From Storm With Love...
It seems that the Storm Worm Gang have decided that you all need some loving, so they are now sending out fake e-card e-mail notifications informing you how much they love you, because you make their job of building botnets so easy ;-)
Either that or their calendar is screwed up again; they almost missed Christmas and were then very early for New Year!
Here's a screenshot of what just one of these new With Love based e-mails looks like:

The body text can be one of a number of text strings. The rest of the e-mail is usually a link; this time they have gone back to using IP addresses rather than actual domain names, not sure why. The IP addresses used vary, so don't assume they only use the one shown in the example here.
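As an added example (not code from the original post), here is a Python triage check that flags messages whose links point at a bare IP address rather than a domain name, the trait described above. The sample message, its addresses (documentation range 192.0.2.0/24) and the function name are constructed for illustration; the check also covers the single-integer form of an IPv4 host, which goes beyond what the post shows.

```python
import ipaddress
import re
from email import message_from_string
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def _host_as_ip(host):
    """Return the normalized IP string if host is an IP literal, else None."""
    host = host.rstrip(".")
    try:
        if host.isdigit():                      # e.g. http://3221226029/
            return str(ipaddress.IPv4Address(int(host)))
        return str(ipaddress.ip_address(host))  # dotted quad or IPv6
    except ValueError:
        return None

def ip_literal_links(raw_message):
    """Return (url, ip) for every http(s) link whose host is a bare IP address."""
    hits = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_maintype() != "text":
            continue                            # skip containers and attachments
        payload = part.get_payload(decode=True) or b""
        try:
            text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        except LookupError:                     # unknown charset label
            text = payload.decode("utf-8", "replace")
        for url in URL_RE.findall(text):
            url = url.rstrip(".,;)")            # trailing sentence punctuation
            try:
                host = urlsplit(url).hostname
            except ValueError:                  # malformed bracketed host
                continue
            ip = _host_as_ip(host) if host else None
            if ip:
                hits.append((url, ip))
    return hits

# Constructed sample message; 192.0.2.45 is a documentation address.
SAMPLE = """From: sender@example.com
To: user@example.org
Subject: With Love
Content-Type: text/plain; charset="us-ascii"

Constructed sample body text.
http://192.0.2.45/

Unsubscribe: http://cards.example.com/optout
"""

if __name__ == "__main__":
    print(ip_literal_links(SAMPLE))
```

A hit is a signal for quarantine or closer inspection rather than a verdict, since some legitimate internal mail also links to IP addresses.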
Of course, when you click on the link you go to a very nice, but fake e-card site.
Here is a screenshot of the web page you could end up on if you click on the link in one of these fake With Love themed e-mails.

Here's a screenshot showing the HTML source for the page. Does it look familiar? It should, as this is almost exactly the same code used during the New Year campaign.

The message shown is fake: the 'withlove.exe' file offered isn't an e-card offering words of love from an admirer, partner or colleague. In other words, if you are unwise enough to download the file and run it, you won't get to see an e-card; you will get a bot installed instead, and your computer will join one of the many Storm Worm botnets.
At the time of publishing this entry, detection was almost non-existent, with most of the top anti-virus products not detecting the malware-laden file as infected. You have been warned.
As mentioned before, please do not go to these sites and download the files offered, as they are real, live, malware.
More details on the file currently being offered can be found here on my VSUB blog, complete with detection results at the time of publishing.