Storm with Love back again!!!
Posted by jeremy on April 4th, 2008
Looks like the Storm Worm authors are at it again, but this time with a repeating theme much like the Valentine's Day theme we saw a few months ago. This time there are no automated downloads, nor is there any JavaScript. The page is actually very simple; take a look for yourself:
I guess with no major holidays on the horizon and the success rate the Storm Worm authors saw with the "love" theme they decided to revisit it. Here is a snapshot of the current page source:
So as you can see there are now only two binaries being advertised, "love.exe" and "withlove.exe". I submitted "withlove.exe" to VirusTotal for analysis and, well, only 2/32 antivirus applications were able to even call the file suspicious. Here is a link to my results: VirusTotal Results. My Storm Worm binary tracker first caught the change at 13:33 Central Standard Time, so I guess the lack of detection can be expected. I also sacrificed one of my lab machines to see if anything had changed. Looks like the "aromis.exe" and "aromis.config" files are still being stuck into the C:\windows directory, so nothing new there. I was able to obtain a list of 907 IPs in the peer list. Here is a copy of the list: Storm Worm Peer List (temporarily removed, as I think I messed something up here during my analysis). Well, as always, if you have any questions regarding this posting or anything else, feel free to contact me at jeremy [at] sudosecure [dot] net. Have a great weekend!
UPDATE:
Sorry for the confusion with the peer list. My script that parses the Storm Worm config file had an error in it... OOPS
Anyways, I have since fixed the error and ran it again on a newly infected box in my lab. I only got 710 IPs this time, but hey, at least it worked this time. Here is the list I have now: Storm Worm withlove Peer List. I do not guarantee this information as 100% accurate, and if your IP is listed and you would like it removed, feel free to contact me at jeremy [at] sudosecure [dot] net. I may post the Perl script I use to parse the file at a later date, once I clean it up and make it a little more user friendly... No promises though!