MoMusings

Random ramblings and musings about all things malware and related net-nasties...

Tuesday, 12 February 2008

Another Stormy Valentine's Day...

...Coming To A PC Near You, Soon!

I hope that you are all ready for a safe and pleasant, if not wonderful, Valentine's Day on Thursday.

It seems that the so-called 'Storm Worm Gang' are back playing cupid again and couldn't resist the opportunity to try, yet again, to get you to infect your own computer under the guise of a Valentine's e-card. The latest wave of these started early this morning.

The subjects of the e-mails I've seen so far include:

Blind Love
Heart pump
Love Rose
Phone Love
With All My Love
Valentine Friends
Happy Valentine's day!
The love Train
You're Super Sweet
Me & You

The body of each of the e-mails seen so far contains a single line of text and a URL [the usual dotted-IP sort, e.g. http://100.123.12.1]; here is just a small selection of the text I've seen used so far:

A Hearty Wish
Love You
My Heart
Rockin' Valentine
Smiley Kiss
You Stay In My Heart
Valentine Friends

Here's a screenshot of one of the e-mails that I've received this morning: [screenshot not reproduced here]

If you are foolish enough to click on the link in the e-mail, you'll end up on a page that looks like one of these [these are not all the known permutations]; the graphic shown on the website is randomly chosen from a pool of at least 6: [landing-page screenshots not reproduced here]

And here is the source of the web page currently in use: [page source not reproduced here]

However you spend the day, whatever you do for the 'love-of-your-life', don't become part of the collateral damage of the annual 'Valentine's Day [Malware] Massacre'.

If I see any more 'bogus' Valentine's Day e-mails, I'll try and post details here when I can. Also, if you see any that I haven't yet posted about, then please let me know.

Hopefully, between us we can try and keep the annual massacre down to a mere scuffle! ;-)

At the time of posting this blog entry, detection of the offered 'valentine.exe' file was very poor: only 4 out of 32 tested scanners identified it as malicious.

Furthermore, the file being offered is not a static binary: in my testing so far each request ends up serving a file which appears to be different in size. I'm not sure whether this is a case of server-side polymorphism or just a pool of pre-compiled executables from which one is chosen at random.
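To turn that distinction into something measurable rather than a guess, here is an added example (mine, not part of the original post or the author's testing): hash each fetched copy instead of comparing sizes alone (two differently-built files can share a size), record any repeats, and work out how many downloads a pool of a given size should need before a repeat shows up. The sample byte strings are constructed stand-ins, not real downloads of 'valentine.exe'.

```python
import hashlib
from collections import Counter


def fingerprint(sample: bytes) -> tuple:
    """(size, sha256) for one fetched copy; size alone cannot tell two builds apart."""
    return len(sample), hashlib.sha256(sample).hexdigest()


def classify_fetches(samples) -> dict:
    """Decide what repeated downloads of the same URL tell us.

    A repeated hash proves a finite pool of pre-built files (and gives a lower
    bound on its size). All-distinct hashes are consistent with both
    per-request (server-side polymorphic) generation and a pool larger than
    the number of fetches, so that case stays 'undetermined'.
    """
    counts = Counter(fingerprint(s) for s in samples)
    fetched, distinct = len(samples), len(counts)
    if distinct < fetched:
        verdict = "finite pool (>= %d members)" % distinct
    else:
        verdict = "undetermined"
    return {
        "fetched": fetched,
        "distinct": distinct,
        "sizes": sorted({size for size, _ in counts}),
        "verdict": verdict,
    }


def fetches_for_repeat(pool_size: int, confidence: float = 0.9) -> int:
    """Smallest number of uniform draws from a pool of pool_size distinct files
    that yields at least one repeat with the given probability (birthday bound).
    Use it to decide how many more downloads are worth making before calling
    an all-distinct result 'probably polymorphic'."""
    if pool_size < 1:
        raise ValueError("pool_size must be >= 1")
    draws, p_no_repeat = 1, 1.0  # after one draw a repeat is impossible
    while 1.0 - p_no_repeat < confidence:
        # the next draw must avoid every one of the `draws` files already seen
        p_no_repeat *= 1.0 - draws / pool_size
        draws += 1
    return draws


# Constructed stand-ins for fetched copies (not the real 'valentine.exe'):
# A and B differ only in size, A and C share a size but differ in content.
COPY_A = b"MZ" + b"\x00" * 100
COPY_B = b"MZ" + b"\x00" * 120
COPY_C = b"MZ" + b"\x01" * 100

if __name__ == "__main__":
    print(classify_fetches([COPY_A, COPY_B, COPY_C]))            # all distinct
    print(classify_fetches([COPY_A, COPY_B, COPY_A, COPY_C, COPY_B]))  # repeats
    print(fetches_for_repeat(6))
```

The post notes the landing-page graphic comes from a pool of at least 6; fetches_for_repeat(6) says that if the executables came from a pool of the same size, five downloads would show a repeat about 90% of the time, so a run of many more all-distinct downloads argues for per-request generation or a much larger pool.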

If I get any further useful data or news then I'll try and update this entry later today or tomorrow.

UPDATE: The URLs [Web links] included in the e-mail may also now be domain names containing the word 'moon', which I will omit from the web links I have seen so far; see below:

  • [the-m-word]starfood.com
  • destroythe[the-m-word].com

I suspect that others will appear shortly. Please do not go to those domains, as they contain live malware; you have been warned!
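The indicators listed above (the subject pool, the one-line body text plus a bare dotted-IP URL, and now hostnames containing 'moon') are enough to write a mail-triage check, so here is one as an added example (mine, not from the original post). It parses a raw message, requires at least two independent indicators before flagging it, and pulls out the URL as an IOC. The three messages are constructed samples, not real captures: the IP address is the post's own placeholder and 'example-moon.invalid' is a made-up host in a reserved TLD.

```python
import email
import re
from email import policy

# Indicators taken from the post: subject lines and one-line body texts seen in this wave.
LURE_SUBJECTS = {s.lower() for s in (
    "Blind Love", "Heart pump", "Love Rose", "Phone Love", "With All My Love",
    "Valentine Friends", "Happy Valentine's day!", "The love Train",
    "You're Super Sweet", "Me & You",
)}
LURE_BODY_TEXT = {s.lower() for s in (
    "A Hearty Wish", "Love You", "My Heart", "Rockin' Valentine",
    "Smiley Kiss", "You Stay In My Heart", "Valentine Friends",
)}

URL_RE = re.compile(r"https?://([^\s/<>\"']+)[^\s<>\"']*", re.IGNORECASE)
DOTTED_QUAD_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def triage(raw_message: str) -> dict:
    """Score one raw RFC 822 message against the lure indicators.

    Returns the subject, any URL found in the body, the indicators that fired,
    and a 'suspect' flag that needs at least two of them: a lure-like subject
    on its own is too weak in Valentine's week.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg["subject"] or "").strip()
    body_part = msg.get_body(preferencelist=("plain",))
    text = body_part.get_content() if body_part is not None else ""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]

    hits, urls = [], []
    if subject.lower() in LURE_SUBJECTS:
        hits.append("subject matches lure pool")

    # The lure body is exactly one non-empty line: a short phrase plus a link.
    if len(lines) == 1:
        match = URL_RE.search(lines[0])
        if match:
            urls.append(match.group(0))
            host = match.group(1).lower().split(":")[0]  # drop any :port
            phrase = URL_RE.sub("", lines[0]).strip().lower()
            if phrase in LURE_BODY_TEXT:
                hits.append("body text matches lure pool")
            if DOTTED_QUAD_RE.match(host):
                hits.append("bare dotted-IP URL")
            elif "moon" in host:
                hits.append("host contains 'moon'")

    return {"subject": subject, "urls": urls, "hits": hits, "suspect": len(hits) >= 2}


# Constructed sample messages (not real captures).
LURE_MAIL = """From: sender@example.invalid
To: you@example.invalid
Subject: Love Rose

Smiley Kiss http://100.123.12.1/
"""

MOON_MAIL = """From: sender@example.invalid
To: you@example.invalid
Subject: Me & You

My Heart http://example-moon.invalid/
"""

# Lure-like subject but an ordinary multi-line body: must not be flagged.
BENIGN_MAIL = """From: colleague@example.invalid
To: you@example.invalid
Subject: Happy Valentine's day!

Hope you have a good one. Lunch is at 12:30 if you can make it,
the agenda is on the wiki: http://wiki.example.invalid/lunch
"""

if __name__ == "__main__":
    for sample in (LURE_MAIL, MOON_MAIL, BENIGN_MAIL):
        print(triage(sample))
```

The two-indicator threshold is the point of the example: a real greeting titled "Happy Valentine's day!" trips the subject check alone and stays unflagged, while the single-line phrase-plus-link body with a dotted-IP or 'moon' host is what actually characterises this wave.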
