Storm worm anniversary brings fresh variants

A year after the first Storm worm attack, security companies have warned of more variants being sent out in spam

The anniversary week of the first Storm worm attack has brought warnings of more Storm variants being sent out in spam.

The attacks are using variants of malicious code known as Troj/Dorf-AP by Sophos and Trojan.Peacomm.D by Symantec.

Sophos researchers believe the spam run is an attempt to dupe users into downloading backdoor code, which will then download further malicious code from the internet.

The social-engineering technique attempts to trick users into clicking on a link in a "Valentine's Day" email, according to a Sophos blog post.

"The body of the email contains a link to an IP-address based website, which is actually one of the many compromised PCs in the Storm botnet," said Sophos. "The website displays a large red heart, while installing malware onto the vistors' PC."

Symantec researcher Hon Lau said that a spam run attempting to exploit St Valentine's Day was perhaps premature.

"I don't know about you, but I feel that this campaign has started a little bit too early," wrote Hon in a blog post. "Maybe the Peacomm creators feel that they need a head start this time, since they started a bit late on their Christmas 2007 campaign. After all they don't want to miss the boat when it comes to gathering more bots for their network."

The original Storm worm code, so named because the first spam run coincided with a severe winter storm in Europe, will reach its first anniversary on 19 January.