Beware April Fool’s Day mail, banking trojans, says F-Secure

A number of fake Storm emails have been blasted out enticing recipientswith phony April Fool's Day messages, according to a blog post onF-Secure's site.

At press time, the site was saying that no exploit code had yet been detected, but was urging users to be wary of clicking through on unsolicited email.

"Well, this was to be expected," Mikko H. Hyppönen, chief research officer, F-Secure Corporation, told on Monday night. "The Storm gang has been operating for a year and they frequently use holidays and celebrations as a theme for their drive-by-download sites."

Johannes Ullrich, chief research officer for the SANS Institute, in an email to, points out that there isn't much new about this version of the Storm worm.

"Like other Storm worm versions, it doesn't actually exploit any technical vulnerability. Users have to click on it and install the attachment. The sad thing is that it again shows how anti-virus fails its users," he says.

[UPDATE] Patrik Runald, security response manager at F-Secure, in an email to, updated us on today's Storm activity.

"The mails are still coming in at a steady rate and the file on the Storm sites keep on changing about every 45 minutes or so, this to avoid signature-based detection. I expect this to go on for a few more days and then slowly stop. Advice to users would be to not visit those sites. Better yet, don't visit any sites where the link points to an IP address is a good idea as that often is a sign of bad things."

Additionally and perhaps more important, F-Secure is reporting today on its blog that it has detected a form of banking trojan that it refers to as "something quite unique."

Detected from a drive-by-download site, the company has added detection for it as Win32.Pril.A.

The trojan infects the master boot record (MBR) of users' machines, but, more insidious, reflashes the boot code in the Flash BIOS, which causes problems in disinfecting the hard drive.

"Once an infected machine is online, the trojan monitors the users actions, waiting for him to go to one of several hundred online banks, located all over the world," the blog post states. "Once the user has logged on, the banking trojan uses PCMCIA to inject code into the VGA! As an end result, the trojan creates a man-in-the-browser attack against the victim."

However, F-Secure expresses surprise at what the malware then proceeds to do. Instead of attempting to withdraw money from a user account, it deposits money into the account.
Still, web users should remain wary, despite the fact that the company takes the exceptional step of listing the URL of the drive-by-download site.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.