover is and telling them that, if they wish to know the name, they should click either the "run" or "open" option mentioned in the e-mail.
Loveyou.exe is a variant of the Storm worm, also known as Troj/Dorf-AP and Trojan.Peacomm.D. The spam campaign is an effort to trick surfers into downloading a backdoor program that in turn downloads more malware from the Web. Hence, the security researchers recommend that IT professionals block the IP address until the site is cleaned up.
Furthermore, the unidentified gang controlling the Storm botnet attempted a similar method in January 2008 in a campaign around Valentine's Day, in which, according to Sophos, the group used a social-engineering tactic to dupe users into following a link embedded in a "Valentine's Day" e-mail.
After that, Storm worm attacks began to decline, leading some computer-security vendors to declare that the Storm worm's influence was waning. But in May 2008, Symantec researchers discovered several new domains hosting the Storm worm that were using fast-flux techniques to hide their URLs.
Related article: Storm Worm Returns with Follow-Up Attack
SPAMfighter News - 12-06-2008