Internet Domain Registry

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Thursday, 3 July 2008

Storm Worm Salutes Our Nation on the 4th!

Posted on 15:29 by Unknown
I had just left for my holiday weekend when one of our UAB Computer & Information Sciences students
called to let me know he thought he had a new Storm version on his hands.

He had received an email wishing him a happy Fourth of July, followed by an IP address, which he recognized as a traditional Storm-style email.

I ran a quick check in the UAB Spam Data Mine, and here is what we had so far (the oldest of these is around 90 minutes ago, so we'll have a fuller picture tomorrow I'm sure.)

Subjects
=================
Amazing firework 2008
America the Beautiful
American Independence Day
Bright and joyful Fourth of July
Celebrate Independence
Celebrating Fourth of July
Celebrating the Glory of our Nation
Celebrating the spirit of our Country
Celebrations have already begun
Fabulous Independence Day firework
God bless America
Happy Birthday, America!
Happy Independence Day
Happy Independence Day!!
Independence Day firework broke all records *
Spectacular fireworks show
Stars and Strips forever
The best of 4th of July Salute
Time for Fireworks
Wish your friends a happy Independence Day


Bodies
=================
Amazing Independence Day show
America the Beautiful
Celebrating the Glory of our Nation
God bless America
Sparkling Celebration of Independence Day
Stars and Strips forever
Super 4th!
The best firework you've ever seen

IP Addresses
=================
4.248.91.239
12.173.3.17
24.13.166.252
24.130.139.182
24.249.135.214
24.33.244.139
24.99.230.65
64.252.164.229
65.185.105.8
65.185.32.14
67.176.18.50
67.185.246.151
67.191.111.202
67.36.178.103
67.38.31.104
68.179.134.99
68.62.190.121
69.0.75.77
69.141.230.19
69.225.5.209
216.137.135.74
216.255.59.26




The website, which seems to invite visitors to play a fireworks video,
actually downloads the Storm malware in the form
of an executable called "fireworks.exe".



Detection is fairly good already, with 16 of 28 AV engines detecting at
VirusTotal.com, with each calling it the various well known names for Storm:

Dorf:
Sophos = "Troj/Dorf-BP"

Nuwar:
AVG = I-Worm/Nuwar.U
McAfee = W32/Nuwar@MM
Microsoft = Backdoor:Win32/Nuwar.gen!D
NOD32v2 = Win32/Nuwar.DC

Peacomm:
Symantec = Trojan.Peacomm.D

Peed:
BitDefender = Trojan.Peed.JLV

Tibs:
VirusBuster = Trojan.Tibs.AMZ

Zhelatin:
AntiVir = WORM/Zhelatin.Gen
GData = Email-Worm.Win32.Zhelatin.add
Kaspersky = Email-Worm.Win32.Zhelatin.add
Webwasher = Worm.Zhelatin.Gen


Because this is a holiday weekend, there may be quite a few people who don't get blocking in place right away.

Best of luck to you all, and to those who are fortunate enough to live in the United States of America, Happy Independence Day!
Email ThisBlogThis!Share to XShare to Facebook
Posted in | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • Happy New Year! Here's a Virus! (New Year's Postcard malware)
    I've been busy this week looking at the various defacements (see ComputerWorld , and ABC News ) and other cyber attacks (see yesterday...
  • From Russia, With Love . . . new Postcard spam spies on your PC
    Isn't it nice to have friends who send you postcards? The UAB Spam Data Mine is especially fortunate in that way. Beginning the evenin...
  • New Year's Waledac Card
    We haven't seen a new version of Waledac since Independence Day (July 4, 2009), but it looks like its back! I'm on vacation today, s...
  • Top Brands Imitated by Malicious Spam
    WebSense recently released an InfoGraphic titled "Top Five Subject Lines in Phishing Emails." for January 1, 2013 through Septemb...
  • Tempting Photo Attachments Lead to Fake AV
    One of today's largest malicious spam campaigns continued an occasional theme we've been seeing for a few weeks. A subject line, fo...
  • What about the Social Security Numbers? (The Utah Data Breach and your SSN)
    The Utah Data Breach This week the continuing saga of the Utah Medicaid Data Breach continued to unfold. If you haven't been following...
  • Stop the Rumors: Quit SMSing about WalMart Gang Initiations
    My daughter and her teenage friend were sitting on the couch watching TV today when they began getting text messages on their phone. Here...
  • Minipost: IPR Center celebrates Cyber Monday
    The National Intellectual Property Rights Center (IPR Center) announced today that in celebration of Cyber Monday, they have Seized 82 Domai...
  • ACH Spammer switches to Shortened URLs
    For many weeks now the spammers behind one particular malware family have been fighting a running battle to keep their malware-hosting domai...
  • Work at Home . . . for a Criminal?
    How do you tell if a "Work at Home" invitation is a scam? Here's a clue: It comes in your email. In today's Blog, I tho...

Categories

  • china
  • computer security careers
  • conficker
  • cyberwar
  • digital certificates
  • facebook
  • fake av
  • gumblar
  • koobface
  • law enforcement
  • malware
  • pharmaceuticals
  • phishing
  • public policy
  • spam
  • twitter
  • twitter malware
  • waledac
  • zbot

Blog Archive

  • ►  2013 (21)
    • ►  December (4)
    • ►  November (1)
    • ►  October (1)
    • ►  September (1)
    • ►  August (3)
    • ►  July (1)
    • ►  June (1)
    • ►  May (5)
    • ►  April (3)
    • ►  March (1)
  • ►  2012 (18)
    • ►  August (1)
    • ►  June (1)
    • ►  May (7)
    • ►  April (2)
    • ►  March (7)
  • ►  2011 (28)
    • ►  November (3)
    • ►  October (1)
    • ►  August (4)
    • ►  July (6)
    • ►  June (1)
    • ►  May (2)
    • ►  April (2)
    • ►  March (6)
    • ►  February (1)
    • ►  January (2)
  • ►  2010 (80)
    • ►  December (6)
    • ►  November (10)
    • ►  October (6)
    • ►  September (12)
    • ►  August (5)
    • ►  July (4)
    • ►  June (11)
    • ►  April (7)
    • ►  March (8)
    • ►  February (4)
    • ►  January (7)
  • ►  2009 (92)
    • ►  December (12)
    • ►  November (11)
    • ►  October (16)
    • ►  September (7)
    • ►  July (5)
    • ►  June (10)
    • ►  May (2)
    • ►  April (6)
    • ►  March (7)
    • ►  February (6)
    • ►  January (10)
  • ▼  2008 (101)
    • ►  December (7)
    • ►  November (17)
    • ►  October (11)
    • ►  September (10)
    • ►  August (22)
    • ▼  July (12)
      • FBI & Facebook: Storm Worm gets it all wrong!
      • To Understand the War on Terror: Read This
      • Top News in Spam = Old News
      • Two Spammers Doing Time and One That Got Away
      • Amero to Replace Dollar? Could Storm Worm Be Right?
      • News Headlines Still Out of Control
      • Russian Cybercrooks, CoreFlood, and the Amazing Jo...
      • 22 More Romanians meet The Long Arm of the Law
      • Nuwar Looks for News Readers?
      • Storm Worm Salutes Our Nation on the 4th!
      • 7-11 ATM Hackers (?) - More details
      • July Storm Worm gives us some Love
    • ►  June (3)
    • ►  May (7)
    • ►  April (5)
    • ►  March (2)
    • ►  February (1)
    • ►  January (4)
  • ►  2007 (31)
    • ►  December (3)
    • ►  November (9)
    • ►  October (3)
    • ►  September (2)
    • ►  August (5)
    • ►  July (5)
    • ►  January (4)
  • ►  2006 (5)
    • ►  December (2)
    • ►  October (3)
Powered by Blogger.

About Me

Unknown
View my complete profile