After a hiatus, the gang behind the Storm worm is attempting to exploit people's curiosity about a fictional love interest to tempt users into downloading the malware, according to security training organisation the Sans Institute.
Donald Smith, a security expert from the Sans Institute, warned on Tuesday that a Storm worm download site had been detected by security researcher "DavidF". A link that contained the site's IP address was being spammed out in emails, wrote Smith in a blog post.
He noted that spam is being sent with the message: "'Crazy in love with you' hxxp://22.214.171.124". Smith wrote: "I checked that site and could only find an index.html, lr.gif and loveyou.exe."
Smith said that index.html encourages visitors to run the "loveyou" executable by asking: "Who is loving you? Do you want to know? Just click here and choose either 'open' or 'run'." Loveyou.exe is a version of the Storm worm, also known as Trojan.Peacomm.D by Symantec and Troj/Dorf-AP by Sophos. Smith recommended IT professionals block the IP address until it gets "cleaned up".
The unknown gang behind the Storm botnet tried a similar technique in January in the run up to Valentine's Day. At the time, Sophos warned that the gang was using a social-engineering technique in an attempt to trick users into clicking on a link in a "Valentine's Day" email.
Storm worm attacks then dropped off, leading some security vendors to report that the influence of Storm worm was waning. However, in May, Symantec researchers warned they had identified a number of nascent Storm worm hosting domains using fast-flux techniques to mask their URLs.
The original Storm worm code, which appeared on 19 January, 2007, derived its name from the fact that the first spam linking to the malware coincided with a severe winter storm in Europe.