
July 22, 2008
A new spammed wave of Storm e-mails was discovered on July 21, 2008. The Storm worm authors have changed their social engineering theme in this new wave, and the e-mail arrives with the following subjects:
They have also reverted to their old format of using IP addresses instead of fast-flux domains in the URL spammed via e-mail. The spammed e-mail looks like the one below:
The user will see the following page when he or she clicks on the link in the e-mail:
The North American Currency Union does not exist, and the new Storm social engineering campaign may be using it because of the recent economic slowdown. The web page also contains a hidden iframe pointing to a script named ind.php, which contains drive-by exploits. SonicWALL blocks this script file with the GAV: PackTibs.O (Trojan) signature. This signature has triggered 2,794 times since it was created on June 22, 2008.
If the user clicks on the icon on the page, it will prompt the user to download the file amero.exe, which is the new variant of the Storm worm.
It also drops the following files on the system:
C:\WINDOWS\glok+serv.config
C:\WINDOWS\glok+40bc-761f.sys
It also creates a new service for glok+40bc-761f.sys and starts it.
SonicWALL detects this new variant with the GAV: Zhelatin.ZI (Worm) signature.
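The following PowerShell hunt is an added example, not code from the SonicWALL post: it checks a Windows host for the two dropped files named above and for any service or kernel driver whose binary path references the dropped .sys file. It assumes the dropped files live directly in C:\WINDOWS with "glok+" as a filename prefix (as the post's paths read) and that the service name, which the post does not give, can be found by matching on the driver path instead.

```powershell
# Added example (not from the SonicWALL post). Hunts for artefacts of the
# Storm (Zhelatin.ZI) variant described above. Assumption: "glok+" is a
# filename prefix under C:\WINDOWS, not a sub-directory.
$indicatorFiles = @(
    'C:\WINDOWS\glok+serv.config',
    'C:\WINDOWS\glok+40bc-761f.sys'
)

$findings = @()

# 1. Dropped files. -LiteralPath avoids any wildcard interpretation of the name.
foreach ($path in $indicatorFiles) {
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        $findings += [pscustomobject]@{
            Type   = 'File'
            Name   = $path
            Detail = '{0} bytes, modified {1}' -f $item.Length, $item.LastWriteTime
        }
    }
}

# 2. The service created for the driver. The post does not name it, so match on
#    the binary path. A .sys driver shows up in Win32_SystemDriver; a user-mode
#    wrapper service would show up in Win32_Service, so both are checked.
$driverPattern = '*glok+40bc-761f.sys*'
$services = @(Get-CimInstance -ClassName Win32_SystemDriver) +
            @(Get-CimInstance -ClassName Win32_Service)
foreach ($svc in $services) {
    if ($svc.PathName -like $driverPattern) {
        $findings += [pscustomobject]@{
            Type   = 'Service'
            Name   = $svc.Name
            Detail = 'State={0}, StartMode={1}, Path={2}' -f $svc.State, $svc.StartMode, $svc.PathName
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Storm/Zhelatin.ZI artefacts found.'
} else {
    Write-Warning ('{0} Storm/Zhelatin.ZI artefact(s) found; isolate the host and collect the files below before remediation.' -f $findings.Count)
    $findings | Format-Table -AutoSize
}
```

Run it in an elevated PowerShell session so that Get-Item can read the driver's metadata and the CIM queries return every service.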
