Wednesday, August 22, 2007

This Storm's For You

The "Storm" Trojan worm is on the loose - and it can affect you or someone you know. What makes this little gem so different from the "normal" malware crap is that it can change and morph by itself.

The latest junk mails almost always pose as confirmation messages for an account that you have supposedly already created. The sites are for stuff like "CoolPics", "Joke-A-Day", "Web Players" or more than 15 other names.

The email "confirms" your sign-up with an account number and "temporary password" - then encourages you to go to a web site to change the password. BE AWARE: the website is always a numbered IP address and not a real domain (e.g. rather than

As a general rule - even when a "real" domain is displayed - check the rollover link (usually shown in the bottom left or right of your email client's status bar) to make sure you're going to the site actually displayed - or better yet - set your preferences to receive mail in text-only format rather than HTML.
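As an added example (not part of the original post), here is a small Python check that does the rollover-link test described above programmatically: it pulls every link out of an HTML email and flags targets that are bare IP addresses, that download an executable, or whose displayed text names a different site than the real target. The message it runs on is constructed to mimic the pattern in this post and is not a real capture; the hostnames and the IP address are reserved documentation values.

```python
"""
Added example (not from the original post): flag "account confirmation"
scam mail by checking where each link in an HTML email really points.
Assumes the mail is a plain RFC 822 string; the sample below is
constructed and uses reserved example/documentation hostnames and IP.
"""
import email
from email import policy
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample mimicking the "Wine Lovers" confirmation in the post.
SAMPLE_MAIL = """\
From: Technical Services <support@example.invalid>
To: member@example.invalid
Subject: Thank You for Joining Wine Lovers
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Confirmation Number: 65971419<br>Temporary Login: user6050</p>
<p>Click here to enter our secure server:
<a href="http://203.0.113.45/applet.exe">Wine Lovers</a></p>
<p>Or log in at
<a href="http://203.0.113.45/login">www.wine-lovers.example/login</a></p>
<p>Help: <a href="https://www.example.com/help">www.example.com/help</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_bare_ip(host):
    """True if the host part of a URL is a literal IPv4/IPv6 address."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def check_links(raw_mail):
    """Return (href, text, reasons) for every suspicious link in the mail."""
    msg = email.message_from_string(raw_mail, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    parser = LinkCollector()
    parser.feed(body.get_content())
    findings = []
    for href, text in parser.links:
        reasons = []
        url = urlparse(href)
        host = (url.hostname or "").lower()
        if is_bare_ip(host):
            reasons.append("link target is a numeric IP, not a domain")
        if url.path.lower().endswith(".exe"):
            reasons.append("link downloads an executable")
        # The "masking" trick: displayed text names a site, but the real
        # target is somewhere else entirely.
        shown = text.lower().split("/")[0]
        if "." in shown and shown != host:
            reasons.append("displayed address differs from real target")
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in check_links(SAMPLE_MAIL):
        print(f"{text!r} -> {href}: {'; '.join(reasons)}")
```

Run it against a saved `.eml` file by reading the file into `check_links`; anything it reports deserves the same suspicion as a mismatched rollover link, while a clean result only means the link looks honest, not that the site is.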

The scammers/spammers apparently have tired of using an e-card come-on and have now switched to the aforementioned account confirmation or the tried-and-true offer of nude pictures and pornography. All of the spam tries to get the user to download an application called "applet.exe" - supposedly a "secure sign in" application - and that's where the fun begins.

Because this worm morphs - it's difficult for anti-virus companies to get a jump on it. Just when they update their definitions to block a certain signature, the thing morphs into something else.

Since back-to-school is just around the corner - my guess is that they're getting geared up for the unsuspecting semi-computer-literate/drunk-with-nothing-to-do crowd to take the bait. Once a system is infected, it's very difficult to get it clean again.

This worm affects Windows (shocker!) - but can also infect Windows Virtual PC, Mac OS X systems running Parallels - and it can even infect VMware.

It detects VMware by probing VMware's I/O port for a particular magic number (something that can be easily changed), and it detects Virtual PC by executing illegal instruction opcodes, which raise errors only when the software is running on a physical system and not inside a virtual machine.

Yet another reason to email your mom, grandparents and/or grads heading off to college...

UPDATE: Here's an actual message I received about 5 minutes ago (I changed the URL in the link from a numeric IP address - but notice how it was masked):

Dear Member,

Thank You for Joining Wine Lovers.

Confirmation Number: 65971419
Temorary Login: user6050
Temorary Password: vr634

Please keep your account secure by logging in and changing your login info.

Click here to enter our secure server: Wine Lovers

Technical Services
Wine Lovers

