NEWS FROM THE LAB - Monday, March 3, 2008

Storm Reactivating
Posted by Mikko @ 07:21 GMT

We haven't seen new Storm sites since the spam run they did over Valentine's Day… until early this morning.

Right now they are sending a wide variety of mails regarding ecards, along these lines:

Check out your ecard.

If you follow the link, you end up with a malicious site that looks like this:


Depending on what you do, you end up with either e-card.exe (clicking the picture), e-card.exe (clicking the link) or postcard.exe (waiting for a few seconds). The files themselves vary, but they always do the same thing: infect your system with the latest Storm/Zhelatin variant.

We detect these as Email-Worm.Win32.Zhelatin.vg.