Friday, August 31, 2007

Brewing up a Storm - the next wave

Looks like everyone's favourite group, "The Russian Business Network", has changed their mail tactic again in the last hour. Yesterday the NUWAR worm (Peacomm, Storm, etc.) was attempting to convince users to install a file called setup.exe, which was apparently a Beta version of an application (see yesterday's post).

Today they are back to video.exe, this time associating it with celebrities such as Beyonce, Fergie, and others I've never heard of like Heuy, Lil Mama and Chris Brown.

Subject: this video is not out yet
Body:
Heuy just filmed their new video.

Be the first to see it. Paste this address in your browser for the video: http://XX.XX.XX.XX/

The giveaways this time are the words "just filmed their new video", which appear to be pretty constant. Note that the file video.exe is exactly the same as the version from yesterday, so it should be caught by AV.

So remember folks Beyonce has not actually decided to show you a video of herself before the rest of the world sees it. In fact she's most likely never heard of you. Oh well, we can always live in hope :)


Wednesday, August 29, 2007

Apple Bit Off More Than They Can Chew?

Apple may have won the first battle, but Nokia is set to win the war. It was only a matter of time before Nokia went head to head with Apple's killer product. Looking forward to this already.

http://noknok.tv/news/nokias-iphone-killer-worlds-first-pics/


Latest Version of NUWAR undergoes "BETA Testing"

Also posted to Trend Micro Trendlabs

There is a new wave of the now infamous NUWAR (Storm) worm doing the rounds. This time the mail attempts to convince users to download a program that is currently undergoing Beta Testing. In return the helpful victim receives their own Free Edition (lucky them) and anything from 5 years to a lifetime of free updates.

Oh... and their computer joins a massive P2P botnet and starts generating massive amounts of spam to help spread the worm. Still, no BETA software comes without the odd bug.

Here are two samples of the mail (filtered for safety):

From: [REMOVED]
To: [REMOVED]
Subject: We need you

Please give us a hand with our new software development Investment
Developer

This beta testing will help prepare us for market release. For helping
out, you will receive a free edition and 5 years of updates.

Simply download the software. Try it out for one week. Email us what you
think of it. If you want to participate, just follow the link to our
download site: http://71.233.XXX.XXX/setup.exe

and

From: [REMOVED]
To: [REMOVED]
Subject: Can you help us out?

Would you consider helping us with your opinion of our new program
Investment Developer

This beta testing will enable us to fine tune the software for public
release. All beta testers will receive a free copy of the final version
and free updates for life.

Just download the program, Check it out, and let us know your opinion.
Ready to be a beta tester? Just follow the link to our easy download
center: hxxp://61.73.XXX.XXX/setup.exe

The keywords to look out for to avoid this threat are "Beta Testing" and "setup.exe". Interestingly, if you visit the actual URL that setup.exe is being hosted on, it still displays the last generation of YouTube-related attacks. Looks like the Storm crew are getting sloppy.
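As an added example (not code from the original posts), here is a small Python mail filter that checks a message for the giveaways described in the two Storm posts above: the lure phrases ("just filmed their new video", "Beta Testing") combined with a download link whose host is a bare IP address. The sample mails and the 192.0.2.x addresses are constructed stand-ins for the masked XX/XXX octets in the posts.

```python
import re
from email import message_from_string

# Giveaway phrases the posts above call out for the two NUWAR/Storm waves
STORM_PHRASES = ("just filmed their new video", "beta testing")
# Executable names the waves push; any other filename is just reported as-is
STORM_EXES = ("setup.exe", "video.exe")
# A URL whose host is a bare IPv4 address; accepts the defanged hxxp:// form too
RAW_IP_URL = re.compile(
    r"\bh(?:tt|xx)ps?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(/[^\s\"'<>]*)?",
    re.IGNORECASE,
)

def classify_mail(raw: str) -> dict:
    """Score one plain-text message (subject + body) against the Storm lures."""
    msg = message_from_string(raw)
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    lowered = text.lower()

    phrases = [p for p in STORM_PHRASES if p in lowered]
    urls = [f"{ip}{path or '/'}" for ip, path in RAW_IP_URL.findall(text)]
    exes = sorted({u.rsplit("/", 1)[-1].lower() for u in urls
                   if u.rsplit("/", 1)[-1].lower() in STORM_EXES})

    if phrases and urls:
        verdict = "storm"          # lure wording plus a raw-IP download link
    elif phrases or urls:
        verdict = "suspicious"     # one indicator alone: queue for review
    else:
        verdict = "clean"
    return {"verdict": verdict, "phrases": phrases, "urls": urls, "exes": exes}

# Constructed samples modelled on the quoted mails; 192.0.2.x (documentation range) replaces the masked octets
BETA_MAIL = """Subject: Can you help us out?

Would you consider helping us with your opinion of our new program
Investment Developer. This beta testing will enable us to fine tune it.
Just follow the link to our easy download center: hxxp://192.0.2.10/setup.exe
"""

VIDEO_MAIL = """Subject: this video is not out yet

Beyonce just filmed their new video.
Be the first to see it. Paste this address in your browser: http://192.0.2.20/
"""

if __name__ == "__main__":
    for sample in (BETA_MAIL, VIDEO_MAIL):
        print(classify_mail(sample))
```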
