Late For Christmas, Early For New Year - TNG!
It seems that three waves of New Year Ecard notification e-mails weren't enough for the Storm Worm Gang; this morning brought me a nice new shiny version, ho hum!
Here's a screenshot of what just one of the fourth wave of New Year based e-mails looks like:

The body text can be one of a number of text strings, and the link, at the moment, is once more an actual domain name [another new one] rather than the more usual IP address based link.
Of course, when you click on the link you go to a very simple-looking site. Here is a screenshot of the web page you could end up on if you click on the link in one of the fourth wave of New Year themed e-mails.

And here is a screenshot of the source HTML for the site shown above, showing the filename that this wave offered:

As I said in my posting yesterday [27th December 2007]:
"Usually, the websites used by the Storm Worm Gang are loaded with exploit code so that any vulnerable systems get automatically infected, however, in these cases [so far], they are just using social engineering to get you to infect your own computer by clicking on the link and running the file."
It seems that they were listening, as this new wave now includes a JavaScript routine to obfuscate the URL of the malware file being offered as a fake New Year Ecard. In this case the real filename being offered is 'happynewyear2008.exe'.
Just to make it crystal clear, the file offered on this site will NOT show you a seasonal 'New Year E-card!'. All that will happen is that your computer will be infected and turned into a zombie [a bot-infected computer that is part of a botnet], if it is not protected by any mitigating technologies, such as up-to-date anti-virus, and so on.
At the time of publishing this entry, detection was still very patchy, with a number of the top anti-virus products not detecting the malware-laden file as infected. You have been warned.
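The post does not show the obfuscation routine itself, so as an added example (not the blog's or the Storm Worm Gang's code) here is a small defender-side page scanner. It assumes a hypothetical lure page, constructed inline, whose download link is assembled in JavaScript from `unescape()` percent-encoding and string concatenation rather than written as a plain `<a href>`. The scanner pulls out `<script>` blocks and plain `href` attributes, undoes those two common obfuscations, and reports any reference to an executable filename plus the obfuscation indicators it saw, which is the sort of check a mail-gateway or sandbox analyst would want when a page's source looks "very simple" but the link is not where you expect it.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed sample (hypothetical, not the real Storm Worm page): the
# download link is built by script instead of appearing as a plain anchor.
SAMPLE_HTML = """
<html><body>
<p>Your New Year E-card is ready!</p>
<script>
var p = unescape('%68%74%74%70%3a%2f%2f');
var h = 'example' + '.invalid' + '/';
var f = 'happy' + 'newyear2008' + '.e' + 'xe';
document.write('<a href="' + p + h + f + '">Click here</a>');
</script>
</body></html>
"""

# Executable-looking filenames or URLs ('.com' is left out: it collides with domains).
EXEC_EXT = re.compile(r"[\w./:%-]+\.(?:exe|scr|pif|bat|cmd)\b", re.IGNORECASE)
# unescape('<percent-encoded>') -> a plain string literal
UNESCAPE = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)")
# 'a' + 'b' -> 'ab' (same quote style on both sides, escapes respected)
STR_CONCAT = re.compile(r"(['\"])((?:\\.|(?!\1).)*)\1\s*\+\s*\1((?:\\.|(?!\1).)*)\1")


class _ScriptCollector(HTMLParser):
    """Collects <script> bodies and plain <a href> values from a page."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.scripts = []
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
        elif tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.scripts.append(data)


def deobfuscate(js):
    """Resolve unescape() literals and fold adjacent string concatenations."""
    js = UNESCAPE.sub(lambda m: "'" + unquote(m.group(2)) + "'", js)
    prev = None
    while prev != js:  # repeat until no 'a' + 'b' pairs remain
        prev = js
        js = STR_CONCAT.sub(lambda m: m.group(1) + m.group(2) + m.group(3) + m.group(1), js)
    return js


def scan_page(html):
    """Report executable references in hrefs and in deobfuscated script text,
    plus which obfuscation primitives the raw script used."""
    collector = _ScriptCollector()
    collector.feed(html)
    raw_js = "\n".join(collector.scripts)
    js = deobfuscate(raw_js)
    indicators = [kw for kw in ("unescape(", "document.write(", "eval(", "fromCharCode(")
                  if kw in raw_js]
    return {
        "href_executables": sorted({m.group(0) for h in collector.hrefs
                                    for m in EXEC_EXT.finditer(h)}),
        "script_executables": sorted(set(EXEC_EXT.findall(js))),
        "obfuscation_indicators": indicators,
    }


if __name__ == "__main__":
    for key, value in scan_page(SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

The scanner only folds literal-to-literal concatenation and `unescape()`; it deliberately does not execute the script, so a page that builds the link from variables (as the sample does with `p + h + f`) still surfaces the executable name because the pieces were folded before they were joined. Anything beyond that (`eval`, `fromCharCode`, runtime decoding) is only flagged as an indicator for a human or a sandbox to follow up.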