Beware of spammed emails with subjects like 'In Your Arms'
With Valentine's Day a full month away, the Storm BotNet is becoming active again, after a very brief nap. In what appears to be an early head start on a run of infected Valentine's Day greetings, tonight I received a message with the subject "In Your Arms," with but one line of body text, consisting of this:
I Love You Because http://68.52.93.---/
where the dashes stand for digits I removed; the address belongs to a Comcast Cable Internet customer who is unknowingly hosting the Storm Trojan on his or her computer. The spam was sent by another Storm Trojan infected computer, in Brazil. These two computers are in far-removed countries, yet they are zombie members of the same Storm BotNet, whose membership is estimated to be in the hundreds of thousands, if not millions.
If you get a spam message similar to this one, delete it immediately. Do not play Curious George and click on the link. The world already has too many Storm Trojan infected computers. Instead of a message of love behind the big heart graphic on the host machine, you will find that you have been deceived by criminals in the Baltic regions who do not love you at all and do not have your best interests in their hearts. You will have downloaded a file named "with_love.exe" (or a variation thereof), which is the Storm Trojan itself. Storm Trojan computers are used for illegal activities such as spamming, scamming, hosting Trojan files and phishing/identity theft web pages, and launching denial-of-service attacks. That is the love that awaits victims of these scams.
Every victim clicked a link in a spam message sent from another infected computer that had been programmed to send them; the links are mostly numeric IP addresses, but not always. Every infection occurred when the victim, after clicking the spammed link, arrived at the web page hosting the Trojan file and was infected either by a JavaScript-activated stealth download or by clicking a visible download link. And, in case you were wondering how anybody could be so stupid, they clicked on the visible links like they were going out of style! Why? Because they had already been duped into thinking that a greeting card or love letter awaited them, and if they had to click again to actually see it, what harm could that be? Unless those computers were being run with limited user privileges, they were instantly infected and became members of the ever-growing legions of the Storm BotNet. Within hours or days their computers were also sending out thousands of similar spam email messages and were being used to host the same web page, with the same infection routines.
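The three traits of this run that a mail filter can key on are all in the quoted message: a bare numeric IP in the link instead of a domain name, a one-line body consisting of a lure phrase plus that link, and a romantic subject. The following is an added example (not code from the original post or from any named product) of a small filter that scores a raw message on those traits; the two messages and the lure-word list are constructed for the demonstration, and 203.0.113.7 is a documentation address, not the real host.

```python
import re
from email import message_from_string
from ipaddress import ip_address

# Constructed samples modelled on the message quoted above; not real captures.
SAMPLE_SPAM = ("From: sender@example.invalid\nSubject: In Your Arms\n\n"
               "I Love You Because http://203.0.113.7/\n")
SAMPLE_LEGIT = ("From: friend@example.invalid\nSubject: Valentine's dinner\n\n"
                "Hi,\n\nTable is booked for Thursday.\n"
                "Details: https://www.example.com/reservations/123\n\nSee you there!\n")

URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
# Lure words from this run of greetings; an assumed list, extend as needed.
LURE_WORDS = ("love", "heart", "valentine", "in your arms", "kiss")

def bare_ip_hosts(text: str) -> list[str]:
    """Hosts of URLs in text that are bare IP literals rather than domain names."""
    found = []
    for host in URL_RE.findall(text):
        host = host.split(":")[0]   # drop an explicit port, if any
        try:
            ip_address(host)
        except ValueError:
            continue                # a real hostname, not an IP literal
        found.append(host)
    return found

def classify(raw_message: str) -> dict:
    """Score one raw RFC 822 message; a bare-IP link alone is enough to flag it."""
    msg = message_from_string(raw_message)
    subject = (msg["Subject"] or "").lower()
    # Concatenate the text/plain parts (works for single-part and multipart mail).
    body = "\n".join(
        (p.get_payload(decode=True) or b"").decode(p.get_content_charset() or "utf-8", "replace")
        for p in msg.walk() if p.get_content_type() == "text/plain")
    lines = [ln for ln in body.splitlines() if ln.strip()]
    reasons = []
    if bare_ip_hosts(body):
        reasons.append("bare_ip_url")
    if len(lines) == 1 and URL_RE.search(body):
        reasons.append("one_line_body_with_link")
    if any(word in subject for word in LURE_WORDS):
        reasons.append("lure_subject")
    return {"reasons": reasons,
            "suspicious": "bare_ip_url" in reasons or len(reasons) >= 2}

if __name__ == "__main__":
    for raw in (SAMPLE_SPAM, SAMPLE_LEGIT):
        print(classify(raw))
```

A romantic subject on its own is a weak signal, so the legitimate dinner invitation is not flagged; the bare-IP link is treated as decisive because legitimate greeting-card services link to domain names.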
Are you already infected with the Storm Trojan? There are several ways to find out. One is to read my blog article about detecting a Storm Trojan infection, which I wrote on December 28, 2007.
If you have anti-virus and anti-spyware programs on your PC, update them to the latest versions and definitions, then reboot into Windows Safe Mode, log in as the Administrator, and run scans with everything you've got. If any major malware items are found, be sure to disable System Restore before you disinfect, or you will be re-infected when you reboot.
If you don't have any security protection installed, or what you do have is outdated, you can run a free, reliable online spyware and virus scan with the Kaspersky Online Scanner. Kaspersky Labs produce some of the best anti-virus and anti-spyware programs in the world. They aren't free, but they are reasonably priced given the many daily updates registered owners receive and the accuracy of their detections. Using their free online scanner requires that you first download the complete detection database (which takes a while) before choosing a system area to scan. Subsequent visits to the service only require small updates to the database, which happen much faster.
I was scanning with the Kaspersky Online Scanner in Internet Explorer as I typed this in Firefox, and it didn't put any additional load on my system. The scan was quite thorough. The scanning sequence I chose and recommend is this: 1st test: memory; 2nd test: critical system areas; 3rd test: email databases. If you want to scan selected files or folders, there are links to choose the ones you want. There is also a link to scan your entire computer, which will probably take a long time, so only use this if you aren't in any hurry for the results (overnight?).
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.