Imagine receiving an anonymous email from someone who claims to be a private detective, who proves that he is listening to your phone calls by attaching a tape-recording to the email message. Intrigued enough to click on the attachment? Perhaps, if you have something to hide…
Preying on exactly these fears is the latest malware attack, in an outbreak that began this weekend, with email subject lines like: “i’m monitoring you,” “you’re being watched,” “your phone is monitored,” and “the tape of your conversation.”
The messages have an attachment that is a password-protected, compressed file; the malware inside the attachment is unleashed if recipients are concerned enough about their secret phone habits to expand the file with the password provided in the body of the email. Attachment names are numerical variations on “call1105-10.rar.” The compressed file appears to be an mp3 sound file. If you look closely at it, however, you will see that the file name has many empty spaces after the mp3 “ending,” followed by a second ending, .scr, an executable type favored by malware writers.
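The padded double extension described above can be caught by inspecting file names, for example those listed from an unpacked archive. The following Python check is an added example, not part of the original post; the extension lists, function names and sample file names are assumptions constructed for illustration.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Extensions Windows will execute directly (assumed list, not exhaustive).
EXECUTABLE_EXTS = {"scr", "exe", "pif", "com", "bat", "cmd", "vbs", "lnk"}
# Extensions a recipient reads as harmless media or documents (assumed list).
DECOY_EXTS = {"mp3", "wav", "wma", "jpg", "gif", "pdf", "doc", "txt"}

# <stem>.<decoy><padding>.<real>  The padding is captured so it can be measured.
# In Python 3, \s also matches non-breaking spaces and other Unicode whitespace.
_NAME = re.compile(
    r"^(?P<stem>.*)\.(?P<decoy>[A-Za-z0-9]{1,5})(?P<pad>\s*)"
    r"\.(?P<real>[A-Za-z0-9]{1,5})\s*$",
    re.DOTALL,
)


class Finding(NamedTuple):
    shown_as: str  # extension the recipient is meant to notice
    runs_as: str   # extension the operating system actually acts on
    padding: int   # whitespace characters pushing the real extension out of view


def check_name(filename: str) -> Optional[Finding]:
    """Return a Finding when a decoy extension hides an executable one."""
    m = _NAME.match(filename)
    if m is None:
        return None  # fewer than two extensions: not this trick
    decoy, real = m["decoy"].lower(), m["real"].lower()
    if decoy in DECOY_EXTS and real in EXECUTABLE_EXTS:
        return Finding(decoy, real, len(m["pad"]))
    return None


def scan(names: List[str]) -> List[Tuple[str, Finding]]:
    """Check every name and keep only the suspicious ones."""
    return [(n, f) for n in names if (f := check_name(n)) is not None]


# Constructed sample names modelled on the description in the post.
SAMPLES = [
    "call1105-10.mp3" + " " * 40 + ".scr",  # padded double extension
    "photo.jpg.exe",                         # double extension, no padding
    "call1105-10.mp3",                       # genuine single extension
    "report.final.pdf",                      # two dots, nothing executable
]

if __name__ == "__main__":
    for name, finding in scan(SAMPLES):
        print(f"{name!r}: shown as .{finding.shown_as}, runs as "
              f".{finding.runs_as}, {finding.padding} padding chars")
```

A large padding count is the stronger signal: it indicates the name was built to push the real extension past the edge of a file dialog or mail client column.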
One possible mistake by the virus distributors was to use .rar compression, which is much less common than the standard .zip and, unlike zip files, cannot be opened on Windows machines unless WinRAR is installed.
Commtouch first identified the outbreak on Saturday, Nov. 17, at 11:01 am UTC.
BTW – I still don’t have confirmation at this stage that it’s Storm Worm related – but it’s my best guess.