New e-card scam?

Today I received two mails which looks like the e-card-scam (Storm).
Both e-mails came from the IP (219.65.86.56), which is located in India.
They where send from two different domains: [name]@navigant.in and [name]@bbyonre.org

The first mail has the subject "I am complete" and the message contains only one line:

The second mail has the subject "In your arms"
Message:

(The original message contains 'http' instead of 'hxxp')

Because I was very curious I clicked both links (in VME/Sandboxie) and I expected that I should be prompted to download an "e-card" (Zhelatin, Nuwar, Peacomm, etc).
But both links are dead.

Does anybody here know more about this scam/spam?
Could it be an attempt to drop malware? Or is it just 'regular' spam?

Thanks in advance.

 

I've been getting a bunch of these as well.
Fortunately, my spam filter is identifying them and putting them in the appropriate folder.
The IP link takes you to a site where you're prompted to DL "withlove.exe".
(Isn't that sweet?)
Although I didn't bother to DL it and submit (out of curiosity) to Jotti, I found references to "withlove.exe" as containing Stormy or I-Worm/Nuwar.L

http://www.prevx.com/filenames/1664974208280366732-0/WITHLOVE.EXE.html
http://free.grisoft.com/doc/6/us/frt/0

 

Thanks for posting this, Bob D.

The spam/scam you mentioned is refered to a website where you're prompted to download the Peed/Nuwar/Peacomm etc or other Storm-trojan variants.
In my case the link was dead.

Unfortunately for me. I was expecting (or hoping) to find a new variant.
I know this sounds strange, but since christmas last year I investigate almost everything that has to do with the Storm-trojan.
Since I published a summary of the first analysis-results I receive several requests for further analysis. At the moment I'm working on this.

Can you please give me the URL where the link takes you and where you're prompted to DL an e-card. (in case it is a 'new' one)
I don't know if it is allowed to post malicious URLs in this forum, but the PM works fine here

Thanks,

Chato

 

I'll give the mods / admins time to comment on posting.
Otherwise, I'll PM you.
I only have maybe two left that I haven't deleted, but I'll save them for u.

cheers

 

We very much would appreciate that route so as not to violate our terms of service as it relates to "malicious URLs".

Thanks,
Bubba

 

Thanks for your reply, Bubba.
I already received the URLs from Bob by PM.

But still my question is not answered.

Did I receive an e-mail with an attempt to download a variant of Storm? Did anybody else receive a similar e-mail the last days? Why does somebody/something send me an e-mail with the 'request' to visit a webpage which is not online? Or has it nothing to do with Storm?

Any comment, recommendation, etc is welcome!

regards,

Chato

 

The technique of fast flux pretty much insures that the domains and binaries change quickly. In the second diary below, the updates note these changes.

http://isc.sans.org/diary.html?storyid=3778

http://isc.sans.org/diary.html?storyid=3784

http://isc.sans.org/diary.html?storyid=3855

Because my ISP effectively blocks these ecards, I'm limited to what comes through on my yahoo account.

Part of the "problem" if you will, also is fast response time to take down these sites -- only once this month has any URL worked.


----
rich

 

I just received a live URL at my Yahoo acct. (check your PM). I downloaded one, and again after about 15 minutes -- As noted in the above diary, the binary changes after about 15 minutes. A check of both files at VirusTotal yielded no results from any AV.

Of course, this particular e-card exploit should be a no-threat, since it's a social-engineered attack.

Also, e-cards are not executable files.

And, it's not a remote code executed exploit, rather, the user has to click to download/install.

EDIT: regarding the VirusTotal results, note this comment from sans.org (3rd link above):

Best protection, of course, is for the user not to execute it. And the user should not, because in this particular case, she/he would break at least two rules that should be followed,

1) Not to pay attention to an email from an unknown source

2) Not to click on an unknown link

----
rich

 

Thanks to Rmus and Bob D
Now I'm sure that this is the latest Storm-variant.
One of the links in the received scam e-mails is active now.
(Screenshot)

After download I submitted it to Virustotal.
Some results:
AVG I-Worm/Nuwar.L
BitDefender Trojan.Peed.ITU
F-Prot: W32/Zhelatin.D.gen!Eldorado
Kaspersky Email-Worm.Win32.Zhelatin.tr

The malware wasn't detected by Symantec, Nod32, Mcafee, Avast and some others.
All the VT-results you can find here ~Screenshot link removed per Policy....Bubba~


Now it's time for the next analysis

Thanks for all your help and PM's.

Regards

 

Curious, in that 'withlove.exe' was first seen on Jan 16.
Is this malware morphing into variants or are some top-shelf AVs missing something?

 

Most ITW variants of Nuwar/Zhelatin have next to zero detection by file scanners. Signatures are too slow and heuristics are bypassed by server-side polymorphism and the custom packers.
The next time you see a Nuwar sample in someone's inbox, think that the AVs in those mail servers were blind at that time.