For some hours now, we've been monitoring a new variant of the Storm worm, spreading through e-mails as an April Fool's Day e-card.
Same techniques, same distribution, same botnet as before. Why should they change something that's still working like a charm?
These are subjects and e-mail bodies used by the worm:
The e-mails contain a link to a web server from which the user can download the malware, named funny.exe, foolsday.exe or kickme.exe.
Once executed, the malware creates the file aromis.exe in the Windows directory, together with aromis.config in the same directory. The latter is the configuration file the malware uses to join and build up the botnet.
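As an added defensive check (not code from the original post), the following Python snippet looks for the two indicators the post names: mail links pointing at the download names, and the dropped files in the Windows directory. The regex, function names and the sample message are my own assumptions; only the file names come from the post.

```python
"""Indicator checks for the April Fool's e-card Storm variant described above."""
import os
import re
from urllib.parse import urlparse

# File names taken from the post: the download lures and the dropped files.
LURE_BINARIES = {"funny.exe", "foolsday.exe", "kickme.exe"}
DROPPED_FILES = {"aromis.exe", "aromis.config"}

# Simple URL matcher (assumption): stops at whitespace, angle brackets or quotes.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def suspicious_links(mail_body):
    """Return links whose URL path ends in one of the lure file names.

    Only the path component is compared, so query strings such as
    '?id=3' after the file name do not hide the match.
    """
    hits = []
    for url in URL_RE.findall(mail_body):
        name = os.path.basename(urlparse(url).path).lower()
        if name in LURE_BINARIES:
            hits.append(url)
    return hits


def find_dropped(file_names):
    """Given file names from a directory listing, return the dropped files present (sorted)."""
    present = {n.lower() for n in file_names}
    return sorted(DROPPED_FILES & present)


def scan_windows_dir(windir=None):
    """List the dropped files found in %WINDIR% (or a given directory, e.g. a mounted image)."""
    base = windir or os.environ.get("WINDIR", r"C:\Windows")
    return find_dropped(os.listdir(base))


# Constructed sample message; not a real e-mail from the campaign.
SAMPLE_MAIL = """April Fool's! Someone sent you an e-card.
View it here: http://203.0.113.7/foolsday.exe
Card gallery: http://203.0.113.7/card.html"""

if __name__ == "__main__":
    print(suspicious_links(SAMPLE_MAIL))
    print(scan_windows_dir())
```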
This time the gang behind the Storm worm isn't using any driver to hide the infection, so it is quite easy to detect and remove.
Prevx 2.0 customers have been protected against this infection since it began spreading, thanks to our behavior analyzer module, which proactively intercepted the infection.
History teaches us that we will probably see some code mutations of the malware over the next few days.


This is bad enough, but offensivecomputing.net is pwned as well?