Just when you were wondering what the Storm worm authors could come up with next after using a 4th of July theme as bait for their last spam run, Nuwar has now resorted to a war theme. The authors have cleverly chosen to exploit the escalating political tensions in the Middle East between Iran and the United States over Iran’s threat to attack Israel in response to any military action on its nuclear facilities. Some of the subjects observed in today’s spam are:
The beginning of The World War III
US Army crossed Iran’s borders
US Army invaded Iran
US soldiers occupied Iran
USA attacked Iran
USA declares war on Iran
USA unleashed war on Iran
War between USA & Iran
This is not the first time Nuwar has used a war theme. Incidentally, McAfee christened the Storm worm as “Nuwar” because it used the sensational war theme “Nuclear WAR in USA!” when it first appeared. Since then the authors of Nuwar have used and re-used morbid and shocking themes religiously with every new spam run. These themes sometimes get repeated when that time of the year approaches and this one is no different. War themes have been seen in previous Storm worm campaigns dating back to Nov 2006 & Apr 2007.

Unsuspecting users who follow the link in the spammed email are directed to a Storm bait page hosting a video that purportedly shows the first minutes of the beginning of World War III. Clicking the video, however, downloads “iran_occupation.exe”. A user who instead clicks through to the advertised Patriots and Veterans Programs ends up downloading “Form.exe”. Both files are detected as W32/Nuwar@MM with McAfee’s latest beta dats.
The Storm bait pages are currently being hosted on the following fast-flux domains.
dailydotnews[.]com
dotdailynews[.]com
morenewsonline[.]com
newsworldnow[.]com
statenewsworld[.]com
The above mentioned domain names have been sanitized in the blog and readers are strongly advised not to attempt to visit them as they host a cocktail of exploits that attempt to infect a visiting machine. This information is being provided for administrators to take proactive measures and block access to the rogue domains.
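For administrators who want to act on the indicators in this post, here is an added example (not McAfee’s code and not part of the original post) of a small mail-triage script. It takes the subject lines, the defanged fast-flux domains and the two payload file names quoted above, refangs the domains, and flags any message whose subject matches the campaign or whose body links to one of the Storm domains (or a subdomain of one) or names one of the dropped executables. The two sample messages are constructed for the demo; the sender and recipient addresses are placeholders.

```python
import email
import re
from email import policy

# Indicators quoted from the post above. The post prints the domains defanged
# with "[.]"; refang() restores the real form so URLs in mail bodies match.
STORM_DOMAINS_DEFANGED = [
    "dailydotnews[.]com",
    "dotdailynews[.]com",
    "morenewsonline[.]com",
    "newsworldnow[.]com",
    "statenewsworld[.]com",
]
STORM_SUBJECTS = {
    "the beginning of the world war iii",
    "us army crossed iran's borders",
    "us army invaded iran",
    "us soldiers occupied iran",
    "usa attacked iran",
    "usa declares war on iran",
    "usa unleashed war on iran",
    "war between usa & iran",
}
STORM_PAYLOADS = {"iran_occupation.exe", "form.exe"}


def refang(domain: str) -> str:
    """Turn a defanged domain such as 'example[.]com' into 'example.com'."""
    return domain.replace("[.]", ".").lower()


STORM_DOMAINS = {refang(d) for d in STORM_DOMAINS_DEFANGED}

# Host part of any http(s) URL; adequate for plain-text and simple HTML bodies.
URL_HOST_RE = re.compile(r"https?://([^\s/\"'<>]+)", re.IGNORECASE)
# Any bare reference to a Windows executable by file name.
EXE_NAME_RE = re.compile(r"([\w-]+\.exe)\b", re.IGNORECASE)


def normalize_subject(subject: str) -> str:
    """Fold case and map the typographic apostrophe used in the post to a plain one."""
    return subject.strip().lower().replace("\u2019", "'")


def normalize_host(host: str) -> str:
    """Strip userinfo and port from a URL authority, leaving the lower-cased host."""
    return host.split("@")[-1].split(":")[0].lower()


def host_matches(host: str) -> bool:
    """True if host is one of the Storm domains or a subdomain of one."""
    host = normalize_host(host)
    return host in STORM_DOMAINS or any(host.endswith("." + d) for d in STORM_DOMAINS)


def classify_message(raw_message: str) -> dict:
    """Return the Storm/Nuwar indicators found in one RFC 2822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = normalize_subject(msg["Subject"] or "")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""

    hits = {
        "subject": subject in STORM_SUBJECTS,
        "domains": sorted({normalize_host(h) for h in URL_HOST_RE.findall(text) if host_matches(h)}),
        "payloads": sorted({n.lower() for n in EXE_NAME_RE.findall(text) if n.lower() in STORM_PAYLOADS}),
    }
    hits["is_storm"] = hits["subject"] or bool(hits["domains"]) or bool(hits["payloads"])
    return hits


# Constructed sample messages: the first mimics the campaign, the second is
# ordinary mail that must not be flagged. Addresses are placeholders.
SAMPLE_STORM = """\
From: news@example.invalid
To: user@example.invalid
Subject: USA declares war on Iran
Content-Type: text/plain; charset="us-ascii"

Watch the first minutes of World War III:
http://newsworldnow.com/iran_occupation.exe
"""

SAMPLE_BENIGN = """\
From: alice@example.invalid
To: bob@example.invalid
Subject: Lunch on Friday?
Content-Type: text/plain; charset="us-ascii"

Thinking of the usual place, see http://www.example.com/menu
"""

if __name__ == "__main__":
    for name, raw in (("storm", SAMPLE_STORM), ("benign", SAMPLE_BENIGN)):
        print(name, classify_message(raw))
```

The subject check is an exact match after normalization because Storm runs reuse a fixed list of subjects; the domain check, by contrast, also matches subdomains, since fast-flux hosts are routinely served under varying labels of the same registered domain. Feeding a mail gateway’s quarantine log through `classify_message` gives a quick count of how many of these lures reached the organisation before the domains were blocked.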
