
Web watchers warn of new Storm attack

The prolific Storm malware is on the attack again, according to the folks at the SANS Internet Storm Center (ISC). ISC handler Lorna Hutcheson wrote on the storm center Web site that the latest email attack includes a subject line that says “You’ve received a postcard from a family member!” From there, variations of the email text are as follows (WARNING: DO NOT CLICK ON THE URLs BELOW):

——–
OPTION 1
——–

Click on the following Internet address or
copy & paste it into your browser’s address box.

http://200xxxxxxxxxxxxxxxx

——–

OPTION 2

——–

Copy & paste the ecard number in the “View Your Card” box at

http://200.8xxxxxxxx

Your ecard number is 08a823e96272575cbcxxxx

Hutcheson says the Web site has some interesting JavaScript that “appears to have multiple ways to exploit a browser in order to compromise a system.” If JavaScript is enabled, she says, the user receives this:

MD5 (tm.exe) = 07276fce39282fd182757d2557f9eca7 which is a downloader that gets this:

MD5 (logi.exe) = 4aa22564a0b886226d8cf14456a598ab

She adds: “If javascript is disabled, then they provide you a handy link to click on to exploit yourself and you get MD5 (ecard.exe) = 30051dc10636730e4d6402ef8e88fd04.”

Here is what a user would see:

“We are currently testing a new browser feature. If you are not able to view this ecard, please click here (/ecard.exe) to view in its original format.”

From there, the ISC lists a bunch of other code variations and a long list of compromised home machines being used in the attacks.

This is just another reminder not to click emailed URLs if they don’t come from a trusted source.
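The lure and payload chain described above can be turned into a mail-side check. The following is an added example, not code from the ISC or this article: it flags a message that combines the postcard subject line with a bare-IP URL or an “ecard number,” and labels a downloaded file by the three MD5 values quoted in the write-up. The sample message and its 203.0.113.10 address are constructed placeholders, not the real lure addresses.

```python
import hashlib
import re
from typing import Optional

# MD5 indicators quoted in the ISC write-up above (taken from the page, not invented).
STORM_MD5 = {
    "07276fce39282fd182757d2557f9eca7": "tm.exe (downloader)",
    "4aa22564a0b886226d8cf14456a598ab": "logi.exe",
    "30051dc10636730e4d6402ef8e88fd04": "ecard.exe",
}

LURE_SUBJECT = re.compile(r"you.?ve received a postcard from a family member", re.I)
# A URL whose host is a bare IPv4 literal, as in the lure's http://200.8... links.
BARE_IP_URL = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?:[/:]|\b)", re.I)
# The hex 'ecard number' the second lure variant asks the user to paste.
ECARD_NUMBER = re.compile(r"ecard number is\s+([0-9a-f]{16,})", re.I)


def score_email(subject: str, body: str) -> dict:
    """Collect lure indicators for one message. 'suspicious' requires the
    subject line plus at least one body indicator, so ordinary ecards stay quiet."""
    hits = {
        "subject": bool(LURE_SUBJECT.search(subject)),
        "bare_ip_urls": BARE_IP_URL.findall(body),
        "ecard_number": bool(ECARD_NUMBER.search(body)),
    }
    hits["suspicious"] = hits["subject"] and (bool(hits["bare_ip_urls"]) or hits["ecard_number"])
    return hits


def match_md5(data: bytes) -> Optional[str]:
    """Label a file by the MD5 values published in the write-up, or None if unknown."""
    return STORM_MD5.get(hashlib.md5(data).hexdigest())


# Constructed sample modelled on lure 'OPTION 2'; address and number are placeholders.
SAMPLE_SUBJECT = "You've received a postcard from a family member!"
SAMPLE_BODY = (
    'Copy & paste the ecard number in the "View Your Card" box at\n'
    "http://203.0.113.10/\n"
    "Your ecard number is 08a823e96272575cbc0000\n"
)

if __name__ == "__main__":
    print(score_email(SAMPLE_SUBJECT, SAMPLE_BODY))
```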


This is going around again, this time with an IP address of 74.99.XXX.XXX

and it tries to install "Remote Data Services Data Control" add-on from "Microsoft Corporation"

Will this exploit affect Firefox or just Internet Explorer, and what about the effect of it on Linux and other alternate operating systems?

I'm not 100% certain about how this might affect Linux, but everything I've been told so far indicates that this is primarily a problem for Windows users running either Internet Explorer or Firefox.

Because it is a JavaScript exploit, using the NoScript plugin for Firefox will prevent infection unless you click the link. It will also cut down on lagging background scripting while making Firefox all that more secure.

[...] The Storm malware is using yet another trick in its endless push for world domination. Two weeks ago Storm passed itself off as a greeting card from family members to trick people into clicking on malicious URLs in their email inbox. Last week it tried to use patriotic messages to dupe people into getting infected. [...]

Found this, found a way to remove it. Here it goes.
1. Disable System Restore
2. Boot into safe mode (possibly; didn't try doing it without)
3. Once in safe mode go to Device Manager (in System Properties)
4. Click View and 'Show Hidden Devices'
5. Find the device under 'Non Plug and Play Devices' that looks suspicious; I've seen variants that start Windev - four random characters - four random characters, and some that start vdo - something - something
6. Uninstall this device
7. Browse to your C:\windows\system32 directory and find the file name that corresponds to the device that was shown in Device Manager and delete it
8. Search the registry for that same string, and delete all references; there should be one in current config, and somewhere else I believe
This process worked for me, hopefully it will work for other people

This is really just a Microsoft exploit. I use Linux ONLY and my antivirus (KLAMAV) found it on-the-fly and quarantined it. No intervention was necessary. Info as follows: EXPLOIT: Trojan.Small-3263 The payload file "ecard.exe" was sent in two different emails, both arriving within seconds of each other, from: dgreetings.com and riversongs.com Set blocking filters accordingly. Windows People! Just don't open the attachment! *.exe's DON'T belong in emails!

RE: *.exe’s DON’T belong in emails! and Windows People! Just don’t open the attachment! The exploit points them to a website via a link in the e-mail or the user must manually paste the URL into a web browser. There are no attachments or .exe's involved. Am I wrong??

And yet, all you IDIOTS just keep using Windoze! When will you wise up and join the masses already making a huge exodus to Macs? You bring it on yourselves... really. Have fun!
