by Colm McGoldrick
December 28, 2007

Another Storm Wishing You a Happy New Year!

In keeping with form, the gang responsible for the Storm Worm (and its many variants) has been releasing updates timed to the New Year holiday coming up next Tuesday (they also released some Christmas joy on Christmas Eve for those who wanted early “presents”).
They’ve been changing the domains linked to in the email that directs you to the malware download. So far we have seen:

happycards2008.com

newyearcards2008.com

happynewyearcards2008.com

uhavepostcard.com

All of the above sites are currently active except for happynewyearcards2008.com, which appears to be offline.

If the link in the email is clicked, it takes you to a site that tells you your download will begin shortly (it is actually scanning your PC for vulnerabilities to exploit) and that, if your download doesn’t start, you should click to download the file manually. When that link is clicked the malware is downloaded, so people end up infecting themselves. This is akin to other Storm Worm variants, which operated in a similar fashion.

The name of the downloaded file is changing as well. Currently the file is happynewyear2008.exe, but previous variants have downloaded happy2008.exe, happy-2008.exe, and happynewyear.exe.
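To check web proxy logs for the domains and file names listed above, here is an added example (not part of the original post) that matches hosts label by label, so subdomains are caught and look-alike hosts that merely contain a listed name are not. The log layout, the function names and the sample lines are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit
import posixpath

# Indicators taken from the post above.
STORM_DOMAINS = {"happycards2008.com", "newyearcards2008.com",
                 "happynewyearcards2008.com", "uhavepostcard.com"}
STORM_FILES = {"happynewyear2008.exe", "happy2008.exe",
               "happy-2008.exe", "happynewyear.exe"}

def host_matches(host):
    """True if host is a listed domain or a subdomain of one (label-wise)."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in STORM_DOMAINS for i in range(len(labels)))

def classify(url):
    """Return the set of reasons a requested URL matches the post's indicators."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    reasons = set()
    if parts.hostname and host_matches(parts.hostname):
        reasons.add("domain")
    # Compare only the last path segment, case-insensitively, ignoring the query.
    if posixpath.basename(parts.path).lower() in STORM_FILES:
        reasons.add("filename")
    return reasons

def scan(log_lines):
    """Return (client, url, reasons) for each matching line.

    Assumed log layout (constructed for this example): 'timestamp client method url'.
    """
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines
        reasons = classify(fields[3])
        if reasons:
            hits.append((fields[1], fields[3], sorted(reasons)))
    return hits

# Constructed sample proxy log lines, not real traffic.
SAMPLE_LOG = [
    "2007-12-28T09:01:11 10.0.0.5 GET http://uhavepostcard.com/",
    "2007-12-28T09:01:15 10.0.0.5 GET http://uhavepostcard.com/happynewyear2008.exe",
    "2007-12-28T09:02:40 10.0.0.9 GET http://WWW.HappyCards2008.com/index.html",
    "2007-12-28T09:03:02 10.0.0.7 GET http://mirror.example.org/Happy-2008.EXE?x=1",
    "2007-12-28T09:04:00 10.0.0.8 GET http://nothappycards2008.com.example.org/",
]
```

A client that shows both a "domain" hit and a "filename" hit has fetched the executable, not just the landing page, and is the one to prioritise for inspection.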