NEWS FROM THE LAB - Tuesday, August 21, 2007

Zhelatin/Storm changes yet again Posted by Patrik @ 02:45 GMT

A few times over the last week we've posted on how the e-mails used by the Zhelatin/Storm gang have changed, so we weren't too surprised to see them change once again. This time, though, they look very different: they claim that "you" have signed up for various services such as MP3 World or Internet Dating.

Storm 08.21.2007


Subjects we've seen used in the e-mail messages so far are:

   Cat Lovers
   Dated Confirmation
   Internal Support
   Internal Verification
   Login Info
   Login Information
   Login Verification
   Member Confirm
   Member Details
   Member Registration
   Membership Details
   Membership Support
   New Member Confirmation
   New User Confirmation
   New User Details
   New User Letter
   New User Support
   Poker World
   Registration Confirmation
   Registration Details
   Secure Registration
   Tech Department
   Thank You For Joining
   User Info
   User Verification
   Your Member Info
   Welcome New Member
   Tech Support
   Internet Tech Support

And the senders have been:

   Bartenders guide
   Bartenders Guide
   Dog lovers
   Entertaining pics
   Entertaining pros
   Fun World
   Free ringtones
   Free web tools
   Game Connect
   Internet Dating
   Job search pros
   Mobile Fun
   MP3 world
   Net gambler
   Online hook-up
   Poker world
   Resume Hunters
   Ringtone heaven
   Web cooking
   Web connects
   Wine Lovers

Once someone visits the website, the text has changed a bit as well. It now says that you need a Secure Login Applet to be able to use the service, and the link points to applet.exe, which is of course the infected file.

Storm 08.21.2007

Similar to previous attacks, the page also uses exploits in an attempt to automatically infect the user when the page is viewed – so don't view it.
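For anyone wanting to turn the subject and sender lists above, plus the applet.exe lure on the landing page, into a mail-gateway check, here is an added example (not code from the original post or from F-Secure) that scores a single RFC 822 message against those indicators. The two sample messages, the example.invalid addresses and the 198.51.100.23 link are constructed for the example; the subject lines, sender names and the applet.exe filename come from the post.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Subject lines listed in the post, lower-cased so "Poker world" and
# "Poker World" compare equal.
STORM_SUBJECTS = {s.lower() for s in (
    "Cat Lovers", "Dated Confirmation", "Internal Support",
    "Internal Verification", "Login Info", "Login Information",
    "Login Verification", "Member Confirm", "Member Details",
    "Member Registration", "Membership Details", "Membership Support",
    "New Member Confirmation", "New User Confirmation", "New User Details",
    "New User Letter", "New User Support", "Poker World",
    "Registration Confirmation", "Registration Details",
    "Secure Registration", "Tech Department", "Thank You For Joining",
    "User Info", "User Verification", "Your Member Info",
    "Welcome New Member", "Tech Support", "Internet Tech Support",
)}

# Sender display names listed in the post (the address part varies and is
# not used for matching).
STORM_SENDERS = {s.lower() for s in (
    "Bartenders guide", "Dog lovers", "Entertaining pics",
    "Entertaining pros", "Fun World", "Free ringtones", "Free web tools",
    "Game Connect", "Internet Dating", "Job search pros", "Mobile Fun",
    "MP3 world", "Net gambler", "Online hook-up", "Poker world",
    "Resume Hunters", "Ringtone heaven", "Web cooking", "Web connects",
    "Wine Lovers",
)}

# The "Secure Login Applet" download the landing page pushes, per the post.
APPLET_LINK = re.compile(r"https?://[^\s\"'<>]+/applet\.exe", re.IGNORECASE)


def classify_message(raw_message: str) -> dict:
    """Return the indicators matched by one raw message and a verdict."""
    msg = message_from_string(raw_message, policy=policy.default)
    subject = str(msg.get("Subject", "")).strip().lower()
    display_name, _addr = parseaddr(str(msg.get("From", "")))
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""

    hits = []
    if subject in STORM_SUBJECTS:
        hits.append("subject")
    if display_name.strip().lower() in STORM_SENDERS:
        hits.append("sender")
    if APPLET_LINK.search(body):
        hits.append("applet_link")

    # Subjects like "Tech Support" are too generic to act on alone, so the
    # verdict needs either the applet link or a subject+sender pairing.
    suspect = "applet_link" in hits or {"subject", "sender"} <= set(hits)
    return {"hits": hits, "suspect": suspect}


# Constructed sample in the style the post describes (not a real capture).
SAMPLE_STORM = """\
From: MP3 world <member@example.invalid>
To: someone@example.invalid
Subject: New Member Confirmation
Content-Type: text/plain; charset="us-ascii"

Thank you for joining MP3 World! To use the service you need the
Secure Login Applet: http://198.51.100.23/applet.exe
"""

# Constructed benign sample for comparison.
SAMPLE_BENIGN = """\
From: Accounts <billing@example.invalid>
To: someone@example.invalid
Subject: Your invoice for August
Content-Type: text/plain; charset="us-ascii"

Hello, your invoice is attached.
"""

if __name__ == "__main__":
    for name, sample in (("storm", SAMPLE_STORM), ("benign", SAMPLE_BENIGN)):
        print(name, classify_message(sample))
```

The subject and sender lists are only as good as the day they were collected, which is why the verdict leans on the applet.exe link: the gang rotates lures faster than anyone updates word lists, but the download name had stayed constant across the run described here.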

UPDATE: The spam runs of these e-mail messages continue and we've updated the list of subjects and senders used. Feel free to mail us if you've seen any others that we don't have on the list. Use the e-mail address listed at the top of the page.

Thanks to everyone who has sent us updates on the subjects and senders used.