Researchers at CA report that the latest iteration of the malware is “bundled and distributed by Trojan downloader along with Win32/FakeAV or rogue antivirus malware.” The new version of the worm is sending out “massive” amounts of spam e-mail, including spam related to “adult dating,” celebrity news and bogus online pharmacies.
“This Pecoan variant communicates to the spambot server via HTTP POST command; the server then responds with the command and data that is used for its spam e-mail messages,” noted CA Research Engineer Ricardo Robielos III.
The Honeynet Project published an analysis of the code here.
Storm was first detected in 2007 and went on to build one of the Web’s most successful botnets. Storm’s influence waned in 2008, however, after the shutdown of rogue ISP Atrivo (Intercage). In addition, an update to Microsoft’s Windows Malicious Software Removal Tool is estimated to have helped clean the malware from nearly 275,000 Windows PCs.
According to CA, the main purpose of the malware — which the company detects as Win32/Pecoan.AG — is to send spam, and it gathers targeted recipients by scanning the system and harvesting target e-mail addresses from files with any of the file extensions listed on this page here.