The group responsible for propagating the malicious program commonly known as the Storm Worm changed tactics this week, using e-mail messages masquerading as verification announcements from online Web sites and clubs to lure victims.
The e-mail messages use a fairly regular format, including a brief greeting, a supposed temporary login name and password, and a link to a malicious Web site, according to antivirus firms. The destination site will tell the user that, to log on, they need to download a secure login applet. Victims that do install the software will become infected with the Storm Worm bot software.
The names of the online Web sites used in the e-mail messages appear to be constructed from two randomly chosen words and include names "Fun World," "Internet Dating," and "MP3 World." In addition, there is some evidence that the Storm Worm is using the MPack infection tool kit to compromise systems.
The Storm Worm, also known as Zhelatin and Nuwar, first started spreading in January using fairly large, but controlled, bursts of e-mail routed through previously compromised computers. Each burst typically sent out a custom variant, trying to infect systems before the user updated their antivirus definitions. The original program compromised systems by luring users into opening the attachments of messages with subject lines regarding news events, including violent storms in Europe--a characteristic that led to the program's naming.
Earlier this month, the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC) sent out a warning to universities after a number of denial-of-service attacks appeared to be aimed in retribution at schools which had scanned systems for Storm Worm infections.
Posted by: Robert Lemos