Saturday, March 28, 2009

New Variants of the Storm Worm invade on Valentine’s Day

On Valentine’s Day (February 14th) 2009, a massive outbreak of the Storm Worm flooded the internet with millions of spam emails containing links to malicious websites which, when visited, infect a user’s computer with the Storm Worm. Although the Storm Worm was first discovered on January 17th, 2007, it has had a remarkably long life because of the incredible number of variants it has (over 50,000). This time was no different, as new variants of the Storm Worm were released into the wild through malicious web sites.
The following is part of a spam email sent by the Storm Worm:

Subject: A Valentine card for you!
From: “Neddie”
Date: Sat, February 14, 2009 5:36 am

Neddie wants to show you an electronic greeting card and wrote to you:
“I Just Called To Say I Love You”

It is waiting for you at our card site, go ahead and see it:
http://oehee.valentinesupersite.com/?cardid=a36c434555dc7c289e165ea050
The greeting card will be stored for you for 14 days.


If a user clicks on the link in the email, they are brought to a web site that either directly downloads the malware onto their computer or prompts the user to download the malware disguised as an electronic Valentine’s Day card. The file is aptly named “lovekit.exe” or “postcard.exe” so that the user will not become too suspicious. Once running, the malware makes the following changes to the Windows registry so that it is started automatically each time the system boots:

  • HKLM\software\Microsoft\Windows\CurrentVersion\Run:promoreg=[location of the malware]
  • HKCU\software\Microsoft\Windows\CurrentVersion:MyID
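As an added example that is not part of the original post, the Python check below parses a `reg export` of the two keys above and flags the `promoreg` Run value and `MyID` marker the post describes, plus any Run entry that launches a binary from outside Program Files or Windows. The sample export, its file paths and the benign entry are constructed placeholders, not captured data.

```python
import re

# Constructed sample of a "reg export" of the two keys the post names; the
# file paths and the benign entry are placeholders, not captured data.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorUpdater"="C:\\Program Files\\ExampleVendor\\updater.exe"
"promoreg"="C:\\Users\\victim\\AppData\\Local\\Temp\\postcard.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
"MyID"=dword:0000012c
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
# Indicators taken from the post (value names) and the two key paths, lowercased.
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
CU_KEY = r"hkey_current_user\software\microsoft\windows\currentversion"
STORM_RUN_VALUE = "promoreg"
STORM_MARKER_VALUE = "myid"
TRUSTED_DIRS = (r"c:\program files", r"c:\windows")

def parse_reg_export(text: str) -> dict:
    """Parse the .reg subset 'reg export' emits into {key_lower: {name: data}}."""
    keys: dict = {}
    current = None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := KEY_RE.match(line):
            current = m.group(1).lower()          # registry paths are case-insensitive
            keys[current] = {}
        elif (m := VALUE_RE.match(line)) and current is not None:
            name, data = m.groups()
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")   # undo .reg string escaping
            keys[current][name] = data
    return keys

def find_storm_persistence(reg: dict) -> list:
    """Flag the Run value and HKCU marker named in the post, plus Run entries outside system dirs."""
    findings = []
    for name, path in reg.get(RUN_KEY, {}).items():
        if name.lower() == STORM_RUN_VALUE:
            findings.append(f"Run value '{name}' matches Storm indicator: {path}")
        elif not path.lower().startswith(TRUSTED_DIRS):
            findings.append(f"Run value '{name}' launches from untrusted dir: {path}")
    if any(n.lower() == STORM_MARKER_VALUE for n in reg.get(CU_KEY, {})):
        findings.append("Marker value 'MyID' present under HKCU ...\\CurrentVersion")
    return findings
```

On a live host, feed the output of `reg export` for the two keys into `parse_reg_export` instead of the constructed sample.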

Because the variants were previously unseen, most signature-based Anti-Virus products were not able to detect the worm as of February 16th, 2009, two days after the new variants were released (see Picture 1). This underscores the difficulty traditional signature-based AV vendors face:


As the picture shows, a large majority of the Anti-Virus products were not able to detect these new Storm Worm variants more than 48 hours after the initial worm was reported in the wild.
