Archive for the ‘Storm’ Category
Friday, February 13th, 2009

With Valentine’s day approaching, the group continues to spam out links to a new set of sites with some new themes and filenames to watch for, like “reader.exe” and “run.exe”. The pages do not yet seem to carry redirects to pages hosting exploits. Instead, the text directs the user to “Click here to view your card.” Do not download and run these executables. Instead, please click on this post’s Waledac blog label below for previous posts about the ongoing threat.

And another…

Messages related to the image above include subjects like “A Valentine E-Card from ” and text like: “… has sent you a Valentine’s Day greeting card and wrote this to you: ‘Heaven is not heaven without U’ Just click on the following link to see your E-card: hxxp://yolk .fun loveonline .com/?cardnum= For your convenience, the greeting card will be available for the next 30 days.” Do not click on the link or download the malware at that link.
Messages wishing you a “Happy Valentines Day!” contain text like: “Flora just mailed an electronic Valentine greeting card and wrote this to you: ‘love u so much dear..’ To view this page please click here: hxxp:// ii. cherishpoems.com/?code=rand_num You can see your card at any time within 30 days.”
Leading to teddy bear malware:

Posted in Social Engineering, Spam, Storm, Waledac | No Comments »
Monday, February 9th, 2009

In one of their more complicated themes, the Waledac team is following up on a previous blast, spamming out links to a few new malicious websites, each one using a strange “Valentine Devkit” theme. Clicking on an image on one of these pages results in a download of various names: loveprogramm.exe, ecard.exe, postcard.exe, lovekit.exe, mylove.exe, runme.exe, loveexe.exe… The files themselves are effectively obfuscated, with very low (non-existent) AV scanner detection at the current time. The site suggests that a “nicely designed Valentines Card for your sweetheart” can be created with their “Valentine Devkit”.
The web pages seem unusual for the group in one respect: they do not carry the “google-analytics.js” javascript link that was present in previous campaigns. That means the team is not yet delivering the commodity client-side exploits (drive-by exploits) to distribute their malware. Instead, they are relying on users to download and install the malware files on their own. ThreatFire is currently blocking this malware in our community, so far in low volume.
There seem to be some legitimate development kits of this sort: on another web site, instructions that may be getting confused and mimicked with the Waledac gang’s devkit explain how to use another “devkit” to create a Flash ecard in time for Valentine’s Day. Other searches for Valentine’s Day Dev Kits produce kits to be run on other operating systems.
We’ll share some additional research notes on the malware’s functionality and its obfuscation, so be sure to check in later.
Posted in Social Engineering, Spam, Storm, Waledac | No Comments »
Friday, January 23rd, 2009
In their most predictable fashion, the distributors of Waledac are engineering a new valentine’s day scheme for their malware delivery. The ThreatFire community is preventing you.exe, meandyou.exe, and onlyyou.exe from being run on desktops. The web servers appear to be serving the same file from each site with the names above, which ThreatExpert identifies accurately.

The distributors currently are using hxxp://goodnewsreview.com hxxp://worldnewseye.com hxxp://www.spacemynews.com hxxp://www.worldnewsdot.com hxxp://www.worldtracknews.com hxxp://www.wapcitynews.com hxxp://linkworldnews.com hxxp://goodnewsdigital.com hxxp://waleprojekt.com hxxp://expowale.com hxxp://topwale.com to serve up some of these files and the nice graphics above with a cute question: “Guess, which one is for you?”. Old sites listed at Shadowserver and elsewhere are being re-used as well with the new valentine’s day theme. A screenshot of one of the sites is above. Along with the visual pleasantries, we are also seeing the standard set of commodity exploits served up to unsuspecting visitors via a redirection to a “google-analysis.js” obfuscated javascript.
DO NOT VISIT THESE SITES, DO NOT DOWNLOAD AND RUN THESE EXECUTABLES.
Compare this to last year’s Valentine’s day Storm theme that we described in a post, which they served up “With love!”:

And another of Storm’s themes that we posted about here.
Posted in Bot, Exploit, Social Engineering, Spam, Storm, Undetected malware, Waledac | No Comments »
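The posts above give a defender a concrete set of indicators for this campaign: the lure executable names, the e-card link shapes (`?cardnum=`, `?code=`), the lure phrases in the spam text, and the redirect script name. The following is an added example, not code from the original blog or from ThreatFire, that scores mail messages against those indicators; the sample messages and the example.com links are constructed for the demonstration.

```python
import re
from typing import List, Tuple

# Executable names the posts above report being served by the card sites.
SUSPECT_EXE = {
    "reader.exe", "run.exe", "loveprogramm.exe", "ecard.exe", "postcard.exe",
    "lovekit.exe", "mylove.exe", "runme.exe", "loveexe.exe",
    "you.exe", "meandyou.exe", "onlyyou.exe",
}

# Lure phrases quoted from the spam messages and card pages above.
LURE_PHRASES = (
    "valentine e-card", "greeting card", "click here to view your card",
    "valentine devkit", "guess, which one is for you",
)

LINK_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
CARD_PARAM_RE = re.compile(r"\?(?:cardnum|code)=", re.IGNORECASE)
REDIRECT_SCRIPTS = ("google-analytics.js", "google-analysis.js")


def score_message(subject: str, body: str) -> Tuple[int, List[str]]:
    """Return a heuristic score (number of indicators hit) and the reasons."""
    reasons: List[str] = []
    text = f"{subject}\n{body}".lower()
    for phrase in LURE_PHRASES:
        if phrase in text:
            reasons.append(f"lure phrase: {phrase!r}")
    for link in LINK_RE.findall(text):
        if CARD_PARAM_RE.search(link):
            reasons.append(f"card-style link: {link}")
        # Last path segment before any query string, e.g. ".../you.exe"
        filename = link.split("?", 1)[0].rsplit("/", 1)[-1]
        if filename in SUSPECT_EXE:
            reasons.append(f"known lure executable: {filename}")
    if any(name in text for name in REDIRECT_SCRIPTS):
        reasons.append("redirect script name seen in earlier campaigns")
    return len(reasons), reasons


def is_suspicious(subject: str, body: str, threshold: int = 2) -> bool:
    """Flag a message once two or more independent indicators fire."""
    return score_message(subject, body)[0] >= threshold


# Constructed sample messages (not real spam): one lure, one benign.
SAMPLE_LURE = ("A Valentine E-Card from Flora",
               "Flora just mailed an electronic Valentine greeting card. "
               "To view this page please click here: "
               "http://card.example.com/?code=12345")
SAMPLE_BENIGN = ("Team lunch Friday",
                 "Still on for noon? http://intranet.example.com/calendar")
```

Requiring two indicators keeps a single generic phrase such as “greeting card” from flagging legitimate mail on its own.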