Warning – Valentine’s Day Storm Worm – Real Virus

5 Feb

Virus: “Valentine’s Day” Storm Worm

Status: Real

Example: [Collected via email January 2008]

PLEASE READ – Malicious Email

If you receive an email with any of the following subject lines please delete the email immediately (I recommend doing this with your home email as well). These emails contain a link or attachment, that when clicked could infect your computer with a Trojan Horse. Our spam filter is having trouble blocking the email because the emails are generated by computers that are already infected with the worm, meaning there are thousands of sources that this email is coming from. The spam filter has been able to block some but not all of the incoming messages.

The emails are easy to identify by Subject Line and the body. The body contains a short message and a link that uses an IP address rather than the domain. Example:

This Trojan has been around for a little over a year now and reemerges during a holiday, in this case Valentine’s Day. Until now we haven’t seen too much activity, but today we are seeing increased activity.

  • A Dream is a Wish
  • A Is For Attitude
  • A Kiss So Gentle
  • A Rose
  • A Rose for My Love
  • A Toast My Love
  • Come Dance with Me
  • Come Relax with Me
  • Dream of You
  • Eternal Love
  • Eternity of Your Love
  • Falling In Love with You
  • For You….My Love
  • Heavenly Love
  • Hugging My Pillow
  • I Love You Because
  • I Love You Soo Much
  • I Love You with All I Am
  • I Would Dream
  • If Loving You
  • In Your Arms
  • Inside My Heart
  • Love Remains
  • Memories of You|A Token of My Love
  • Miracle of Love
  • Our Love is Free
  • Our Love Nest
  • Our Love Will Last
  • Pages from My Heart
  • Path We Share
  • Sending You All My Love
  • Sending You My Love
  • Sent with Love
  • Special Romance
  • Surrounded by Love
  • The Dance of Love
  • The Mood for Love
  • The Time for Love
  • When Love Comes Knocking
  • When You Fall in Love
  • Why I Love You
  • Words in my Heart
  • Wrapped in Your Arms
  • You… In My Dreams
  • Your Friend and Lover
  • Your Love Has Opened
  • You’re my Dream

The “Storm Worm” (so named because the spam e-mail messages that carried it commonly bore the subject line “230 dead as storm batters Europe”) debuted in January 2007, and it has reappeared many times since then with topically-adjusted lures & subject lines that reference current events or upcoming holidays.

In January 2008, Storm Worm lures began appearing in the form of e-mails bearing Valentine’s Day-related subjects and containing IP address-based hyperlinks. Clicking on the link in one of these messages takes the recipient to a web page that displays a heart and triggers the download of a Trojan horse onto the user’s computer. (The worm affects most Windows-based platforms: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP.)

The underlying worm is the same one that has appeared in messages with subject lines as “You’ve received an e-card from an admirer,” the Laughing Kitty,” the “Dancing Skeleton,” as well as several game and music download offers. According to spamtrackers.eu:

The storm network is large enough to cut off internet access from any institution its operators choose to attack via a “distributed denial of service attack,” in which hundreds or thousands of computers request files from a server simultaneously. The entire country of Estonia was brought down that way last year. The network is actually available for rent for anyone who wishes to use it to send spam, host illegal websites, or stage denial of service attacks.

Storm is a serious threat for several reasons. It communicates “peer-to-peer” instead of via a “command and control” network. For that reason, you can’t just disable a few computers that are feeding instructions to the others. The virus download is encrypted, so it is difficult for antivirus programs to recognize, and infected computers are updated by the peer network on a daily basis to keep antivirus programs from recognizing it once they are updated to recognize previous editions of the virus. The number of infections worldwide is massive, and a quarter of them are on major networks in the US like SBC, Comcast, and Roadrunner. That means that a bank or other business under denial of service attack can’t simply block all traffic from certain segments of the internet, because it would be blocking its own users that are sharing those same internet addresses with storm infected computers as they log in and out of the internet. It is believed that Storm’s operators are located in St. Petersburg, Russia, are known to the Russian government, and enjoy its protection.

Since antivirus programs will not protect your computer, the most important thing is for people to be extremely suspicious about where they go and what they click on. Never click on any link in an email from someone you don’t know. Never click on a link in an advertisement on the internet — if you want to visit that site, look up the address yourself.

This version of the Storm Worm should not be confused with the “Be My Valentine” hoax virus warning from 2000.


%d bloggers like this: