The spam email started out distributing the worm in attachments to the email, and later changed to delivering it from web sites linked in the spam. Symantec: New Storm Front Moving In tells us that the typical email would contain a link to a "secure" web site, and the linked web site would contain the instruction
If you do not see the Secure Login Window, please install our Secure Login Applet.
Now, it is being distributed through Blogger, from blogs marketed to those surfing the Blogosphere through the "Next Blog" link.
It can be seen in a Blog*Spot splog farm, with blogs using intriguing titles like "Dying To Live", "Katrina Thanks", and "Rocking Consumption", and posts with titles like "this video rocks" and "not yet seen on MTV". The blog posts then link to a web site which will instruct you to download and execute "video.exe".
Alex Eckelberry of Sunbelt Software says
This worm is vicious and nasty, and the spams are quite ubiquitous.and offers a blog post illustrating a typical Blog*Spot infection. Symantec Software describes the email problem as
one of the largest identified surges in the last several months.
This YouTube video by F-Secure is kind of dry, but it should give you an idea what a problem this attack is becoming.
>> (Note): If you go "Next Blog" surfing, watch out for posts like what's illustrated in SunbeltBlog: Storm worm hits Blogger. Any blog, that you encounter through "Next Blog", suggesting a new video that requires you to download and execute any installation program, should be immediately suspect. Ditto any similar email.
We are currently trying to determine the exact nature of the blog posts offering the worm, and whether they are
- New blogs, created specifically for the purpose of distributing the worm, by the bad guys,
- Existing blogs, hijacked by the bad guys, stolen from the legit owner,
- Existing blogs, with posts added by the worm, from a hacked computer used by the legit blog owner.
Also worth asking is the question
Is the worm spreading through Blogger, or Blog*Spot? Remember, Blogger is not the same as Blog*Spot.
As Avert Labs advises
McAfee Avert Labs expects the spammers to continue using these types of tactics and it will be imperative that users are educated on how to avoid becoming a victim.So become educated, as that is the best way to protect yourself.
>> Forum thread links: bX-*00065
>> Copy this tag: bX-*00065