Storm Worm Spam now pushing Stocks (AGMS)
Posted by jeremy on 16th June 2008
Looks like the authors of the Storm Worm spamming bot have moved on from Canadian pharmaceuticals to giving financial advice. While running the Storm Worm in my lab and allowing it to beat up my fake SMTP server, I captured 2,379 spam messages. Of these there were only 130 unique subject lines, which can be seen here: subjects. As you can see, all of the subjects pertain to motivating someone to go out and buy penny stocks. Various misspelled messages were seen, such as this one:
d_ n't w e preidct it?
Busienss Name: Ans-gtrom Microsytsems
Ticker: agms.ob
Outlook: Storng Purchase
Marekt prcie: .4 00
Shaers- traded: 331,485-Now that- the news it o'ut, vol.um e is thorugh __the roof.
Mroe events will un'fo"l d , clien'ts are seeing the need for these
prodcuts A GMS. can be your ticket.,The window" is still open,' obtain this stock early Te'u sday.
This definitely is not the Storm Worm authors' most professional-looking work, and is actually very sloppy compared to past spam campaigns. Here is a copy of my full log: smtp log
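The triage I did by hand above (counting unique subjects, spotting the ticker through the deliberate misspellings) can be scripted against a fake SMTP sink's log. The following is an added example, not the tooling from this post; the three captured messages are constructed from the sample quoted above, and the header-then-body layout is assumed.

```python
"""Triage captured spam for stock-pump content.

Added example (not the post's own tooling). Each captured message is
assumed to be stored as RFC 822 text: headers, blank line, body.
"""
import re
from collections import Counter
from email import message_from_string

# Constructed sample: two messages reusing the obfuscated body quoted in
# the post plus one unrelated message. Not taken from the real log.
CAPTURED = [
    "Subject: d_ n't w e preidct it?\nFrom: a@example.invalid\n\n"
    "Busienss Name: Ans-gtrom Microsytsems\nTicker: agms.ob\n"
    "Outlook: Storng Purchase\nMarekt prcie: .4 00\n",
    "Subject: d_ n't w e preidct it?\nFrom: b@example.invalid\n\n"
    "Ticker: AGMS.OB\nobtain this stock early Te'u sday.\n",
    "Subject: Meeting notes\nFrom: c@example.invalid\n\nSee attached.\n",
]

# OTC-BB / pink-sheet style symbols as they appear after normalization.
TICKER_RE = re.compile(r"ticker:([a-z]{1,5}\.(?:ob|pk))", re.MULTILINE)


def normalize(text):
    """Defeat the spam's obfuscation: it splits words with spaces, quotes
    and underscores, so drop everything except letters, digits, '.', ':'
    and line breaks before pattern matching."""
    return re.sub(r"[^a-z0-9.:\n]", "", text.lower())


def extract_ticker(body):
    """Return the pushed ticker symbol (upper-cased) or None."""
    m = TICKER_RE.search(normalize(body))
    return m.group(1).upper() if m else None


def triage(messages):
    """Count distinct subjects and how often each ticker is pushed."""
    subjects, tickers = Counter(), Counter()
    for raw in messages:
        msg = message_from_string(raw)
        subjects[msg.get("Subject", "").strip()] += 1
        ticker = extract_ticker(msg.get_payload())
        if ticker:
            tickers[ticker] += 1
    return {"total": len(messages),
            "unique_subjects": len(subjects),
            "tickers": dict(tickers)}
```

Run over a real sink log, a single ticker dominating the `tickers` counter is the signal that a campaign is a coordinated pump rather than scattered stock chatter.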
Another oddity in this move to pushing penny stocks is that the company represented in these spam messages does not appear to be a willing participant in the campaign. Searching Google, I found several references to these spam messages and found this particular article interesting: marketwatch.com article. Angstrom Microsystems appears to be searching out the people and/or organization behind these spam messages, so I have sent them an email describing my findings and wish them the best of luck with doing what many others would like to do: catching the Storm Worm authors. Maybe with the help of the US Securities and Exchange Commission they will grow closer to being able to prosecute at least someone from the Russian Business Network. I wouldn't get my hopes up though.
The binary I used in my testing was the "loveyou.exe" binary being hosted by numerous Storm web servers. Once run, it creates another binary named "msoupdater.exe" in "%WinDir%", along with a list of peers (other Storm Worm bots) titled "msoupdater.config". Some good news about this version of the Storm Worm is that it is being detected by antivirus software fairly well. VirusTotal results: loveyou.exe and msoupdater.exe. Here are the 903 peers I extracted from the msoupdater.config file: peers.txt.
On another note, sorry for my lack of posting lately, as I have been on vacation and enjoying summer. As always, if you have any questions or comments feel free to contact me.
Posted in Bots and Worms, Storm Worm, Uncategorized