Lately, a malware newcomer has been getting all the attention, with claims that Srizbi may have assembled the world's largest botnet. However, the Storm worm is still out there, and predictions of Independence Day spam sent by the Storm worm have proven correct.
The Storm worm spams use a variety of key phrases:
- Stars and Strips[sic] forever
- Light up the sky
- Happy Independence Day
- Celebrating the Glory of our Nation
- Celebrate Independence
- Amazing firework 2008
- American Independence Day
- Home of the Brave
- Fabulous Independence Day firework
and so on. These key phrases are used to provide a random subject line and message body. The payload is a URL (in dotted-IP notation) to a compromised host. Visiting the URL displays a picture of a movie player with an exploding firework, and a message telling you to 'click on the video and run it'. Clicking the image causes an executable containing the Storm worm malware to be downloaded.
In short, it's the usual Storm pattern. Many modern mail programs will actually warn users against visiting sites given in dotted-IP notation, but it seems that the Storm worm operators consider it worth giving a try anyway. Storm worm has always capitalized on interest surrounding current events, so it's not surprising that they'd take the opportunity offered by the 4th of July to gather a few more recruits.
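The two traits described above (a subject or body built from the listed key phrases, and a payload link whose host is a bare dotted-quad IP) are enough for a simple mail-gateway triage rule. The following is an added example, not code from the original post; the phrases are the ones listed above, and the sample messages and IP addresses are constructed for illustration.

```python
import re
from typing import Dict, List

# Key phrases the post lists for the Storm worm's Independence Day spam run.
STORM_PHRASES = [
    "stars and strips forever",
    "light up the sky",
    "happy independence day",
    "celebrating the glory of our nation",
    "celebrate independence",
    "amazing firework 2008",
    "american independence day",
    "home of the brave",
    "fabulous independence day firework",
]

# A URL whose host is a dotted-quad IP (e.g. http://203.0.113.7/) rather than a hostname.
_OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
DOTTED_IP_URL = re.compile(
    r"https?://(" + _OCTET + r"(?:\." + _OCTET + r"){3})(?::\d+)?(?:/\S*)?",
    re.IGNORECASE,
)


def matched_phrases(text: str) -> List[str]:
    """Return the Storm key phrases present in the text, case-insensitively."""
    lowered = text.lower()
    return [p for p in STORM_PHRASES if p in lowered]


def dotted_ip_urls(text: str) -> List[str]:
    """Return the IP hosts of every http(s) URL written in dotted-IP notation."""
    return [m.group(1) for m in DOTTED_IP_URL.finditer(text)]


def triage(subject: str, body: str) -> Dict[str, object]:
    """Flag a message only when a Storm key phrase and a bare-IP URL occur together."""
    text = subject + "\n" + body
    phrases = matched_phrases(text)
    ips = dotted_ip_urls(text)
    return {"phrases": phrases, "ip_hosts": ips, "suspicious": bool(phrases) and bool(ips)}


if __name__ == "__main__":
    # Constructed sample: a Storm-style lure with a link to a bare IP (documentation range).
    print(triage("Light up the sky", "Celebrate Independence! http://203.0.113.7/"))
```

Requiring both signals keeps a legitimate holiday greeting from being flagged on wording alone, while a bare-IP link without the phrases can be routed to a separate, weaker rule.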