What it is

You may have noticed greeting card invites in your inbox this last week, purported to be July 4^th greetings form people you don’t know, or other greeting cards with a variety of headings and formats.  The thing they all have in common is that the web address you go to on the greeting card is usually just an ip address looking something like:

http:///###.##.##.##/?[a long string of characters]

These greeting card invites are enticing you to go to a site which will take advantage of a windows/internet explorer vulnerability to install a Trojan program on your machine.  If you have up to date security patches for Windows XP and Internet Explorer, and you have an active up to date virus and spyware blocker you should not need to worry if you accidentally clicked on one of these. It is a good idea to scan your machine manually for threats however.

The Storm Trojan is also called Trojan.Peacomm – and has been around since January as an attachment email (an executable program attached to an email).  The program itself is not new, recently however there’s been a drastic uptick in the number of attempts to broadcast the software, and the method of installing it by the user visiting an infected website increases the danger of this particular application.

What to do

To avoid the problem never click on a greeting card link that doesn’t specifically list:

• The person sending the card – this should be someone you recognize
• The site the card is sending you to – this should not be an ip address (remember to hover over the name to see where it’s REALLY sending you vs. what it shows in the message), it should be the name of a legitimate card company (hallmark, blue mountain, etc.).
• Does not have any attachments – greeting cards are never sent as attachments by these companies – they’re always links to sites.

You should also of course have up to date antivirus/antispyware software on your machine and you should keep your patches up to date by visiting http://update.microsoft.com/ and be sure to load the new windows update if you have a “green button” inviting you to do so on this page.

If you did click on it you should update your security software and scan your machine for viruses, just in case.  The Storm Trojan allows a remote person to take over your machine and use it either directly or as part of a botnet to attack other machines.

Further references

Storm Trojan uses July 4^th greeting message: http://www.theregister.co.uk/2007/07/04/july_4_storm_trojan/

Symantec threat warning: http://www.symantec.com/outbreak/storm_trojan.html

Trojan Peacomm: building a peer to peer botnet: http://www.symantec.com/enterprise/security_response/weblog/2007/01/trojanpeacomm_building_a_peert.html

Cheers,