The gang behind Storm missed Easter but they were not going to miss two opportunities in a row! We are witnessing a new Storm campaign around the theme of April Fool's day. Electronic mails are being sent with titles like "Happy April Fool's Day.".The body of the message contains a small sentence and a link. The link points to a page that looks like the following screen shot.
The file that is downloaded automatically is called funny.exe. Upon execution, it will copy itself to the Windows folder with the name aromis.exe. ESET Antivirus detects this malicious file as Nuwar.CG. Nuwar also creates a file called aromis.config which contains the peer-to-peer network configuration file. This version contains the coordinates of 271 other peers that are contacted by newly infected hosts to join the botnet.
It is interesting to note that this version of Nuwar doesn't use any rootkit technology and have stopped using kernel mode drivers. These behavior changes are clearly aimed at reducing detection rate by security solutions.
Pierre-Marc Bureau
Researcher