MoMusings

Random ramblings and musings about all things malware and related net-nasties...

Tuesday, 1 April 2008

Don't 'Fool' For It...

Normally I do my own April Fools blog posting, using some bogus malware, anti-malware or other computer-related bit of nonsense for a bit of fun, and hopefully you find them funny, or at least interesting.

However, this year I didn't need to bother, as the Bad Guys and Girls have their own; trouble is, it isn't a joke, and it certainly isn't funny!

It seems that the so-called 'Storm Worm Gang' are back playing the fool again and couldn't resist the opportunity to try and get you to infect your computer under the guise of an April Fools e-card. This new wave started late last night/early this morning [depending where you are in the world]:

The subjects of the e-mails I've seen so far include:
Surprise!
Happy April Fools!
Happy All Fool's Day
Gotcha! April Fool!
Gotcha! All Fool!
I am a Fool for your Love
Today You Can Officially Act Foolish
Join the Laugh-A-Lot
Surprise! The joke's on you

The body of all the e-mails seen so far contains a single line of text and a URL [the usual dotted-IP sort, e.g. http://100.123.12.1, rather than a domain name]

Here's a screenshot of one of the emails that I've received this morning:

If you are foolish enough to click on the link in the email, you'll end up on a page that looks like this:

After 5 seconds you'll see a download dialogue box, like this:

And here is the source of the web page currently in use:

However you spend the day, whatever jokes you play, or end up the victim of, don't 'Fool' for this one, as otherwise your computer will get infected and the Bad Guys and Girls will have the last laugh again, at your expense!

At the time of posting this blog entry the detection of the offered 'funny.exe' file was rather poor, with fewer than half of the 32 tested scanners identifying it as malicious. This is the default file and is automatically offered for download [within 5 seconds of the page rendering].

You may have noticed that two other filenames appear in the HTML source; these are:
kickme.exe
foolsday.exe

If you click on the image, you get kickme.exe, and if you click on "click here" you get foolsday.exe instead.
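As an added illustration (not code from the original post), here is a small Python triage script that applies the two observations above: it flags e-mails whose subject is one of the lure subjects listed and whose body is a single line of text plus a bare dotted-IP URL, and it pulls every .exe a landing page would hand out, whether via a timed auto-download or a link. The sample e-mails, the landing-page HTML, the 192.0.2.10 host and the fool.jpg image name are all constructed for the example; the real page's source is not reproduced here, and the mock-up uses a meta refresh only to stand in for the 5-second automatic download described.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

# Subject lines quoted in the post above.
LURE_SUBJECTS = {
    "Surprise!",
    "Happy April Fools!",
    "Happy All Fool's Day",
    "Gotcha! April Fool!",
    "Gotcha! All Fool!",
    "I am a Fool for your Love",
    "Today You Can Officially Act Foolish",
    "Join the Laugh-A-Lot",
    "Surprise! The joke's on you",
}

# A URL whose host is a bare dotted quad (e.g. http://100.123.12.1) rather than a name.
BARE_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?(?:/\S*)?", re.I)


def triage_email(subject, body):
    """Score one message against the pattern described in the post.

    Returns (score, reasons); a score of 3 means all three traits matched.
    """
    reasons = []
    if subject.strip() in LURE_SUBJECTS:
        reasons.append("subject is a known lure")
    urls = BARE_IP_URL.findall(body)
    if urls:
        reasons.append("bare-IP URL: " + ", ".join(urls))
    # Non-empty lines that are not themselves the URL.
    text_lines = [ln for ln in body.splitlines() if ln.strip() and not BARE_IP_URL.search(ln)]
    if urls and len(text_lines) <= 1:
        reasons.append("body is at most one line of text plus the URL")
    return len(reasons), reasons


class ExeLinkFinder(HTMLParser):
    """Collect every download the landing page would hand out and how it is triggered."""

    def __init__(self, base):
        super().__init__()
        self.base = base
        self.targets = []   # (how the user gets it, absolute URL)
        self._in_a = None   # href of the <a> we are currently inside, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            content = a.get("content", "")
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s;]+)", content, re.I)
            if m:
                delay = content.split(";")[0].strip()
                self.targets.append(("meta refresh after %ss" % delay, urljoin(self.base, m.group(1))))
        elif tag == "a" and "href" in a:
            self._in_a = urljoin(self.base, a["href"])
        elif tag == "img" and self._in_a:
            self.targets.append(("click on image", self._in_a))

    def handle_data(self, data):
        if self._in_a and data.strip():
            self.targets.append(("click on '%s'" % data.strip(), self._in_a))

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_a = None


def exe_targets(html, base):
    """Return only the targets that are Windows executables."""
    p = ExeLinkFinder(base)
    p.feed(html)
    return [(how, url) for how, url in p.targets if url.lower().endswith(".exe")]


# Constructed sample messages: two shaped like the campaign, one ordinary.
SAMPLE_MAILS = [
    ("Gotcha! April Fool!", "Here's a little something for you ;)\nhttp://100.123.12.1/\n"),
    ("Happy All Fool's Day", "http://203.0.113.45/\n"),
    ("Re: invoice", "Attached as discussed.\nhttp://www.example.com/invoice\n"),
]

# Constructed mock-up of the landing page (not the real page source).
LANDING_PAGE = """<html><head>
<meta http-equiv="refresh" content="5;url=funny.exe">
</head><body>
<a href="kickme.exe"><img src="fool.jpg"></a>
<p>If the download does not start, <a href="foolsday.exe">click here</a>.</p>
</body></html>"""

if __name__ == "__main__":
    for subject, body in SAMPLE_MAILS:
        score, reasons = triage_email(subject, body)
        print("%d/3  %-30s %s" % (score, subject, "; ".join(reasons)))
    for how, url in exe_targets(LANDING_PAGE, "http://192.0.2.10/"):
        print("%-26s -> %s" % (how, url))
```

The subject list alone is a weak signal, since the gang rotates subjects per wave; the bare-IP URL in an otherwise empty body is the trait worth keeping in a mail filter after this particular lure has been retired.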

If I get any further useful data or news then I'll try and update this entry later today or tomorrow.

Whilst I was browsing the web looking for a good basis for an April Fools blog posting, I found these:


Please let me know if you spot any more, thanks!

