They're Back!!! Beijing Earthquake

Early this morning we started to see emails pushing a new variant of the so-called 'Storm Worm'. These are using a similar tactic to those that gave the malware authors their name, in this case it isn't real storms it is a fictional new earthquake in Beijing, China.

Here is a screenshot showing many of the subject lines seen so far for this new Storm Worm run:



Here is a screenshot of one of the e-mails I have received:



Most of them do not have the anti-virus scanning message at the bottom, I picked this one as I'm not sure whether this was added by one of the infected clients, or as part of the next wave, as some form of extra social-engineering ploy. It should also be noted that they have gone back to using real domain names for this run, instead of their more usual dotted IP addresses. According to F-Secure, these are all flast-fluxed.

Here's a screenshot of the website you would end up on if you clicked on the link:



The file offered is not a video, it is, not surprisingly an executable file, here are the details of a sample I downloaded earlier today.

FileName: beijing.exe
FileDateTime: 19/06/2008 12:56:05
Filesize: 83608
MD5: 3752f1a45c897471369f5f17dc42c8ee
CRC32: DA97A2FB
File Type: PE Executable

Here are the scan results of the currently offered file 'beijing.exe' as scanned by over 30 up-to-date malware scanners:

@Proventia-VPS NOT DETECTED
AntiVir Worm/Zhelatin.zc
Avast! Win32:TDrop [Drp]
AVG NOT DETECTED
BitDefender Trojan.Peed.JLV
CA-AV NOT DETECTED
CA-AV (BETA) NOT DETECTED
ClamAV NOT DETECTED
Command NOT DETECTED
Dr Web NOT DETECTED
eSafe File [100] (suspicious)
Ewido NOT DETECTED
F-Prot NOT DETECTED
F-Secure NOT DETECTED
F-Secure (BETA) NOT DETECTED
Fortinet NOT DETECTED
Fortinet (BETA) NOT DETECTED
Ikarus Email-Worm.Win32.Zhelatin.zy
Kaspersky NOT DETECTED
McAfee NOT DETECTED
McAfee (BETA) NOT DETECTED
Microsoft NOT DETECTED
Nod32 Win32/Nuwar worm
Norman NOT DETECTED
Panda NOT DETECTED
Panda (BETA) NOT DETECTED
QuickHeal NOT DETECTED
Rising NOT DETECTED
Sophos W32/Nuwar-E
Sunbelt NOT DETECTED
Symantec NOT DETECTED
Symantec (BETA) NOT DETECTED
Trend Micro NOT DETECTED
Trend Micro (BETA) NOT DETECTED
VBA32 NOT DETECTED
VirusBuster NOT DETECTED
WebWasher Worm.Zhelatin.zc
YY_A-Squared NOT DETECTED
YY_Spybot Worldsecurityonline.FakeAlert,,Executable

It should also be noted that the Storm-Worm gang are trying something new with this new variant, they are using Alternate Data Streams [ADS] , in this case there is an ADS called Zone.Identifier, which is a text file that contains:

[ZoneTransfer]
ZoneId=3

I'm not quite sure what they are using this for at the moment, maybe some form of tracking data?

UPDATE: This may actually be nothing to do with the Storm Worm gang after all [the ADS part, that is], as it seems that this may be a new 'feature' of Firefox 3.x instead, sneaky!

So what do you do if you receive such an e-mail? Simply delete it, do not click on the link and definitely do not download and launch the file that is offered, and finally update your anti-virus at least once a day, as otherwise you will become a victim. Hopefully most anti-virus products will be able to detect this within the next 24 hours.