The Storm botnet has been quiet since its last spam run during Halloween. But on Christmas Eve the Storm botnet started spreading Christmas-themed emails. The emails have similar content to previous Storm emails, with a short message and a link.
The link points to the following website, which advertises a strip show program. Clicking on the page will prompt the user to download stripshow.exe, which is the Storm bot.
At the time these emails were first being sent, stripshow.exe was detected by only six of the 32 antivirus engines on VirusTotal.
The day after Christmas the theme of the emails changed to New Year. The emails have subjects such as:
New year wishes for you
New year ecard
A fresh new year
Opportunities for the new year
Message for new year
We are still seeing these emails coming in.
Clicking the link will take you to the following page. The download does not start automatically, but clicking on the 'click here' link will prompt you to download happynewyear2008.exe, which is also the Storm bot.
These websites are hosted on a fast-flux network of computers that have already been compromised by the Storm bot, making it very hard for anyone to take down the domains.
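For defenders, fast-flux hosting shows up in passive DNS as a domain whose answers carry short TTLs and keep rotating through many addresses on unrelated networks. The sketch below is an added example, not part of the original post: the domain names, addresses (documentation ranges), thresholds and the use of /24 prefixes as a stand-in for network diversity are all assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of passive-DNS observations:
# (seconds since start, domain, TTL in seconds, A records in the answer)
OBSERVATIONS = [
    (0,   "ecard.example",  180,   ["192.0.2.10", "198.51.100.7", "203.0.113.44"]),
    (300, "ecard.example",  180,   ["198.51.100.91", "203.0.113.5", "192.0.2.77"]),
    (600, "ecard.example",  180,   ["203.0.113.200", "192.0.2.131", "198.51.100.18"]),
    # Low TTL alone is not enough: a small load-balanced pool on one network.
    (0,   "cdn.example",    60,    ["192.0.2.20", "192.0.2.21"]),
    (300, "cdn.example",    60,    ["192.0.2.21", "192.0.2.22"]),
    # Ordinary single-host site with a long TTL.
    (0,   "static.example", 86400, ["192.0.2.1"]),
    (600, "static.example", 86400, ["192.0.2.1"]),
]

def summarize(observations):
    """Collect distinct addresses, distinct /24 networks and TTLs per domain."""
    stats = defaultdict(lambda: {"ips": set(), "nets": set(), "ttls": []})
    for _ts, domain, ttl, addrs in observations:
        entry = stats[domain]
        entry["ttls"].append(ttl)
        for addr in addrs:
            ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
            entry["ips"].add(ip)
            # Assumption: /24 prefix as a cheap proxy for "different network";
            # a production check would map addresses to ASNs instead.
            entry["nets"].add(ipaddress.ip_network(f"{ip}/24", strict=False))
    return stats

def fast_flux_suspects(observations, min_ips=5, max_ttl=300, min_nets=3):
    """Return domains matching all three fast-flux traits (thresholds are assumed)."""
    suspects = []
    for domain, entry in summarize(observations).items():
        many_ips = len(entry["ips"]) >= min_ips
        short_ttl = max(entry["ttls"]) <= max_ttl
        spread_out = len(entry["nets"]) >= min_nets
        if many_ips and short_ttl and spread_out:
            suspects.append(domain)
    return sorted(suspects)

if __name__ == "__main__":
    for name in fast_flux_suspects(OBSERVATIONS):
        print("possible fast-flux domain:", name)
```

Requiring all three traits together keeps ordinary low-TTL load balancing from being flagged, which is why the constructed cdn.example entry is not reported.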