iAntiVirus Blog

New update

2008-07-10T06:44:00.000-07:00

Hi everyone, there is a new database available so please run Smart Update if you haven't already.

This update includes two new detections (Trojan-PSW.OSX.Corpref.A and Exploit.OSX.ARDAgent) plus a variant of an existing threat.

Thanks for the feedback

2008-07-01T18:22:00.001-07:00

Hi everyone, just a quick note to thank you for the feedback you've been giving on the iAntiVirus forum!

Your comments are appreciated and we've taken some of your suggestions on board for the next build of iAntiVirus beta.

Stay tuned and keep the comments coming, updates will be announced here soon.

iAntiVirus in the press

2008-06-30T18:59:00.000-07:00

Hi everyone, iAntiVirus has been picked up by various news sources :)

Macworld, TechNewsWorld, bMighty.com, NetworkWorld.com, BetaNews

iAntiVirus public beta 2

2008-06-26T19:37:00.000-07:00

Hi everyone, we've recently released iAntiVirus beta 2!

Changes in this version:
1. Addresses a scan issue reported by 2 of our external beta testers.
2. Installer includes the latest virus definitions

You can update by downloading and installing the package from www.iantivirus.com, or by simply running Smart Update if you are already an iAntiVirus user:

1. Click the Smart Update icon on the top right of the iAntiVirus main window.
2. Click "Upgrade now" at the upgrade available prompt:

3. Wait for the upgrade to be downloaded:

4. Enter your password when prompted:

5. iAntiVirus will restart and you will be running the latest version currently available :)

Requesting comments

2008-06-24T20:35:00.000-07:00

The iAntiVirus beta was released recently and we are looking forward to everyone's comments!

Please leave any feedback you may have on the forum.

If you haven't already done so, download iAntiVirus v1.0b from the iAntiVirus website.

Tell us what you like, dislike and also what you would like to see in future versions!

Thanks

iAntiVirus update

2008-06-23T23:32:00.000-07:00

Hi everyone,

The iAntiVirus database has been updated to include a trojan which has been seen in the wild exploiting the Apple Remote Desktop vulnerability.

Please be sure to run Smart Update and get the latest protection!

Apple Guide In Securing Mac OS X

2008-06-16T21:00:00.000-07:00

Apple has released a comprehensive security configuration guide for users of Mac OS X v10.5 and later. [Download here]

The document is in PDF format and it contains more than 200 pages of detailed instructions and recommendations for Mac OS X "advance" users.

While most Mac users are complacent in securing their computer against online or digital threats, this intensive document under Advance Security Management advises Mac OS X users to install Antivirus Tools and Intrusion Detection Systems.

Definitely, Apple acknowledges the importance of hardening computers and in today's prevalent threats such as Zlob's DNSChanger for Mac, it is no doubt that these internet security tools will certainly help users in keeping their computer safe.

This is Methusela Cebrian Ferrer and I'm now signing off.

Stay Safe Online!

Critical: Mac OS X 10.5.3 and Security Update 2008-003

2008-06-01T17:32:00.000-07:00

Apple released its third security update for this year where it fixes 40 security vulnerabilities found in different components of Mac OS X operating system.

It was just two months ago when Apple released its gigantic update fixing over 90 vulnerabilities. That security fixes is still unbeatable compare to this month update.

Security Update 2008-03 addresses 16 critical vulnerabilities which may lead to arbitrary code execution.

This latest update affects the following:

AFP Server
Apache
Apple Pixlet Video
ATS
CFNetwork
CoreFoundation
CoreGraphics
CoreTypes
CUPS
Flash Player Plug-in
Help Viewer
iCal
International Components for Unicode
Image Capture
Image Capture
ImageIO
Kernel
LoginWindow
Mail
ruby
Single Sign-On
Wiki Server

Mac users can manually download the patch from Apple Downloads.

iAntiVirus Beta Release Coming Soon

2008-05-25T20:11:00.000-07:00

PC Tools will soon release iAntiVirus Beta version. This scanner has a powerful features that catches and removes known malwares in real-time. It also detects new threats in Mac OS X including keyloggers and hacktools.

With today's emerging threats, this product will definitely ensure your Mac remains safe and virus free.

Identity Theft And Your MSN Account

2008-05-11T20:59:00.000-07:00

There are more MSN fraudsters roaming around and this time they are serving twenty different languages.

Last February, I posted this topic "Your MSN Account Has Been 0WN3D".

These are phising sites that employs social engineering technique to lure MSN users in giving out their email address and password.

As an effect, the MSN stolen identity can remotely perform instant messaging and email spamming to all contacts as well as it can sneak your personal messages.

As of the moment, the following IP addresses and domain names are actively serving these MSN phising sites.

Be careful and stay away from these sites!

Fake YouTube Installs OS X TrojanDNSChanger

2008-04-30T22:17:00.000-07:00

".. I clicked on a normal-looking link to a BlogSpot blog. Instead of taking me to the blog it took me to a website that looks 100% identical to a YouTube page. Where a video would normally start playing it instead said "Video ActiveX Error" and a DMG entitled "1234" that was approximately 750kb automatically downloaded to my computer."

Question: How did you get that link ?

Answer: I found it on the wall of a Facebook group. [Read MacRumors Forum]

~~ooOOoo~~

TrojanDNSChanger for Mac is getting in the wild and it is desperately trying to get into users by using channels with wide or massive audience such as social networks.

This incident has been around for a week where a malicious link will redirect users to a Fake YouTube website and without user intervention it automatically download a DMG file, which is the Trojan DNSChanger for Mac.

**Take Note: The installer filename changes everyday.

The installer name usually displays: "MacVideo" or "Porn4Mac".

Although this trojan requires manual installation, it is still possible that some Mac users will get hooked to this trick.

Always be on the look-out for this type of dodgy websites.

Zero Day Exploit: Safari Address Bar URL Spoofing

2008-04-27T19:25:00.000-07:00

There is a zero day threat to all Safari users both in Windows and Mac, where a remote attacker can hide the actual URL address of the web page in the browser location bar. Let's see how this works ...

Since URL and web page spoofing is very common to phishing, I created this sample email with crafted URL on it.

I clicked the link and here's what I got in Safari 3.1 for Windows.

Here's the screenshot in Mac.

So, what happened here?

A security flaw was found in Safari, when you input a URL containing a special characters followed by "@" which indicates the actual hostname. The special characters was crafted long enough to hide the URL of the page.

As most of Safari users experience the spinning wheel of death, it is evident that there are multiple vulnerabilities that lies within this application.

Is there available security patch/fix ? None, at the moment. So, please refrain from clicking or browsing untrusted websites.

Juan Pablo Lopez Yacubian has recently discovered this vulnerability.

Apple Fixed The Piggybacking Issue In SU

2008-04-20T20:36:00.000-07:00

Couple of weeks ago, I blogged about this "Safari 3.1 Piggybacks In Sofware Update".

There was a series of reaction specifically those who understands information security, criticizing about Safari 3.1 piggybacking or stealth installation through Software Update.

Now, the interesting news is that Apple fixed this issue in Windows Apple Software Update version 2.1 [READ ZDNet]. I reckon earlier last week, the software update tool still includes Safari 3.1 in the list. However today, this is what i found out.

To manually update, click "Apple Software Update" from Windows Program menu.

Notice "Apple Software Update for Windows", this is an update to get the latest SU version 2.1.

Let's install and check it ...

Here's the new look. Apple fixed the issue by creating two sections: (1) Updates (2) New Software. It simply shows that Safari 3.1 is no longer piggybacking in software updates since it has its own category as New Software. Good!

But wait, how come the tick boxes were already filled-in by default?

Perhaps, this update is a complete conformity to information security if they also changed this default behavior to "NO".

Speaking of default behavior, the latest changes in RapidLibrary requires users to install Zango to access a free content but here's the catch... Click "OK" to cancel and "Cancel" to continue.

Funny, this is Psychology of Security [Reference: Bruce Schneier].

Q1 Mac Threats RoundUp

2008-04-15T21:03:00.000-07:00

The first quarter of this year has gone so fast but for Mac threats everything just started. Let's take a review on Q1 notable threats, the overall perspective on malware categories and OS X reported vulnerabilities and fixes.

Q1 Notable Threats

Trojan.OSX.DNSChanger

Description: This is a malicious Trojan that uses social engineering technique to entice users to manually install the program. It arrives to users as a disguised video codec and associates itself with shared and downloadable videos. During installation, this Trojan modifies users’ DNS IP address to point to its own malicious servers. Infected user will suddenly experience unusual results in its entire web browsing activity.

This trojan is currently seen in-the-wild.

RogueAntiSpyware.OSX.MacSweeper

Description: MacSweeper is a rogue application which uses deceptive sales and marketing techniques to get onto the users’ system. It usually arrives to users as an pop-up advertisements, where it redirect users to download the file.

This is the first rogue application for Mac OS X.

RogueAntiSpyware.OSX.Imunizator

Description: Imunizator is a re-branded version of MacSweeper. It is an exact copy of MacSweeper except for its new name.

Application.OSX.LogKext

Description: LogKext is a free and powerful kernel base Keylogger in Mac OS X. This keylogger has a full stealth capabilities and it is controlled by a command-line client called logKextClient. A new version was recently released in public.

Percentage per Malware Categories

OS X Vulnerabilities

How To Download DNSChanger DMG In Windows?

2008-04-06T01:33:00.000-07:00

Last December 27, I blogged about Trojan DNSChanger entitled "Mac OS X: 2007 Year Ender for Zlob", which I mentioned the following:

Zlob & Fake Codec History
List of Zlob distribution domains
Trojan DNSChanger checks whether the user is downloading in Windows or Mac.
Network Information that leads to Russian Business Network(RBN)

January 2, when I wrote a follow-up article entitled "Impersonating Mac Browser". This article explains how Trojan DNSChanger serves the right executable to the requesting user and how to impersonate Mac browser to download the right DMG file.

January 10, when I posted "Analysis of OSX Trojan DNS Changer".

Why I am discussing this again?

Because, there is an increase prevalence of this threat that captures more attention of malware analysts. Just recently, I received an email that says "New DNS Changer" with an attachment "jetcodec1000.dmg". But, unfortunately the DMG file was not properly downloaded, instead the file contains MZ header which means Windows executable.

Unfortunately, it was the same story posted in ISC Diary "When is a DMG file not a DMG file".

So, how to download DNSChanger DMG file in Windows?

When you visit any of Trojan DNSChanger websites, your browser sends a User-Agent information to the server, which contain details about your operating system, web browser you use, application version and language preference. Base from this information, the malicious server decides whether to serve PE file for Windows or DMG file for Mac.

This means that you cannot download the right file by simply modifying the URL. In this case, you need to impersonate by changing your User-Agent info to this value:

Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-us)

To perform this task, you can either use Wget for Windows or Malzilla.

Using Wget

Example,

[c:\] wget -U "Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-us)" http://jetcodec.com/download/jetcodec1000.dmg 

**Note: -U means user-agent

This site (jetcodec.com) is not available today. But there's another site that is up today and I can show you how this works.

Using Malzilla

I just created a YouTube account and started to upload demo videos, hopefully this week I can upload a video for this one.

Safari 3.1 Piggybacks In Sofware Update

2008-04-02T16:41:00.000-07:00

"Piggybacking is a method used to gain unauthorized access to the computer. This occurs when an authorize application allows another non-related or unauthorized application to pass through or get into user's system."

Couple of weeks ago while I was working in my infect machine, I got this alert message from Apple Software Update. I was a little bit busy so I just minimize the window. Last monday, I had the chance to check and read what it says. Surprisingly, I found Safari 3.1 in the list which I know I haven't installed any of its version. So, what's happening here ?

As shown in the figure above, the QuickTime program I installed checks for updates. Then, the server replied with the update information. However, it doesn't end there, the server exploited the communication to perform an unauthorized task, which is to offer Safari 3.1 installer.

This is completely unacceptable behavior and a breach to information security.

March OSX News Makers

2008-04-01T21:57:00.000-07:00

March 18 - Apple Released Its Gigantic Update.

Security Update 2008-002 fixes 95 security vulnerabilities found in different components of Mac OS X operating system.
Safari 3.1 fixes 13 security vulnerabilities found in Safari for Mac (10) and Windows (3).

March 20 - "iMunizator" The 2nd Rogue In Mac

iMunizator a rebranded version of MacSweeper.
It was first seen in Apple Discussions web site, where someone asked this question "What is iMunizator?"
Difference between the two:

iMunizatorSetup.dmg file size is 1.49Mb while MacSweeper 1.52Mb.

iMunizator company is iMunizator.com while MacSweeper is KiVVi Software.

iMunizator executable file size is 407,036 bytes while MacSweeper 407,468 bytes.

iMunizator resource folder does not contain TODO.txt.

If Last time, MacSweeper is sharing NS server with Cleanator (a known rogue program in windows) this time iMunizator.com neighbor is AntiSpywaredeluxe.com [67.205.72.9] which is also a rogue program in Windows. iMunizator.com network information below:

March 27 - Mac OS X Hacked in 2 Minutes Read [CNET News]

CanSecWest PWN2OWN 2008 contest targets Linux, Vista and OSX.

VAIO VGN-TZ37CN running Ubuntu 7.10

Fujitsu U810 running Vista Ultimate SP1

MacBook Air running OSX 10.5.2

March 26 (1st Day) when the contest started. However, nobody was able to hacked any of these three operating systems in a limited resources and confined local network connection.
March 27 (2nd Day) when the attackers were given internet connection.
March 28 (3rd Day) when the attackers were allowed to use popular software to exploit.
The results are as follows:

On the 2nd day, Mac OS X was successfully hacked in 2 minutes using a zero-day exploit in Safari.

On the 3rd day, Vista was successfully hacked after 7 hours using zero-day exploit in Adobe Flash.

Linux stays intact and won against hackers.

iAntivirus Protects Your Mac

2008-03-18T20:22:00.000-07:00

PC Tools will soon release iAntivirus security software for Mac users. The product displays a Mac-like simplicity and elegance, yet with powerful features that catches and removes known malwares in real-time.

Internet Downloads

A good example here is Trojan DNSChanger. This threat has been in the internet for more than four months now and it's continually eluding security analyst by changing its domain names, IP addresses and ways in delivering this trojan to mac users.

iAntivirus on-guard catches this threat in real time.

Files Through Messengers

Let say someone you know or close to you sent you a file through messenger. Without your knowledge, the file is a Backdoor server component which the sender wishes you to install so that the client component which is on the attacker side could perform unauthorized task to your machine. Here's the impressive real time catch of iAntivirus.

Files In Your USB Flash Drive

In our daily computing activities, USB flash or portable drives plays important role in storing, exchanging and transferring files. You often get out of control when too much files are stored and worst if one day you are dragging malicious files to your local hard drive.

Running Process

Perhaps, a keylogger running in background.

Are you excited to have a copy of this?

Then drop your email address and we will notify you once iAntivirus beta version is available.

Should Safari Join The Rat Race?

2008-03-10T16:29:00.000-07:00

Few weeks ago, PayPal published a frequently asked question guide about "Safer Web Browsers". The news maker part is this:

Which browser have anti-phishing features?
- Microsoft Internet Explorer 7 or later
- Mozilla Firefox 2 or later
- Opera 9.1 or later

Yes, this is true Safari 3.1 is not capable of detecting phishing site and this is where PayPal is most worried about - because they are always targeted by phishers.

Notice the two screenshots above, obviously Safari does not recognize anything while Firefox displays an alert message.

Base from last year report, Anti-Phishing Working Group receives an average of 25,000 new phishing sites per month and 91.7% of this attacks are related to Financial Services.

This is the reason why we will be seeing more security features integrating to web browsers just like Internet Explorer 8 Beta 1 - which was released last week. There are two significant security features in this version:

Safety Filter - It prevents known malicious sites from loading. However, this feature does not work in my testing. Perhaps, they are still working on it.

Domain Name Highlighting - As shown in the example below, the real domain name is not citibank.com instead it is 8martofftoday.org. Absolutely, a phishing site! This feature is also available in Mozilla plug-in "Locationbar&sup2".

Mozilla Firefox 3 Beta 1 was previously announced and this version provides more security features including "Malware Protection", "Anti-virus Integration" and "One-click site info". Check the full release notes here.

The continuous proliferation of threats in the internet has escalated user's security awareness. And this, factors into users' expectation that softwares and application should provide security features. Beating up threats is just like a rat race and whether this is users' problem or not, the trend is now pressuring Safari to blend in.

Cookies A Threat To Your Privacy

2008-03-05T20:10:00.001-08:00

Do you wonder what is cookie all about and how it threatens your privacy ? Let's take a deeper look.

A cookie is a text string of information that is sent by a website to your web browser and stores it to your hard disk so that the website will remember who you are.

Figure 1.0 shows how web browser request the web page to the server and how cookie is carried in the communication.

Cookie by itself is just a piece of information and not a program code. It is not capable of harming user's computer, and they cannot act as a virus or worms. Cookies are created and used to allow server to store and retrieve state information. However, this small text file is rich in information, which may include your IP address, user name, email address, password, preferred language, shopping cart items and any strings that can be linked to your identity.

==========
Privacy Issue
==========
There's a privacy issue if the cookie is stored in users' computer without his/her knowledge or consent and this also includes affiliates or third-party cookies.
Figure 2.0 shows how a third-party ad server tracks users' browsing habits and preferences to deliver a personalize advertisements.

This privacy issue has been addressed through legislation by different countries such as Europe and US. Their position is to allow cookies provided that there is a privacy policy informing users that the website is serving cookies, how it is being served, how it is being used and how people can refuse or accept it.

Here's a good example of privacy policy statement:

http://www.bbc.co.uk/privacy/
http://www.doleta.gov/privacy.cfm

Also, this privacy issue has been discussed in RFC2965 - HTTP State Management Mechanism.

6. PRIVACY

Informed consent should guide the design of systems that use cookies. A user should be able to find out how a web site plans to use information in a cookies and should be able to choose whether or not those policies are acceptable. Both the user agent and the origin server mus assist informed consent.

So, what does it mean ? This means, websites that serves cookies without informed consent violates users' privacy.

==============
Security & Privacy
==============

CLEAR TEXT

The cookie header and content are readable or in clear text format. Any sensitive or identifiable information is vulnerable and exposed to threats whether it is a malware, packet sniffers, cookie hijackers or another user of that pc.

Check your cookies and see how much personal information are stored.

Here's how to check it :

Safari Users
- Go to Preferences and click Show Cookies.

Mozilla Firefox Users
- Go to Tools, Option and Show Cookies.

IE Users
- Go to Tools, Internet Options, General tab
- In Browsing History click Settings, View Files.

PERSISTENT

Persistent cookies does not expire soon enough even after the user ended the session. Thus, the website can build information or profile your browsing activity and preferences over time.

COOKIE POISONING

Cookie poisoning simply means performing unauthorized modification of the values stored inside the cookie. This can be easily done using tools and information available from the internet. Most websites stores persistent, non-secure cookies while some are secured but still there are web site that employs poor encryption that could be easily decoded.

A good example is performing tampering attack to a shopping cart to change the total shopping value to a huge discount.

THREATS

Worms - Mass-mailing worms such as NetSky and Lohack is capable to search and harvest email address to all .TXT files and this includes users' cookies.

Trojan - Banking related trojans are usually capable of stealing users' cookies.

Backdoor - There are backdoor that steals cookies associated to ebay, paypal and banks.

Exploit - This is usually employed using cross site scripting exploit, where a malicious user injects a code to a legitimate vulnerable website. So, all visitors of that website will get redirected where a malicious cookie stealer script awaits.

A malicious user could use the stolen cookies to impersonate or steal user's identity online.

Phishers - URL links that are spammed through emails, blogs, messengers and forums may also link to a malicious cookie stealer sites.

=======
Summary
=======

Cookie is just a small piece of information but if it contains your identity, it is something that you should care about. Stealing information usually happens in background, it means without your knowledge. Cookies are harmless by itself, but the threats that surrounds it are out there in-the-wild. Malicious and exploited sites are everywhere and your cookies is always at risk.

For safety, everytime you input information online whether you are checking your email, doing net banking or shopping, you should always check your cookies and delete them together with your browsing history. There are available tools online that can help you perform this task as well.

Get informed and stay safe!

Your MSN Account Has Been 0WN3D

2008-02-25T14:54:00.000-08:00

"Social Engineering is a technique used to manipulate people into performing actions or divulging confidential information by gaining trust. It attempts to gain access to sensitive data such as password, login names and worst - credit card numbers. This method is very easy and high success rate - No wonder it is very popular and often used by hackers."

Do you want to know who's blocking you in MSN?

Whoblocksyou.com can figure out for you! Just visit the site, enter your MSN account and password, then you will get the list.

It certainly looks and sounds real, BUT IT'S NOT!

This site is a scam luring MSN users to provide their login credentials, then after that, it will take control over their account.

Once the user entered his/her login credentials, a message box will be displayed claiming that "..users' privacy is 100% guaranteed". However, users' email address and password are sent over the network in clear text form. So, where's the privacy here?

The disclaimer also mentioned that "we do not save your password..." but once you logged in to your MSN messenger account, you'll find some changes to your display name and personal messages.

Even if you tried to fix this changes, it will keep on returning everytime you sign-in. This is absolutely annoying! Not only that, your friends will see this embarrassing changes as shown in the screenshot below.

If this can happen to your messenger, what more to your email account? Obviously, your MSN account has been 0WN3D. Beware of this trick!

MySpace Spammers Are Back

2008-02-20T15:03:00.000-08:00

What is Crowdguard.com ? This is the question asked by MySpace user after getting a message from a friend telling her to visit this site.

You need to login your MySpace email address and password to view your pictures. For some people this site seems harmless, but behind this page the objective is to lure people in giving out their Myspace credentials.

Once you give your login credentials, a cgi script will take these informations to a remote server.

And, this message box will pop-up.

To make the story short, the user will not be able to see any pictures - because there's none. This site is phising for your login details so a remote attacker could use it and send spam bulletins or messages to your MySpace friends. It also generates web traffics for all visited sites.

Similar to Crowdguard is Stalkertrack.com. This site promises for free tracking tool that will let you track or "stalk" all profiles that visits your Myspace page.

Once you entered your MySpace login details, this spammer will start using it to spam your friends.

Not only that, your email address and password are sent to multiple IP addresses in clear text form.

**Note: IP address may change.

Do you wonder how many spams were already created in Myspace?

There are 4 million generated post relating to StalkerTrack and this number will keep increasing if more and more vulnerable MySpace users will get deceived by this trick.

Stay away from these sites!

Malware Retailer Update: Dear Partner

2008-02-19T14:37:00.000-08:00

The news ...

Dear Partner,

We have three great new for you - first we updated our loader, it now not visible for AV and from now we'll update exe few times per week - so it always stay invisible so keep updated!

Another one - now we have referral module ready - you can refer webmasters and earn 10% from their revenue! You can find links in your account area.

And main news - we've rewrite installs counting module - now we have much better conversation - much more money for you - just try and see.

Here is updated loader link for you: http://69.64.51.47/files/loaders2/adx.exe

Sure you always can use not crypted exe and crypt by yourself, here is your link for NON encrypted exe: http://69.64.51.47/files/loaders-nc/adx.exe

Thank you for your trust!

Let's keep up good work!

AV scanners result ...

This business is a "one stop shop" of malwares, where victims will definitely get a bunch of different threats including Trojan DNSChanger for Mac users.

The $$ business continuous!

Cross Platform Joke

2008-02-17T19:48:00.000-08:00

Do you know what is a Joke Programs ?

Joke programs is designed to frighten or embarrass a user -- creating a virus like symptoms and causes interruption to people's work. This is the reason why most security software detects it.

This programs are not malwares and definitely poses no threat to computers. They could be in different file format such as executable binaries like .EXE, office documents like .PPT and web-base. Most known joke programs are limited to Windows OS, but with the spurring popularity of Mac, cross-platform is now a consideration.

~~o~~

Last week in yahoo group somebody asked this question, "Can you access this site http://www.internetisseriousbusiness.com ?" Few minutes later, people started to send their replies and one member said "This is the worst thing I've done".

So, what happened?

Once you visited the site, it will resize your browser window to 640x480 and it will start moving to every corner of your computer screen while playing a music video "Never Gonna Give You Up" by Rick Astley.

The annoying thing about this website is that it does not allow user to change the url link or close the window and everytime the user attempt to do so, it will display a message box with the song lyrics on it. So, the only way out is to manually terminate the process of your browser. How does that sound to you?

Inspecting the source code of the page, you will see that it does not contain any malicious code that poses threat to its users. Instead, it is just an annoying web-base cross platform joke!

Here is the source code of the page.

Furthermore, searching in Google using the keyword "We're no strangers to love by Rick" you will find the first result links to another page http://smouch.net/lol that does exactly the same.

Stay away from these sites!

Happy Valentine's Day From Storm Worm

2008-02-13T15:52:00.000-08:00

Storm Worm has been waiting for this day. It's been spamming about Valentine's Day since early January with email subjects "Falling In Love with You", "Heavenly Love", "Sent with Love", "You're the One", "Our Love Will Last", "A Toast My Love", "Our Love is Strong" and "Your Love Has Opened" .

The email content will always have a url link that points to a malicious website that displays a red heart.

However this week, Storm Worm delivers eight different images for this awaited occasion.

A vulnerable user clicking an IP-based website from the spammed email will certainly experience Storm Valentine's Day greetings with a downloading executable "valentine.exe". This executable is a high risk mass-mailing worm currently affecting Windows platform.

This threat does not affect Mac OS X users but definitely a piece of junk that will stay in the download folder.

Stay safe online!