Stormworms spammy love notes

Published: 2008-02-12
Last Updated: 2008-02-13 18:59:43 UTC
by donald smith (Version: 5)
0 comment(s)

We received several reports of spam containing  Subject lines such as: “Sweetest Things Aren’t Things!, Valentine’s Day, The Love Train” and other similar subject lines. These all included a URL that just an IP Address. Those URLs lead to binaries named valentine.exe. The MD5 on the binaries is  changing rapidly so AV detection based on MD5 or other hash values is not reliable.

We submitted one version to virustotal. 12/31 of the av engines there recognized it. Valentine.exe is a new version of storm worm. Thanks to contributors Doug, Colin, Susan.

Update: The URLs are now being hosted on fast flux style hosting. Domains seen so far include and  Subject lines now also include "I Love You, Rockin' Valentine, You Stay in My Heart, My Heart For You, A hearty WIsh, and Thinking of U All Day". I am sure we will see other subject lines.


Jose Nazario of Arbornetworks has some additional about this at:

File valentine.exe received on 02.12.2008 17:28:57 (CET)

Antivirus Version Last Update Result
AntiVir 2008.02.12 Worm/Zhelatin.pb
BitDefender 7.2 2008.02.12 Trojan.Peed.IWX
DrWeb 2008.02.12 Trojan.Packed.357
eSafe 2008.02.11 Suspicious File
Kaspersky 2008.02.12 Packed.Win32.Tibs.ic
Microsoft 1.3204 2008.02.12 TrojanDropper:Win32/Nuwar.gen!B
NOD32v2 2868 2008.02.12 probably a variant of Win32/Nuwar.Gen
Prevx1 V2 2008.02.12 Stormy:All Strains-All Variants
Sophos 4.26.0 2008.02.12 W32/Dorf-AW
Symantec 10 2008.02.12 Trojan.Peacomm
VirusBuster 4.3.26:9 2008.02.12 Trojan.DR.Tibs.Gen!Pac.142
Webwasher-Gateway 6.6.2 2008.02.12 Worm.Zhelatin.pb

Additional information:

File size 119296 bytes
MD5 4e6951fffca1e210e4b9bb24e708b74f
SHA1 a7a8a9796146cd77c287a8d82958ff5456fa8d24
PEiD MinGW GCC 3.x
Prevx info
0 comment(s)


Diary Archives