Security Bytes

Jun 29 2007   8:04AM GMT

Web watchers warn of new Storm attack

Leigha Cardwell

The prolific Storm malware is on the attack again, according to the folks at the SANS Internet Storm Center (ISC). ISC handler Lorna Hutcheson wrote on the Storm Center Web site that the latest email attack uses the subject line “You’ve received a postcard from a family member!” From there, the email text comes in the following variations (WARNING: DO NOT CLICK ON THE URLs BELOW):

——–
OPTION 1
——–

Click on the following Internet address or
copy & paste it into your browser’s address box.

http://200xxxxxxxxxxxxxxxx

——–
OPTION 2
——–

Copy & paste the ecard number in the “View Your Card” box at

http://200.8xxxxxxxx

Your ecard number is 08a823e96272575cbcxxxx

Hutcheson says the Web site has some interesting JavaScript that “appears to have multiple ways to exploit a browser in order to compromise a system.” If JavaScript is enabled, she says, the user receives this:

MD5 (tm.exe) = 07276fce39282fd182757d2557f9eca7 which is a downloader that gets this:

MD5 (logi.exe) = 4aa22564a0b886226d8cf14456a598ab

She adds: “If javascript is disabled, then they provide you a handy link to click on to exploit yourself and you get MD5 (ecard.exe) = 30051dc10636730e4d6402ef8e88fd04.”

Here is what a user would see:

“We are currently testing a new browser feature. If you are not able to view this ecard, please click here (/ecard.exe) to view in its original format.”

From there, the ISC lists a bunch of other code variations and a long list of compromised home machines being used in the attacks.
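For defenders, the lure and the three hashes quoted above are enough to build a simple mail-filter and file-hash check. This is an added example written for this page (not ISC or Security Bytes code): the MD5 values are the ones quoted in the post, while the sample e-mail and the 203.0.113.10 address are constructed placeholders standing in for the masked lure URL.

```python
"""Detection helpers for the Storm 'ecard' lure described in the post."""
import hashlib
import re
from pathlib import Path
from typing import Optional

# MD5s quoted in the post (tm.exe, logi.exe, ecard.exe)
KNOWN_MD5 = {
    "07276fce39282fd182757d2557f9eca7": "tm.exe (downloader)",
    "4aa22564a0b886226d8cf14456a598ab": "logi.exe (second stage)",
    "30051dc10636730e4d6402ef8e88fd04": "ecard.exe (no-JavaScript fallback)",
}

# Lure indicators taken from the e-mail text in the post.
LURE_SUBJECT = re.compile(r"you.ve received a postcard from a family member", re.I)
# The lure links to a bare IPv4 literal ("http://200.8..."), not a hostname.
IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?:[/:]\S*)?", re.I)
ECARD_NUMBER = re.compile(r"ecard number", re.I)


def score_message(subject: str, body: str) -> dict:
    """Return which lure indicators an e-mail matches and an overall verdict."""
    hits = {
        "lure_subject": bool(LURE_SUBJECT.search(subject)),
        "ip_literal_url": bool(IP_URL.search(body)),
        "ecard_number": bool(ECARD_NUMBER.search(body)),
    }
    # Subject alone is decisive; otherwise require both body indicators.
    hits["suspicious"] = hits["lure_subject"] or (
        hits["ip_literal_url"] and hits["ecard_number"]
    )
    return hits


def classify_bytes(data: bytes) -> Optional[str]:
    """Label file contents if their MD5 is one of the quoted hashes, else None."""
    return KNOWN_MD5.get(hashlib.md5(data).hexdigest())


def classify_file(path: Path) -> Optional[str]:
    """Convenience wrapper: hash a file on disk and look it up."""
    return classify_bytes(path.read_bytes())


# Constructed sample mirroring the OPTION 2 lure; the IP is a TEST-NET placeholder.
SAMPLE_SUBJECT = "You've received a postcard from a family member!"
SAMPLE_BODY = ('Copy & paste the ecard number in the "View Your Card" box at\n'
               "http://203.0.113.10/\n"
               "Your ecard number is 08a823e96272575cbc0000")

if __name__ == "__main__":
    print(score_message(SAMPLE_SUBJECT, SAMPLE_BODY))
```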

This is just another reminder not to click emailed URLs if they don’t come from a trusted source.


10 Comments on this Post

  • computer.dude.28
    This is going around again, this time with an IP address of 74.99.XXX.XXX
  • computer.dude.28
    and it tries to install "Remote Data Services Data Control" add-on from "Microsoft Corporation"
  • chris jarrett
    Will this exploit affect Firefox or just Internet Explorer, and what about the effect of it on Linux and other alternate operating systems?
  • 082670
    I'm not 100% certain about how this might affect Linux, but everything I've been told so far indicates that this is primarily a problem for Windows users running either Internet Explorer or Firefox.
  • chris jarrett
    Because it is a JavaScript exploit, using the NoScript plugin for Firefox will prevent infection unless you click the link. It will also cut down on lagging background scripting while making Firefox all that more secure.
  • Storm malware posing as fake security warnings — Security Bytes
    [...] The Storm malware is using yet another trick in its endless push for world domination. Two weeks ago Storm passed itself off as a greeting card from family members to trick people into clicking on malicious URLs in their email inbox. Last week it tried to use patriotic messages to dupe people into getting infected. [...]
  • Frank
    Found this, found a way to remove it. Here it goes.
    1. Disable System Restore
    2. Boot into safe mode (possibly; didn't try doing it without)
    3. Once in safe mode go to device manager (in system properties)
    4. Click view and 'Show Hidden Devices'
    5. Find the device under 'non plug and play devices' that looks suspicious. I've seen variants that start Windev - four random characters - four random characters, and some that start vdo - something - something
    6. Uninstall this device
    7. Browse to your C:\windows\system32 directory and find the file name that corresponds to the device that was shown in device manager and delete it
    8. Search the registry for that same string, and delete all references; there should be one in current config, and somewhere else I believe.
    This process worked for me, hopefully it will work for other people.
  • psiborg999
    This is really just a Microsoft exploit. I use Linux ONLY and my antivirus (KLAMAV) found it on-the-fly and quarantined it. No intervention was necessary. Info as follows: EXPLOIT: Trojan.Small-3263. The payload file "ecard.exe" was sent in two different emails, both arriving within seconds of each other, from: dgreetings.com and riversongs.com. Set blocking filters accordingly. Windows People! Just don't open the attachment! *.exe's DON'T belong in emails!
  • Justin White
    RE: *.exe’s DON’T belong in emails! and Windows People! Just don’t open the attachment! The exploit points them to a website via a link in the e-mail, or the user must manually paste the URL into a web browser. There are no attachments or .exe's involved. Am I wrong??
  • Apple User
    And yet, all you IDIOTS just keep using Windoze! When will you wise up and join the masses already making a huge exodus to Macs? You bring it on yourselves... really. Have fun!
