Spyware Warrior: Help with Spyware, Hijacking & Other Internet Nuisances

New Storm Worm - Features dangerous animated e-card links

 
Post new topic   Reply to topic    Spyware Warrior Forum Index -> Virus, Worm &Trojan Alerts
View previous topic :: View next topic  
Author Message
harrywaldron (Junior Member, Roanoke, Virginia)
Posted: Wed Aug 15, 2007 5:10 am    Post subject: New Storm Worm - Features dangerous animated e-card links

Below are recent samples (with all URLs made safer) of email that should be deleted. The numerical links found in these messages may trigger an AUTOMATIC download and install of a very malicious copy of the Nuwar worm. This family of viruses is among the most advanced malware circulating using rootkit, botnet, polymorphism, and other techniques.

AV Protection may or may not be available for these new leading edge variants. It's always advisable to never click on URLs or attachments whenever possible in email messages - even in those which may appear to be safe.

New Storm Worm - Features dangerous animated e-card links
http://www.websense.com/securitylabs/alerts/alert.php?AlertID=792


Recent examples from my in-box

==========================================

Code:
From: *********
To: Harry
Subject: Movie-quality e-card
Date: Mon, 13 Aug 2007 10:27:08 -0400

Mother() has created Movie-quality e-card for you at perfectgreetings.com.

To see your custom Movie-quality e-card, simply click on the following Internet address (if your mail program doesn't support this feature you will need to COPY and PASTE the address into your browser's address box):

hxxp://[URL REMOVED - DANGEROUS numeric IP address]/?bd9a4815755ec21d93815f9518b32f6c9fb697

Send a FREE greeting card from perfectgreetings.com whenever you want by visiting us at: hxxp://perfectgreetings.com/

This service is provided and hosted by perfectgreetings.com.



==========================================


Code:
From: *********
To: Harry
Subject: Animated postcard
Date: Tue, 14 Aug 2007 12:40:40 +0200

School-mate() has created Animated postcard for you at greetingsisland.com.

To see your custom Animated postcard, simply click on the following Internet address (if your mail program doesn't support this feature you will need to COPY and PASTE the address into your browser's address box):

hxxp://[URL REMOVED - DANGEROUS numeric IP address]/?23407b969d2b1d96eb463c6da46ca

Send a FREE greeting card from greetingsisland.com whenever you want by visiting us at: hxxp://greetingsisland.com/

This service is provided and hosted by greetingsisland.com




==========================================


Code:
From: *********
To: Harry
Subject: Greeting ecard
Date: Tue, 14 Aug 2007 02:53:35 -0400

Uncle() has created Greeting ecard for you at hallmark.com.

To see your custom Greeting ecard, simply click on the following Internet address (if your mail program doesn't support this feature you will need to COPY and PASTE the address into your browser's address box):

hxxp://[URL REMOVED - DANGEROUS numeric IP address]/?42a6de1712445fd9c2b5

Send a FREE greeting card from hallmark.com whenever you want by visiting us at: hxxp://hallmark.com/

This service is provided and hosted by hallmark.com.
suzi (Site Admin, sunny California)
Posted: Wed Aug 15, 2007 9:07 am

I've received a number of these. Different anti-virus vendors detect them by different names. Kaspersky detects them as Email-Worm.Win32.Zhelatin.gg (or possibly 2 other letters at the end of the name). McAfee calls them w32/Nuwar@MM. Here's a VirusTotal scan of one of the samples I got yesterday.

File msdataaccess.exe received on 08.15.2007 18:44:59 (CET)

Result: 25/31 (80.65%)

Code:
Antivirus          Version         Last Update  Result
AhnLab-V3          2007.8.15.0     2007.08.14   -
AntiVir            7.4.1.62        2007.08.15   WORM/Zhelatin.Gen
Authentium         4.93.8          2007.08.15   Possibly a new variant of W32/Fathom.1-based!Maximus
Avast              4.7.1029.0      2007.08.13   Win32:Tibs-BDA
AVG                7.5.0.476       2007.08.14   Downloader.Tibs.6.AP
BitDefender        7.2             2007.08.15   DeepScan:Generic.Malware.FMPH@mmign.D3F57BB1
CAT-QuickHeal      9.00            2007.08.14   I-Worm.Zhelatine.di
ClamAV             0.91            2007.08.15   Trojan.Small-3263
DrWeb              4.33            2007.08.15   Trojan.Packed.142
eSafe              7.0.15.0        2007.08.10   Suspicious Trojan/Worm
eTrust-Vet         31.1.5061       2007.08.15   Win32/Sintun.AC
Ewido              4.0             2007.08.15   -
FileAdvisor        1               2007.08.15   -
Fortinet           2.91.0.0        2007.08.15   W32/Tibs.GG!tr
F-Prot             4.3.2.48        2007.08.14   W32/Fathom.1-based!Maximus
F-Secure           6.70.13030.0    2007.08.15   Email-Worm.Win32.Zhelatin.gg
Ikarus             T3.1.1.12       2007.08.15   Email-Worm.Win32.Zhelatin.gg
Kaspersky          4.0.2.24        2007.08.15   Email-Worm.Win32.Zhelatin.gg
McAfee             5098            2007.08.15   Downloader-ASH.gen.a
Microsoft          1.2704          2007.08.15   Worm:Win32/Nuwar.WQ
NOD32v2            2464            2007.08.15   Win32/Nuwar.Gen
Norman             5.80.02         2007.08.15   W32/Tibs.ANVM
Panda              9.0.0.4         2007.08.14   -
Rising             19.36.22.00     2007.08.15   Trojan.DL.Win32.Agent.xhu
Sophos             4.20.0          2007.08.12   -
Sunbelt            2.2.907.0       2007.08.14   VIPRE.Suspicious
Symantec           10              2007.08.15   Trojan.Packed.13
TheHacker          6.1.8.168       2007.08.14   W32/Zhelatin.gen-otro
VBA32              3.12.2.2        2007.08.14   -
VirusBuster        4.3.26:9        2007.08.15   Trojan.Tibs.Gen!Pac.132
Webwasher-Gateway

This particular sample is well detected, but many are not.

Also, some of the emails only have the IP address with nothing after it, for example:

http://130.13.xxx.xxx

There's also an HTML file with exploit code, typically detected by Kaspersky as Trojan-Downloader.JS.Agent.kd.

Keep your anti-virus definitions updated!! And don't click on the links of course.

We have some HijackThis logs here of Storm Worm victims. Also, Storm Worm is mostly a media name. The AVs use different names.
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn. :)
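The spam pattern described in harrywaldron's opening post (a link to a bare numeric IP address followed by a long hexadecimal token) and the variant suzi notes above (the IP address with nothing after it) are both easy to flag mechanically at the mail gateway. The following is an added example, not code from any poster in this thread: a small Python link triage routine that scans a message body for both forms, also accepting the defanged "hxxp" spelling used in the posts. The sample messages are constructed from the quoted e-cards, and the numeric hosts are RFC 5737 documentation addresses standing in for the removed real ones.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed samples, modelled on the e-card messages quoted in this thread.
# The numeric hosts are RFC 5737 documentation addresses (placeholders), not
# the real addresses that were removed from the posts.
SAMPLE_ECARD = """Mother() has created Movie-quality e-card for you at perfectgreetings.com.

To see your custom Movie-quality e-card, simply click on the following Internet address:

http://192.0.2.10/?bd9a4815755ec21d93815f9518b32f6c9fb697

Send a FREE greeting card from perfectgreetings.com whenever you want by visiting us at: http://perfectgreetings.com/
"""
SAMPLE_BARE_IP = "Your greeting card is waiting: http://198.51.100.7"
SAMPLE_DEFANGED = "Reported sample: hxxp://203.0.113.5/?42a6de1712445fd9c2b5"
SAMPLE_CLEAN = "Minutes are at https://intranet.example.com/notes?id=42 and http://www.example.org/"

# http/https plus the defanged hxxp/hxxps spelling used in the thread.
URL_RE = re.compile(r"\bh(?:tt|xx)ps?://([^\s/?#]+)([^\s]*)", re.IGNORECASE)
# Literal dotted-quad host (optional port): the spam links never used a hostname.
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")
# Optional "/" then "?" and a long hex string, as in the quoted links.
HEX_TOKEN_RE = re.compile(r"^/?\?[0-9a-f]{16,}/?$", re.IGNORECASE)


@dataclass
class Finding:
    url: str
    reason: str


def analyse_links(body: str) -> List[Finding]:
    """Return every link in the message body that matches the e-card spam pattern."""
    findings = []
    for m in URL_RE.finditer(body):
        host, rest = m.group(1), m.group(2).rstrip(".,;)")
        if not IPV4_RE.match(host):
            continue  # hostname-based links (perfectgreetings.com etc.) are not the pattern
        if HEX_TOKEN_RE.match(rest):
            findings.append(Finding(m.group(0), "numeric IP with hex token"))
        else:
            findings.append(Finding(m.group(0), "bare numeric IP link"))
    return findings


def verdict(body: str) -> str:
    """Triage label for a mail filter: 'quarantine' if any numeric-IP link is present."""
    return "quarantine" if analyse_links(body) else "deliver"


if __name__ == "__main__":
    for name, sample in [("ecard", SAMPLE_ECARD), ("bare", SAMPLE_BARE_IP),
                         ("defanged", SAMPLE_DEFANGED), ("clean", SAMPLE_CLEAN)]:
        print(name, verdict(sample), [f.reason for f in analyse_links(sample)])
```

A rule this blunt (any dotted-quad link) will also catch legitimate mail that links to an internal address, so in practice it belongs in a scoring filter rather than a hard block; the hex-token form is the stronger signal of the two.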
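suzi's point that the same sample is called Zhelatin, Nuwar or Tibs depending on the vendor makes raw VirusTotal output awkward to read at a glance. As an added example (not from the thread's posters or from VirusTotal), here is a Python parser for the plain-text result rows quoted above that computes the detection ratio and groups vendor names into one family label. The input is a subset of the rows from suzi's post; the alias table is an assumption based on the names she mentions.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Subset of the VirusTotal rows quoted in suzi's post, used here as the example input.
# Row format: "Vendor Version LastUpdate Result"; "-" means no detection.
VT_REPORT = """AhnLab-V3 2007.8.15.0 2007.08.14 -
AntiVir 7.4.1.62 2007.08.15 WORM/Zhelatin.Gen
Authentium 4.93.8 2007.08.15 Possibly a new variant of W32/Fathom.1-based!Maximus
Avast 4.7.1029.0 2007.08.13 Win32:Tibs-BDA
Ewido 4.0 2007.08.15 -
F-Secure 6.70.13030.0 2007.08.15 Email-Worm.Win32.Zhelatin.gg
Kaspersky 4.0.2.24 2007.08.15 Email-Worm.Win32.Zhelatin.gg
McAfee 5098 2007.08.15 Downloader-ASH.gen.a
Microsoft 1.2704 2007.08.15 Worm:Win32/Nuwar.WQ
NOD32v2 2464 2007.08.15 Win32/Nuwar.Gen
Panda 9.0.0.4 2007.08.14 -
Symantec 10 2007.08.15 Trojan.Packed.13
Webwasher-Gateway
"""

# vendor, version, date (yyyy.mm.dd), then the rest of the line as the result text
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+)$")

# Assumed alias table: names the thread says refer to the same malware family.
FAMILY_ALIASES = {"zhelatin": "Storm/Nuwar", "nuwar": "Storm/Nuwar", "tibs": "Storm/Nuwar"}


def parse_report(text: str) -> Tuple[List[Dict[str, Optional[str]]], List[str]]:
    """Parse result rows; returns (rows, lines that did not fit the format)."""
    rows, skipped = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            skipped.append(line)  # e.g. a truncated row with no version/result
            continue
        vendor, version, updated, result = m.groups()
        result = result.strip()
        rows.append({"vendor": vendor, "version": version, "updated": updated,
                     "result": None if result == "-" else result})
    return rows, skipped


def detection_ratio(rows: List[Dict[str, Optional[str]]]) -> str:
    """Format 'detected/total (percent)' the way the VirusTotal summary line does."""
    detected = sum(1 for r in rows if r["result"])
    total = len(rows)
    return f"{detected}/{total} ({100.0 * detected / total:.2f}%)"


def family_summary(rows: List[Dict[str, Optional[str]]]) -> Dict[str, int]:
    """Count detections per normalised family label; unmatched names go to 'other/generic'."""
    counts: Counter = Counter()
    for r in rows:
        if not r["result"]:
            continue
        low = r["result"].lower()
        family = next((fam for key, fam in FAMILY_ALIASES.items() if key in low), "other/generic")
        counts[family] += 1
    return dict(counts)


if __name__ == "__main__":
    parsed, bad = parse_report(VT_REPORT)
    print(detection_ratio(parsed))
    print(family_summary(parsed))
    print("unparsed:", bad)
```

Generic labels such as "Trojan.Packed.13" or "Downloader-ASH.gen.a" land in the "other" bucket, which is the useful signal here: a vendor that detects the packer rather than the family will keep detecting only until the next repack.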
tripkill201 (Warrior, Approximately 2.3698 billion light years away.)
Posted: Wed Aug 15, 2007 10:15 am

Thanks for the info! I got 5 of those e-mails in my Bulk folder today! Phew, good thing I read this before I signed in to my e-mail. :)
_________________


The stakes are immense, the task colossal, the time is short. But we may hope, we must hope, that man's own creation, man's own genius, will not destroy him. -Albert Einstein
MadameX (Site Admin)
Posted: Wed Aug 15, 2007 3:18 pm

I've gotten quite a few of these, myself.

Or rather, I got a notification from my ISP telling me that they were denied because of the worm, which they identified.
_________________
CARMA
suzi (Site Admin, sunny California)
Posted: Wed Aug 15, 2007 3:24 pm

Outlook recognizes these as dangerous and disables the links by default, which is good. And many of them are caught by the spam filter on my mail server.
Nightmaretony (Warrior, Meadowbrook)
Posted: Wed Aug 15, 2007 4:57 pm

Yahoo catches them in the bulk spam folder pronto. So hilarious since there are so many going round. Still dangerous but sad to those who know...
_________________
For this is the place
where dreams
and nightmares
are birthed
and bred

Nightmare Park
harrywaldron (Junior Member, Roanoke, Virginia)
Posted: Fri Aug 17, 2007 9:54 am

Below are recent links on the latest "animated e-card variants". One point of concern comes from AVERT Labs on the constant repackaging of Nuwar to evade AV detections EVERY FEW MINUTES. No wonder AV vendors are in the 30% detection range, as Nuwar is constantly mutating in an automated fashion. A few years ago, security researchers speculated on the "super worm" that would constantly mutate so that AV detection strings couldn't keep pace with in-the-wild copies circulating. Unfortunately, we're getting closer to seeing this prediction come true.

AVERT LABS - Keeping up with Nuwar
http://www.avertlabs.com/research/blog/index.php/2007/08/15/keeping-up-with-nuwar/

Quote:
Well, given that Nuwar is polymorphically repacked every few minutes and a functionally new version is released every day, that was hardly surprising. I zipped the samples up and sent them to our virus researchers to produce detection for them ...


F-Secure - Zhelatin gang changing tactics
http://www.f-secure.com/weblog/archives/archive-082007.html#00001249

Quote:
Over the last few weeks, we've seen tons of ecard.exe spam, where fake greeting card mails have been spammed out. The messages have not contained an attachment, but just links to web sites that offer a download of one ecard.exe to your machine. Since last night, the messages have changed. You still get the normal greeting card spam. But when you follow the link, the web site now talks about the need for you to install "Microsoft Data Access" to your computer ...


WebSense Alert on new storm worm
http://www.websense.com/securitylabs/alerts/alert.php?AlertID=792