New Amero Storm Wave (July 22, 2008)

By

July 22, 2008

A new spammed wave of Storm e-mails was discovered on July 21, 2008. The Storm worm authors have changed their social engineering theme in this wave, and the e-mail arrives with the following subjects:

  • Amero – the secret currency
  • Amero arrives
  • Amero currency Union is now the reality
  • Amero is not a myth
  • AMERO to replace Dollar
  • Bye bye dollar, hello amero
  • Collapse of the Dollar
  • Death of the U.S. Dollar
  • Dollar is replacing by Amero
  • Dollar is replacing by new currency
  • Fall of the Dollar, beginning of AMERO
  • No dollars anymore
  • North American Union is the reality now
  • One Currency for Canada, U.S and Mexico – The Amero
  • Say Goodbye to the Dollar
  • The Amero is here
  • The Dollar disappeared
  • The new currency is coming
  • Welcome the Amero
  • You can forget about Dollars

They have also reverted to their old format of using IP addresses instead of fast-flux domains in the URLs spammed via e-mail. The spammed e-mail looks like the one below:
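The two traits described above, a known subject line and a link whose host is a bare IP address rather than a domain, are easy to check at the mail gateway. The following is an added example, not SonicWALL code and not part of the original advisory: it parses a raw message, normalises the subject against a subset of the list above (extend the set with the remaining subjects), and extracts every URL whose host parses as an IP literal. The sample message and its 192.0.2.10 address are constructed for the example.

```python
import re
from email import message_from_string
from ipaddress import ip_address

# A subset of the subject lines listed in the advisory; extend with the rest.
STORM_AMERO_SUBJECTS = {
    "amero arrives",
    "amero is not a myth",
    "bye bye dollar, hello amero",
    "collapse of the dollar",
    "say goodbye to the dollar",
    "the amero is here",
}

# Matches an http(s) URL and captures its host part separately.
URL_RE = re.compile(r"(https?://([^\s/:\"'<>]+)[^\s\"'<>]*)", re.IGNORECASE)


def normalise_subject(subject: str) -> str:
    """Collapse whitespace and case so minor spammer variations still match."""
    return " ".join(subject.split()).casefold()


def ip_literal_urls(text: str) -> list:
    """Return every URL in the text whose host is a bare IP address, not a domain."""
    hits = []
    for full_url, host in URL_RE.findall(text):
        try:
            ip_address(host.strip("[]"))  # raises ValueError for domain names
        except ValueError:
            continue
        hits.append(full_url)
    return hits


def message_text(msg) -> str:
    """Concatenate the text/plain and text/html parts of a parsed message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            chunks.append(payload.decode(charset, errors="replace"))
    return "\n".join(chunks)


def triage_message(raw_message: str) -> dict:
    """Score one raw RFC 822 message against the two traits from the advisory."""
    msg = message_from_string(raw_message)
    subject_hit = normalise_subject(msg.get("Subject", "")) in STORM_AMERO_SUBJECTS
    ip_urls = ip_literal_urls(message_text(msg))
    if subject_hit and ip_urls:
        verdict = "storm-amero-likely"
    elif subject_hit or ip_urls:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"subject_match": subject_hit, "ip_urls": ip_urls, "verdict": verdict}


# Constructed sample; 192.0.2.0/24 is documentation address space, not a real Storm host.
SAMPLE_MAIL = """\
From: sender@example.invalid
To: user@example.invalid
Subject: Bye bye dollar, hello amero
Content-Type: text/plain; charset=us-ascii

Breaking news: the Amero is here. Read the full story here
http://192.0.2.10/
"""

if __name__ == "__main__":
    print(triage_message(SAMPLE_MAIL))
```

A message that matches only one trait is reported as "suspicious" rather than dropped, since legitimate mail occasionally links to an IP address and the subject list alone is easy for a spammer to vary.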

screenshot

The user will see the following page when he or she clicks on the link in the e-mail:

screenshot

The North American Currency Union does not exist; the new Storm social engineering campaign may be trading on the idea because of the recent economic slowdown. The web page also contains a hidden iframe to a script named ind.php which contains drive-by exploits. SonicWALL blocks this script file with the GAV: PackTibs.O (Trojan) signature. This signature has triggered 2,794 times since it was created on June 22, 2008.
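A hidden iframe of the kind described above is something a proxy or web crawler can flag before any exploit content is rendered. The following is an added example, not part of the original advisory and not SonicWALL's detection logic: it collects every iframe in a page with the standard library parser, reports those made invisible by zero width/height or a hiding style, and marks whether the target file name is the one the advisory reports (ind.php). The landing page HTML is constructed for the example; the one visible iframe is included to show that ordinary embeds are not flagged.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Script name reported in the advisory as the drive-by iframe target.
KNOWN_DRIVEBY_NAMES = {"ind.php"}

ZERO_SIZE = re.compile(r"^\s*0+(px)?\s*$", re.IGNORECASE)
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:width|height)\s*:\s*0(?:px)?(?![\d.])",
    re.IGNORECASE,
)


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def hiding_reasons(attrs: dict) -> list:
    """Explain why an iframe would be invisible to the user, if it would be."""
    reasons = []
    for dim in ("width", "height"):
        if dim in attrs and ZERO_SIZE.match(attrs[dim]):
            reasons.append(f"{dim}={attrs[dim]!r}")
    style = attrs.get("style", "")
    if HIDDEN_STYLE.search(style):
        reasons.append(f"style={style!r}")
    return reasons


def find_hidden_iframes(html: str) -> list:
    """One finding per hidden iframe: its src, why it is hidden, and whether the
    target file name is one the advisory names."""
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for attrs in parser.iframes:
        reasons = hiding_reasons(attrs)
        if not reasons:
            continue
        src = attrs.get("src", "")
        name = urlsplit(src).path.rsplit("/", 1)[-1]
        findings.append(
            {"src": src, "reasons": reasons, "known_name": name in KNOWN_DRIVEBY_NAMES}
        )
    return findings


# Constructed landing page: visible story text plus an invisible frame pulling in ind.php.
SAMPLE_PAGE = """
<html><body>
<h1>Amero arrives</h1>
<p>Click the icon below to read the full story.</p>
<iframe src="/ind.php" width="0" height="0" style="display:none"></iframe>
<iframe src="https://video.example.invalid/embed" width="640" height="360"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_hidden_iframes(SAMPLE_PAGE):
        print(finding)
```

The file-name match is only a convenience for this campaign; the zero-size and hidden-style checks are what carry over to other drive-by pages, which rename the script freely.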

If the user clicks the icon on the page, it prompts to download the file amero.exe, which is the new variant of the Storm worm.

screenshot

It also drops the following files on the system:

  • C:\WINDOWS\glok+serv.config
  • C:\WINDOWS\glok+40bc-761f.sys

It also creates a new service for glok+40bc-761f.sys and starts it.
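The dropped files and the service that loads the driver are the host-side indicators a responder would sweep for. The following is an added example, not part of the original advisory and not SonicWALL's tooling: it checks for the two file paths above and for any service whose ImagePath references glok+40bc-761f.sys. On Windows it reads the service list from the registry; the file-existence and service inputs are injectable so the logic can be exercised elsewhere. The advisory does not name the service, so the service name in the sample inventory (glokdrv_example) and the inventory itself are constructed.

```python
import os

# Indicators from the advisory: the two dropped files and the driver the new service loads.
DROPPED_FILES = (
    r"C:\WINDOWS\glok+serv.config",
    r"C:\WINDOWS\glok+40bc-761f.sys",
)
DRIVER_NAME = "glok+40bc-761f.sys"


def present_files(paths=DROPPED_FILES, exists=os.path.exists):
    """Return the indicator paths that exist; `exists` is injectable for testing."""
    return [p for p in paths if exists(p)]


def services_loading_driver(services, driver_name=DRIVER_NAME):
    """services: iterable of (service_name, image_path) pairs. Returns the names
    whose ImagePath references the Storm driver, compared case-insensitively."""
    needle = driver_name.lower()
    return [name for name, image in services if needle in (image or "").lower()]


def collect_services_from_registry():
    """Windows only: (name, ImagePath) for every key under the Services hive."""
    import winreg  # not available on other platforms

    services = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as root:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(root, index)
            except OSError:  # no more subkeys
                break
            index += 1
            try:
                with winreg.OpenKey(root, name) as key:
                    image, _ = winreg.QueryValueEx(key, "ImagePath")
            except OSError:  # key has no ImagePath value
                image = ""
            services.append((name, str(image)))
    return services


def host_check(services, exists=os.path.exists) -> dict:
    """Combine both checks into one verdict for a host."""
    files = present_files(exists=exists)
    svcs = services_loading_driver(services)
    return {"files": files, "services": svcs, "infected": bool(files or svcs)}


# Constructed inventory standing in for a registry read; the service name is hypothetical.
SAMPLE_SERVICES = [
    ("Browser", r"%SystemRoot%\system32\svchost.exe -k netsvcs"),
    ("Tcpip", r"system32\DRIVERS\tcpip.sys"),
    ("glokdrv_example", r"C:\WINDOWS\glok+40bc-761f.sys"),
]
SAMPLE_FILES_PRESENT = {r"C:\WINDOWS\glok+40bc-761f.sys"}

if __name__ == "__main__":
    if os.name == "nt":
        print(host_check(collect_services_from_registry()))
    else:
        print(host_check(SAMPLE_SERVICES, exists=SAMPLE_FILES_PRESENT.__contains__))
```

The service match is done on the image path rather than the service name because the name is not reported in the advisory and is the easier of the two for a variant to change.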

SonicWALL detects this new variant with GAV: Zhelatin.ZI (Worm) signature.

screenshot
