Today we are celebrating Halloween, and malware authors want to be part of the fun. They love disguises, and they love zombies even more. To celebrate Halloween, the operators of the Storm Worm have launched a new e-mail campaign to lure users to their malicious pages and infect their systems with the latest variant of their creation. E-mails have been sent to tens of thousands of users with a link to a dancing skeleton application. If a user clicks on one of the malicious links, he is presented with a web page similar to the following.

The web page contains malicious JavaScript that tries to exploit security flaws in web browsers. The exploits are delivered through obfuscated JavaScript and vary depending on the client's browser. Successful exploitation downloads and runs a file called halloween.exe. If the victim is not running a vulnerable browser and clicks on the download link, he is presented with the same halloween.exe file. Storm's authors are also using their JavaScript to pass on their greetings to antivirus companies: the obfuscation routine contains insults aimed at a well-known Russian antivirus company.

Our antivirus detects the file called halloween.exe as the Win32/Nuwar.Gen worm, meaning that we have a generic signature to detect its variants. Even if this type of attack is detected and blocked by your security software, we strongly recommend never opening e-mails or following web links that are unsolicited or that come from an untrusted source.

Pierre-Marc Bureau
Researcher