More New Year Storm Waves...
It seems that four waves of New Year E-card notification e-mails weren't enough for the Storm Worm Gang, with the weekend bringing two more shiny new versions. It looks like the Storm Worm Gang are stuck in a rut at the moment; you can see what I mean from the screenshots I captured and have included in this posting!
Here's a screenshot of what just one of the fifth wave of New Year based e-mails looks like:

The body text can be one of a number of text strings, and the link, at the moment, is once more an actual domain name [yet another new one] rather than the more usual IP-address-based link.
Of course, when you click on the link you arrive at a very simple-looking site. Here is a screenshot of the web page you could end up on if you click on the link in one of the fifth wave of New Year themed e-mails.

Here's a screenshot of what just one of the sixth wave of New Year based e-mails looks like:

The body text can be one of a number of text strings, and the link, at the moment, is once more an actual domain name [yes, yet another new one!] rather than the more usual IP-address-based link.
Of course, when you click on the link you arrive at a very simple-looking site. Here is a screenshot of the web page you could end up on if you click on the link in one of the sixth wave of New Year themed e-mails.

The website HTML code is the same as in the last three waves and still includes a JavaScript routine that obfuscates the URL of the malware file being offered as a fake New Year E-card. In both of the new waves seen over the weekend the real filename being offered is still 'happynewyear2008.exe'.
Just to make it crystal clear: the file offered on this site will NOT show you a seasonal 'New Year E-card!'. All that will happen is that your computer will be infected and turned into a zombie [a bot-infected computer that is part of a botnet], unless it is protected by mitigating technologies such as up-to-date anti-virus, and so on.
At the time of publishing this entry, detection was still very patchy, with a number of the top anti-virus products not detecting the malware-laden file as infected. You have been warned.
I'm just wondering how many waves it is going to take to get the Storm Worm Gang to change their tactics once more, any offers? ;-)
UPDATE1:
More new waves have now appeared; they use the following domain names and filenames:
Domain: happy2008toyou . com hosting the Filename: happy_2008.exe [31st Dec 2008]
Domain: hellosanta2008 . com also hosting the Filename: happy_2008.exe [31st Dec 2008]
Domain: hohoho2008 . com also hosting the Filename: happy_2008.exe [31st Dec 2008]
Domain: happysantacards . com also hosting the Filename: happy_2008.exe [31st Dec 2008]
Please do not go to those sites and download the files offered, as they are real, live malware.
I've now created and put up a video on my YouTube channel here: http://www.youtube.com/momusings. It shows all ten of the New Year fake e-card sites, from the start on the 26th of December 2007 until the tenth variant, which arrived mid-afternoon on the 31st of December 2007.
UPDATE2:
More waves were released on the 1st and 2nd of January; they use the same e-mail notifications, and the website style is similar to that used in the previous waves. They are using more new domains, details below:
Domain: santapcards . com hosting the Filename: happy_2008.exe [1st Jan 2008]
Domain: parentscards . com also hosting the Filename: happy_2008.exe [2nd Jan 2008]
Domain: postcards-2008 . com also hosting the Filename: happy_2008.exe [2nd Jan 2008]
Domain: santawishes2008 . com also hosting the Filename: happy_2008.exe [2nd Jan 2008]
Domain: merrychristmasdude . com also hosting the Filename: happy_2008.exe [3rd Jan 2008]
As mentioned before, please do not go to these sites and download the files offered, as they are real, live malware.
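As an added example (not part of the original post), here is a small Python script that turns the defanged domain list above, plus the two executable names named in this post, into a detection over constructed squid-style proxy access log lines; the log format, the hit structure and the sample lines are my assumptions, not anything captured from the campaign.

```python
import re

# Defanged domains copied from the post above (the "name . com" spelling) and the
# two payload filenames it names. Sample log lines below are constructed.
DEFANGED_DOMAINS = [
    "happy2008toyou . com", "hellosanta2008 . com", "hohoho2008 . com",
    "happysantacards . com", "santapcards . com", "parentscards . com",
    "postcards-2008 . com", "santawishes2008 . com", "merrychristmasdude . com",
]
PAYLOAD_NAMES = {"happy_2008.exe", "happynewyear2008.exe"}

def refang(domain: str) -> str:
    """Turn 'example . com' or 'example[.]com' back into 'example.com'."""
    return re.sub(r"\s*\[?\.\]?\s*", ".", domain.strip().lower())

BLOCKED = {refang(d) for d in DEFANGED_DOMAINS}

# Assumed squid native log layout: ts elapsed client action/code size method url ...
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)")
URL_RE = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/[^\s?#]*)?", re.I)

def classify(line: str):
    """Return a hit dict for a line that touches a known domain or payload name, else None."""
    m = LOG_RE.match(line)
    u = URL_RE.match(m["url"]) if m else None
    if not u:
        return None
    host = u["host"].lower()
    filename = (u["path"] or "/").rsplit("/", 1)[-1].lower()
    reasons = []
    if host in BLOCKED or any(host.endswith("." + b) for b in BLOCKED):
        reasons.append("known-storm-domain")   # exact or subdomain match
    if filename in PAYLOAD_NAMES:
        reasons.append("storm-payload-name")   # same file served from an unlisted host
    if not reasons:
        return None
    return {"client": m["client"], "host": host, "filename": filename, "reasons": reasons}

def scan(lines):
    return [hit for hit in (classify(l) for l in lines) if hit]

SAMPLE_LOG = """\
1199059200.123 120 10.0.0.5 TCP_MISS/200 4096 GET http://www.example.org/index.html - DIRECT/203.0.113.9 text/html
1199059201.456 980 10.0.0.7 TCP_MISS/200 135168 GET http://santapcards.com/happy_2008.exe - DIRECT/198.51.100.4 application/octet-stream
1199059202.789 300 10.0.0.7 TCP_MISS/200 2048 GET http://hohoho2008.com/ - DIRECT/198.51.100.5 text/html
1199059203.012 400 10.0.0.9 TCP_MISS/200 99999 GET http://cdn.example.net/files/happynewyear2008.exe - DIRECT/203.0.113.77 application/octet-stream
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The filename rule catches the same payload re-hosted on a domain not yet on the list, which is exactly how each new wave in this post appeared.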