New Storm Variant Hits...

by Dave2 on February 12th, 2008 in Security Alert.

 

Just in time for Valentine's Day, a new variant of the well-known Storm worm hit email boxes last night. AdAware detects Storm as Zhelatin; this time it arrives with an exe simply named "valentine.exe". In January we saw the first wave of the Storm Valentine's propagation email campaign. It is back now with a few slight changes, but enough to make it undetectable by most anti-malware applications.

Some of the subject lines for this new variant include:

"Just you", "Rockin' Valentine", "My Heart", "Be My Valentine" and I'm sure many others.

Some of the bodies include:

"World Love", "Powerful Love", "My Love", and "Rockin' Valentine"; again, there are many others.

The body text is followed by an IP-based URL.

The web pages for Storm now sport pretty Valentine's Day card-like images, sort of like the ones we all received when we were children.

When executed, valentine.exe adds a service to the registry and a .sys and an .ini file to %system32%. The .ini file has a constant name, diperto.ini, and the .sys file has a name similar to diperto3de3-4a72.sys, with diperto being constant. The service, from what I have seen, carries the same name as the .sys file.
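
A triage check for the artifacts described above, as an added example that is not part of the original post: it looks for diperto.ini and diperto*.sys in a system32-style directory and correlates them with a list of service names. The function names, the wildcard suffix match and the sample directory and service list are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Names taken from the post: constant "diperto" prefix, fixed .ini name.
INI_NAME = "diperto.ini"
# Suffix format is an assumption: the post gives one sample name only,
# so anything between the prefix and ".sys" is accepted.
SYS_RE = re.compile(r"^diperto.*\.sys$", re.IGNORECASE)


def scan_system_dir(system_dir):
    """Return (ini_found, [driver file names]) for a system32-style directory."""
    ini_found, drivers = False, []
    for entry in os.listdir(system_dir):
        if not os.path.isfile(os.path.join(system_dir, entry)):
            continue
        if entry.lower() == INI_NAME:
            ini_found = True
        elif SYS_RE.match(entry):
            drivers.append(entry)
    return ini_found, sorted(drivers)


def correlate(system_dir, service_names):
    """Combine file and service indicators into one triage result."""
    ini_found, drivers = scan_system_dir(system_dir)
    # The post reports the service carrying the same name as the .sys file;
    # match with and without the extension since it does not say which.
    wanted = {d.lower() for d in drivers} | {d.lower()[:-4] for d in drivers}
    services = sorted(s for s in service_names if s.lower() in wanted)
    # Services with the prefix but no matching driver file still merit review.
    orphans = sorted(s for s in service_names
                     if s.lower().startswith("diperto") and s not in services)
    score = int(ini_found) + int(bool(drivers)) + int(bool(services))
    return {"ini": ini_found, "drivers": drivers, "services": services,
            "orphan_services": orphans, "indicators_hit": score}


def demo():
    """Constructed sample: a temp directory standing in for system32."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("diperto.ini", "diperto3de3-4a72.sys", "ntfs.sys", "win.ini"):
            open(os.path.join(d, name), "w").close()
        svc = ["Dhcp", "diperto3de3-4a72", "Spooler"]  # constructed service list
        return correlate(d, svc)


if __name__ == "__main__":
    print(demo())
```

Point `correlate` at a mounted image's system32 directory together with an exported service list to run the same check offline.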

For some more info on Storm check out the "Bad Behavior" section of the January Lavasoft Newsletter.

 

Happy early Valentine's Day everyone, be safe and watch out for these nasty emails.