New Storm Worm - 4th Of July Subject Lines


2 replies to this topic

#1 harrywaldron
Security Reporter, Members, 509 posts
Location: Roanoke, Virginia

Posted 03 July 2007 - 08:52 PM

Another new variant of the Storm worm to avoid:

New Storm worm -- 4th of July subject lines
http://isc.sans.org/diary.html?storyid=3090

EMAIL SUBJECT LINES TO AVOID:
Celebrate Your Independence
Independence Day At The Park
Fourth of July Party
American Pride, On The 4th
God Bless America
Happy B-Day USA
July 4th Family Day
Your Nations Birthday
July 4th B-B-Q Party
Happy 4th July
4th Of July Celebration
Fireworks on the 4th
Happy Birthday America
Independence Day Celebration
Celebrate Your Nation
Americas B-Day
America's 231 Birthday


#2 harrywaldron (Topic Starter)

Posted 04 July 2007 - 08:54 AM

There are additional new subject lines circulating which are part of the 4th of July e-card theme attacks.

The e-card link is the dangerous part of these massively spammed emails. These messages should be deleted to avoid a virus that can be downloaded and installed automatically from malicious websites (by just clicking on the URL).

An example that has been made safe from the inbox ... Please keep your AV protection as up-to-date as possible and most importantly use avoidance on all suspicious attachments and URLs.

Please be careful out there.

From: "greet2k.com"
To: harry
Subject: Fireworks on The 4th
Date: Wed, 4 Jul 2007 20:44:42 +0900

Hi. School-mate has sent you an ecard. See your card as often as you wish during the next 15 days.

SEEING YOUR CARD

If your email software creates links to Web pages, click on your card's direct www address below while you are connected to the Internet:

http://[NUMERIC IP ADDRESS REMOVED FOR SAFETY]/?076a3db573383e1a7a85955  

Or copy and paste it into your browser's "Location" box (where Internet addresses go).


PRIVACY
greet2k.com honors your privacy. Our home page and Card Pick Up have links to our Privacy Policy.

TERMS OF USE 
By accessing your card you agree we have no liability. If you don't know the person sending the card or don't wish to see the card, please disregard this Announcement.

We hope you enjoy your awesome card.

Wishing you the best,
Mailer-Daemon,
greet2k.com
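
The two posts above give a mail filter everything it needs: the spammed subject lines and the shape of the e-card link, a URL whose host is a bare numeric IP with a long hex token as its only query string. The script below is an added example, not code from the thread or from any vendor named in it. It parses messages with the standard library and reports which of those indicators each one matches. The sample message is constructed from the one in post #2; because the real host was removed there, the documentation address 192.0.2.10 stands in for it, and the benign control message is invented. Function names (`triage`, `numeric_ip_urls`, `normalise_subject`) are mine.

```python
"""Triage filter for the Storm e-card lure in the posts above.

Two indicators are available from the thread: the list of spammed 4th-of-July
subject lines (posts #1 and #2) and the shape of the e-card link, a URL whose
host is a bare numeric IPv4 address with a long hex token as its only query
string (post #2). A subject match alone is weak (the list changed daily); the
numeric-IP link is the indicator worth keeping.
"""
import re
from email import message_from_string, policy

# Subject lines posted in the thread, case-folded for comparison.
LURE_SUBJECTS = {s.casefold() for s in (
    "Celebrate Your Independence", "Independence Day At The Park",
    "Fourth of July Party", "American Pride, On The 4th", "God Bless America",
    "Happy B-Day USA", "July 4th Family Day", "Your Nations Birthday",
    "July 4th B-B-Q Party", "Happy 4th July", "4th Of July Celebration",
    "Fireworks on the 4th", "Happy Birthday America",
    "Independence Day Celebration", "Celebrate Your Nation", "Americas B-Day",
    "America's 231 Birthday",
)}

# http(s):// followed by a dotted quad as the host, optional port, optional path.
NUMERIC_IP_URL = re.compile(
    r"https?://(?P<ip>(?:\d{1,3}\.){3}\d{1,3})(?::\d+)?(?P<path>/[^\s<>]*)?",
    re.IGNORECASE,
)
# A long hex string as the whole query, like the sample's /?076a3db573383e1a7a85955
HEX_TOKEN_PATH = re.compile(r"^/\?[0-9a-f]{16,}$", re.IGNORECASE)

# Constructed from the message in post #2; the real host was removed there, so
# the documentation address 192.0.2.10 (RFC 5737) stands in for it.
STORM_SAMPLE = (
    'From: "greet2k.com"\n'
    "To: harry\n"
    "Subject: Fireworks on The 4th\n"
    "Date: Wed, 4 Jul 2007 20:44:42 +0900\n"
    "\n"
    "Hi. School-mate has sent you an ecard. See your card as often as you wish\n"
    "during the next 15 days.\n"
    "\n"
    "http://192.0.2.10/?076a3db573383e1a7a85955\n"
)

# Constructed benign control: hostname link, unrelated subject.
BENIGN_SAMPLE = (
    "From: alice@example.com\n"
    "To: harry@example.com\n"
    "Subject: Picnic photos\n"
    "\n"
    "Album is at https://photos.example.com/albums/july?id=42 - enjoy!\n"
)


def normalise_subject(subject):
    """Collapse whitespace and case so 'Fireworks on The 4th' matches the list."""
    return " ".join(subject.split()).casefold()


def numeric_ip_urls(text):
    """Return (ip, path) for every URL in text whose host is a valid dotted quad."""
    hits = []
    for m in NUMERIC_IP_URL.finditer(text):
        ip = m.group("ip")
        if all(int(octet) <= 255 for octet in ip.split(".")):
            hits.append((ip, m.group("path") or "/"))
    return hits


def triage(raw_eml):
    """Parse one RFC 822 message and return the indicators it matches."""
    msg = message_from_string(raw_eml, policy=policy.default)
    subject = msg.get("Subject", "")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    urls = numeric_ip_urls(text)

    reasons = []
    if normalise_subject(subject) in LURE_SUBJECTS:
        reasons.append("subject is on the Storm 4th-of-July lure list")
    if urls:
        reasons.append("link points at a bare numeric IP host")
    if any(HEX_TOKEN_PATH.match(path) for _, path in urls):
        reasons.append("hex tracking token is the only query string")
    return {"subject": subject, "urls": urls, "reasons": reasons,
            "suspicious": bool(reasons)}


if __name__ == "__main__":
    for label, raw in (("storm", STORM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, triage(raw))
```

Run against the two samples, the Storm message trips all three indicators and the control trips none. Treat the subject list as a short-lived signal and the numeric-IP link as the durable one: a legitimate greeting-card service links to its own hostname, while a botnet node handing out ECARD.EXE has nothing but an address.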


#3 harrywaldron (Topic Starter)

Posted 05 July 2007 - 09:03 AM

AV vendors are starting to post updated virus signature information as follows:

F-Secure - HTML Postcards.N Information
http://www.f-secure.com/v-descs/trojan_htm...stcards_n.shtml

QUOTE: Files that are detected as HTML/Postcard.N@troj are EML files that state that the recipient has received a greeting card from a friend, relative, or classmate. The recipient is encouraged to click on a link or to visit a website and enter their eCard number to view the message. When the user clicks this link, another page will appear stating that a new browser feature is currently being tested. The recipient is asked to click another link pointing to a file, usually named ECARD.EXE. We are detecting these files as Email-Worm.Win32.Zhelatin.


Trend - NUWAR.GU Information
http://www.trendmicro.com/vinfo/virusencyc...RM%5FNUWAR%2EGU

Trend - NUWAR.GU Behavioral Diagram
http://www.trendmicro.com/vinfo/images/WORM_NUWAR_GU_BD.gif

QUOTE: This worm propagates via email. On spammed email messages purporting to be electronic greeting cards (eCards) sent by contacts known to a target user, it includes a link where a malicious JavaScript detected by Trend Micro as JS_DLOADER.NUF is hosted. The said eCards supposedly come from legitimate eCard Web sites. It gathers target email addresses from files with certain file name extensions. It uses its own Simple Mail Transfer Protocol (SMTP) engine to send the email message. Having its own SMTP engine allows it to send messages without using any mailing application, such as Microsoft Outlook. This worm also injects a TCP/IP device driver so as to hide its network activities. In addition, it injects itself to a legitimate process to hide its malicious activities such as its email propagation routine.
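
The Trend Micro description quoted above says the worm sends its lures through its own SMTP engine rather than the user's mail client, so an infected PC talks TCP/25 straight to many recipients' mail servers. Where only the site's relay is allowed to do that, the fan-out is visible in flow logs without touching the host. The script below is an added example, not from the thread or from Trend Micro, and it assumes an internal range of 10.0.0.0/8 and a single authorised relay at 10.0.0.25; the flow records are constructed, and the function names (`parse_flows`, `smtp_fanout`, `find_spam_engines`) are mine.

```python
"""Spot internal hosts acting as their own SMTP engine.

The vendor write-up quoted in the thread says the worm mails its e-card lures
through a built-in SMTP engine, so an infected PC opens TCP/25 connections to
many external mail servers. Where only the site's relay may speak SMTP
outbound, that direct-to-MX fan-out stands out in flow data.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed for this example (not from the thread): internal range and relay.
INTERNAL_NETS = (ip_network("10.0.0.0/8"),)
MAIL_RELAYS = frozenset({ip_address("10.0.0.25")})
SMTP_PORTS = {25}
FANOUT_THRESHOLD = 5  # distinct external MXs before a host is reported

# Constructed flow records: "timestamp src sport dst dport proto".
# 10.0.0.25 is the relay (expected), 10.0.3.77 behaves like a spam engine,
# 10.0.3.79 sends one direct message and one via the relay.
SAMPLE_FLOWS = """\
2007-07-04T11:44:01Z 10.0.0.25 41000 203.0.113.10 25 tcp
2007-07-04T11:44:02Z 10.0.0.25 41001 203.0.113.11 25 tcp
2007-07-04T11:44:03Z 10.0.0.25 41002 203.0.113.12 25 tcp
2007-07-04T11:44:04Z 10.0.0.25 41003 203.0.113.13 25 tcp
2007-07-04T11:44:05Z 10.0.0.25 41004 203.0.113.14 25 tcp
2007-07-04T11:45:00Z 10.0.3.77 49152 198.51.100.1 25 tcp
2007-07-04T11:45:00Z 10.0.3.77 49153 198.51.100.2 25 tcp
2007-07-04T11:45:01Z 10.0.3.77 49154 198.51.100.3 25 tcp
2007-07-04T11:45:01Z 10.0.3.77 49155 198.51.100.4 25 tcp
2007-07-04T11:45:02Z 10.0.3.77 49156 198.51.100.5 25 tcp
2007-07-04T11:45:02Z 10.0.3.77 49157 198.51.100.6 25 tcp
2007-07-04T11:45:03Z 10.0.3.77 49158 198.51.100.6 25 tcp
2007-07-04T11:45:10Z 10.0.3.78 49200 192.0.2.50 80 tcp
2007-07-04T11:45:11Z 10.0.3.79 49201 198.51.100.9 25 tcp
2007-07-04T11:45:12Z 10.0.3.79 49202 10.0.0.25 25 tcp
"""


def parse_flows(text):
    """Yield (src, dst, dport) from whitespace-separated flow lines; skip junk."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue
        _ts, src, _sport, dst, dport, proto = fields
        if proto.lower() != "tcp":
            continue
        try:
            yield ip_address(src), ip_address(dst), int(dport)
        except ValueError:
            continue


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def smtp_fanout(text):
    """Map each internal, non-relay source to the external SMTP peers it contacted."""
    peers = defaultdict(set)
    for src, dst, dport in parse_flows(text):
        if dport not in SMTP_PORTS:
            continue
        if not is_internal(src) or src in MAIL_RELAYS:
            continue
        if is_internal(dst):  # mail handed to our own relay is expected
            continue
        peers[src].add(dst)
    return peers


def find_spam_engines(text, threshold=FANOUT_THRESHOLD):
    """Return [(src, distinct_external_peers)] for hosts at or over the threshold."""
    hits = [(str(src), len(dsts)) for src, dsts in smtp_fanout(text).items()
            if len(dsts) >= threshold]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


if __name__ == "__main__":
    for src, n in find_spam_engines(SAMPLE_FLOWS):
        print(f"{src}: {n} distinct external MXs on TCP/25 (direct-to-MX sending)")
```

On the constructed log only 10.0.3.77 is reported: the relay is exempt by policy, the host that sent one message directly stays under the threshold, and port 80 traffic is ignored. Pair this with an egress rule that drops TCP/25 from anything but the relay and the same hosts show up as blocked connections instead.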





