It’s déjà vu all over again with the latest Nuwar campaign over the weekend offering belated Valentine e-cards. The malicious e-cards contain a URL to random blogspot.com pages sporting a love theme linking to the Storm executable. The bait pages by themselves do not contain any exploits and rely solely on end-user interaction to click and install the malware. The executables being offered are “love.exe” and “withlove.exe” - both being hosted on a fast-flux domain. A copy of the BlogSpot pages hosting storm is shown below.

Love-Themed Nuwar Page

This is not the first time BlogSpot.com has been abused to host malware laced pages. Zlob a.k.a Puper Trojan did that last year and also spam messages these days contain Google’s Blogger links to blogspot.com that do simple forwards to the spammer’s domain.

But why would the Nuwar gang launch a Valentine-themed campaign in April? Either the Storm authors are suffering from acute Valentine hangover or have their holiday calendar messed up! Especially since Easter passed off surprisingly quietly without a Storm :-)