Another round of Storm spam is now unscrupulously offering video footage of “details of this terrible disaster”, with a link to “beijing.exe”. We are seeing a low percentage of users receiving this payload so far, mostly in Dubai, falling for the message:
“A new powerful disaster just occurred in China. The most deadly, 9 magnitude, earthquake took away million of lives in the heart of China, Beijing. Rapidly growing panic paralyzed life of Chinese capital. 2008 Olympic Games are under the threat of failure. Click on the video to see the details of this terrible disaster and choose either “Open” or “Run”.”
Do not visit the website:
Of course, instead of a link to a video, the code behind the “mov.gif” image of a video object directs the user to download “beijing.exe“, seen as “beijing[1].exe” on TF users’ systems. When run, this executable drops and starts “msvupdater.exe” in the windows directory on the system. The msvupdater component carries with it the familiar P2P code that Storm uses, and attempts to send out email from the system.
Hidden away in the last line of html source is tiny iframe linking to “ind.php”, as seen here:
iframe src=”ind.php” width=”1″ height=”1″ style=”visibility:hidden;position:absolute”
This php file contains quite a bit of obfuscated javascript. After dissecting the script, we find that it is attacking an older NCTAudioFile2 ActiveX vulnerability, the more recent RealPlayer vulnerability, a older BaiduBar Soba vuln, and a couple of ancient setSlice and WebFolderView vulnerabilities. Basically, these guys have a newer commodity attack kit with some new obfuscation features.
