Ross
Well-known member
Many if not all of you have seen email from various clubs with links to click on to verify your membership. DO NOT CLICK ON THOSE LINKS!!!!!! Trash the message and move on. This thing is taking over machines.
http://isc.sans.org/
Looks like Storm moved to a new mutation. The e-mails are now inviting users to become members in various "clubs". Here is a sample I just got:
--------------------------------------------------------------------------------
Subject: Login InformationDear Member,Are you ready to have fun at CoolPics.Account Number: 73422529174753Your Temp. Login ID: user3559Temorary Password: jz438Please Change your login and change your Login Information.This link will allow you to securely change your login info: http://a.b.c.d/Thank You,New Member Technical SupportCoolPics
--------------------------------------------------------------------------------
I have seen about a dozen different once so far. They are all "confirmations" in this style to various web sites. The web page offers again an "applet.exe" for download.
In short: We don't need to enumerate variants of the e-mail message. If you are brave and know what you are doing, download the applet.exe and try to reverse it (not easy typically). Thunderbird warned me that the link is a scam. (I think it does so for all numeric IP links).
My copy of applet.exe was about 114 kB large. While many AV scanners detect it as "evil" based on heuristic signatures, some well known scanners don't (maybe Virustotal is running them without heuristic turned on, or they just don't do it)
IMHO: this is a lost cause. People are either infected or they know how to protect themselves.
(From virustotal.com)
File applet.exe received on 08.21.2007 05:21:50 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 14/32 (43.75%)Antivirus Version Last Update Result
AhnLab-V3 2007.8.21.0 2007.08.21 -
AntiVir 7.4.1.62 2007.08.20 WORM/Zhelatin.Gen
Authentium 4.93.8 2007.08.20 Possibly a new variant of W32/Fathom.2-based!Maximus
Avast 4.7.1029.0 2007.08.20 -
AVG 7.5.0.484 2007.08.20 Downloader.Tibs.7.D
BitDefender 7.2 2007.08.21 Trojan.Peed.IFS
CAT-QuickHeal 9.00 2007.08.20 (Suspicious) - DNAScan
ClamAV 0.91 2007.08.21 Trojan.Small-3614
DrWeb 4.33 2007.08.20 Trojan.Packed.142
eSafe 7.0.15.0 2007.08.20 Suspicious Trojan/Worm
eTrust-Vet 31.1.5076 2007.08.21 Win32/Sintun.AC
Ewido 4.0 2007.08.20 -
FileAdvisor 1 2007.08.21 -
Fortinet 2.91.0.0 2007.08.21 -
F-Prot 4.3.2.48 2007.08.20 W32/Fathom.2-based!Maximus
F-Secure 6.70.13030.0 2007.08.21 -
Ikarus T3.1.1.12 2007.08.20 -
Kaspersky 4.0.2.24 2007.08.21 -
McAfee 5101 2007.08.20 -
Microsoft 1.2803 2007.08.21 Worm:Win32/Nuwar.gen
NOD32v2 2472 2007.08.21 -
Norman 5.80.02 2007.08.20 -
Panda 9.0.0.4 2007.08.19 -
Prevx1 V2 2007.08.21 -
Rising 19.36.60.00 2007.08.19 -
Sophos 4.20.0 2007.08.12 -
Sunbelt 2.2.907.0 2007.08.21 VIPRE.Suspicious
Symantec 10 2007.08.21 Trojan.Packed.13
TheHacker 6.1.8.171 2007.08.20 -
VBA32 3.12.2.2 2007.08.21 -
VirusBuster 4.3.26:9 2007.08.20 -
Webwasher-Gateway 6.0.1 2007.08.21 Worm.Zhelatin.Gen
Additional information
File size: 114623 bytes
MD5: 7d2dacd867a50e467d6a2a8eedd28e51
SHA1: 73a4a9317c5c12318ae32f7d6819f93c13d72ad0
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.
(I replaced the numeric IP address with 'a.b.c.d')
http://isc.sans.org/
Looks like Storm moved to a new mutation. The e-mails are now inviting users to become members in various "clubs". Here is a sample I just got:
--------------------------------------------------------------------------------
Subject: Login InformationDear Member,Are you ready to have fun at CoolPics.Account Number: 73422529174753Your Temp. Login ID: user3559Temorary Password: jz438Please Change your login and change your Login Information.This link will allow you to securely change your login info: http://a.b.c.d/Thank You,New Member Technical SupportCoolPics
--------------------------------------------------------------------------------
I have seen about a dozen different once so far. They are all "confirmations" in this style to various web sites. The web page offers again an "applet.exe" for download.
In short: We don't need to enumerate variants of the e-mail message. If you are brave and know what you are doing, download the applet.exe and try to reverse it (not easy typically). Thunderbird warned me that the link is a scam. (I think it does so for all numeric IP links).
My copy of applet.exe was about 114 kB large. While many AV scanners detect it as "evil" based on heuristic signatures, some well known scanners don't (maybe Virustotal is running them without heuristic turned on, or they just don't do it)
IMHO: this is a lost cause. People are either infected or they know how to protect themselves.
(From virustotal.com)
File applet.exe received on 08.21.2007 05:21:50 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 14/32 (43.75%)Antivirus Version Last Update Result
AhnLab-V3 2007.8.21.0 2007.08.21 -
AntiVir 7.4.1.62 2007.08.20 WORM/Zhelatin.Gen
Authentium 4.93.8 2007.08.20 Possibly a new variant of W32/Fathom.2-based!Maximus
Avast 4.7.1029.0 2007.08.20 -
AVG 7.5.0.484 2007.08.20 Downloader.Tibs.7.D
BitDefender 7.2 2007.08.21 Trojan.Peed.IFS
CAT-QuickHeal 9.00 2007.08.20 (Suspicious) - DNAScan
ClamAV 0.91 2007.08.21 Trojan.Small-3614
DrWeb 4.33 2007.08.20 Trojan.Packed.142
eSafe 7.0.15.0 2007.08.20 Suspicious Trojan/Worm
eTrust-Vet 31.1.5076 2007.08.21 Win32/Sintun.AC
Ewido 4.0 2007.08.20 -
FileAdvisor 1 2007.08.21 -
Fortinet 2.91.0.0 2007.08.21 -
F-Prot 4.3.2.48 2007.08.20 W32/Fathom.2-based!Maximus
F-Secure 6.70.13030.0 2007.08.21 -
Ikarus T3.1.1.12 2007.08.20 -
Kaspersky 4.0.2.24 2007.08.21 -
McAfee 5101 2007.08.20 -
Microsoft 1.2803 2007.08.21 Worm:Win32/Nuwar.gen
NOD32v2 2472 2007.08.21 -
Norman 5.80.02 2007.08.20 -
Panda 9.0.0.4 2007.08.19 -
Prevx1 V2 2007.08.21 -
Rising 19.36.60.00 2007.08.19 -
Sophos 4.20.0 2007.08.12 -
Sunbelt 2.2.907.0 2007.08.21 VIPRE.Suspicious
Symantec 10 2007.08.21 Trojan.Packed.13
TheHacker 6.1.8.171 2007.08.20 -
VBA32 3.12.2.2 2007.08.21 -
VirusBuster 4.3.26:9 2007.08.20 -
Webwasher-Gateway 6.0.1 2007.08.21 Worm.Zhelatin.Gen
Additional information
File size: 114623 bytes
MD5: 7d2dacd867a50e467d6a2a8eedd28e51
SHA1: 73a4a9317c5c12318ae32f7d6819f93c13d72ad0
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.
(I replaced the numeric IP address with 'a.b.c.d')
