Posted on Tuesday, January 15th, 2008 | Bookmark on del.icio.us

Storm Loves You – New Campaign, Valentine’s Day Theme

by Jose Nazario

Welcome to “All Storm, All the Time!”, this time we delve into the malware that loves us.

I just got this email while I was out to lunch. I suspected Storm, so I grabbed it and sure enough, inspection reveals it’s a pointer to a storm node.


> Date: Tue, 15 Jan 2008 19:49:11 +0200
> From: olivier@aiyaracenter.com
> Subject: Sending You My Love
>
> Sending You All My Love http://24.210.161.135/

Defanged HTML when you visit that page …


> [!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
> "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
> [html xmlns="http://www.w3.org/1999/xhtml">
> [meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
> [title>With Love![/title>
> [body>
> [center>
> [script language="javascript">
> document.write( unescape(
> '%3C%61%20%68%72%65%66%3D%22%77%69%74%68%5F%6C%6F%76%65%2E%65%78%65%22%3E%0D%0
> A' ) );
> [/script>
> [img border=0 src="Hearts.jpg">[br>[/a>
> Your download should begin shortly. If your download does not start [br>in
> 10-20 seconds,
> you can [!-- a href="fck2008.exe" !-->
> [!-- a href="fck2009.exe" -->
> [script language="javascript">
> document.write( unescape(
> '%3C%61%20%68%72%65%66%3D%22%77%69%74%68%6C%6F%76%65%2E%65%78%65%22%3E%0D%0A'
> ) );
> [/script>click here[/a> to launch the download [br>and then press Run.
> [b>[font color=#FF0066>Enjoy![/font>[/b>
> [/center>
> [/body>
> [/html>

And here’s what the page looks like when you visit it:

storm_valentine.png

And decoding JavaScript we see the real link:

> [a href="withlove.exe">

If you click on the heart you’re prompted to download “with_love.exe”. Sample I fetched (I fetched both, they’re basically identical):


MD5: fd5246f37941849b1300643c90638f50
SHA1: aae1f533f0f208a8a2a4770a9d989a1cd3797f46
File type: MS Windows PE
File size: 114689 bytes

Analysis shows it’s a normal storm worm.

Peerlist dropped as C:\WINDOWS\system32\burito.ini
Drops C:\WINDOWS\system32\burito3547-7d31.sys I suspect the digits and the hex values are random, not sure if the “burito” is from a dictionary or static.

Subject lines seen so far:

  • A Toast My Love
  • Your Love Has Opened
  • Sending You My Love

Popularity: 1% [?]

This entry was posted on Tuesday, January 15th, 2008 at 2:50 pm and is filed under Botnets, Malware, Spam. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

7 Responses | Add your own



Comment Post by: JimR — January 17th, 2008 @ 5:07 am EST  Reply

I received this spam today. Subject line was “Surrounded by love”. Same thing, heart web page and link to withlove.exe.

Comment Post by: Maddy — January 17th, 2008 @ 9:13 am EST  Reply

hey…. ma system is affected with this worm… how to remove it…!!! please help…

Comment Post by: Maddy — January 17th, 2008 @ 9:14 am EST  Reply

N also please tell me, how it affects ma system…..

Comment Post by: shirkdog — January 17th, 2008 @ 12:42 pm EST  Reply

Add some more subjects:

When I’m with You
Our Love is Free
When You Fall in Love
A Token of My Love
I Love Thee

and my favorite:

Hugging My Pillow

Comment Post by: Sken — January 21st, 2008 @ 8:05 pm EST  Reply

I received this email from phillip.guerrero@tecksee.com.my Subject A Rose http://202.44.80.163/

It is the same as described above only under a different subject

Comment Post by: shirkdog — January 21st, 2008 @ 10:28 pm EST  Reply

Some more:
Dream of You
I Would Dream
Special Romance
In Your Arms
You’re the One
A Toast my Love
If Loving You
The Dance of Love
A Rose

and now I am at the point where it is meaningless to continue.

Comment Post by: ronald richardson — February 1st, 2008 @ 7:31 pm EST  Reply

received the same

From: cathychouvenc@br.calyon.com Add to Address Book Add Mobile Alert
To:
Subject: In Your Arms
Date: Sat, 2 Feb 2008 00:24:29 +0530

I Love You Soo Much http://200.8.171.179/

Anything that has an exe on the end is not good when it is from someone that u do not know. looked up withlove.exe on google,found out that it was a worm.

Leave a Comment