Not content to settle for all the new bot's they got for Christmas, the RBN would like to wish you a Happy New Year as well with hxxp://uhavepostcard.com/happy2008.exe.
New hash, 5bb3606d36019142507043f30401c5d2, same malware as that we received when we fell for the Christmas strip show they offered us ;-).
Again, it copies itself to C:\WINDOWS as disnisa.exe, writes the same registry keys and config file, and follows the same network attributes as mentioned in previous post, but better AV coverage now that this variant's been around for a few days:
AntiVir - Worm/Zhelatin.ob
Authentium - W32/StormWorm.P
BitDefender - Trojan.Peed.IRE
CAT-QuickHeal - (Suspicious) - DNAScan
DrWeb - Trojan.Packed.263
eSafe - Suspicious File
eTrust-Vet - Win32/Sintun.AT
F-Prot - W32/StormWorm.P
F-Secure - Packed.Win32.Tibs.gu
Kaspersky - Packed.Win32.Tibs.gu
Microsoft - Trojan:Win32/Tibs.gen!ldr
Prevx1 - Stormy:Worm-All Variants
Symantec - Trojan.Peacomm.D
Webwasher-Gateway - Worm.Zhelatin.ob
I was further intrigued by the name they chose for the .exe, in particular, disnisa. Appears it was or is the name of a wine and spirits import company in Nicaragua, importers of Heineken, Chivas Reagal, Cuervo, Concha y Toro, and Moet & Chandon. Is there correlation given the time of year? Who knows.
Happy New Years from disnisa. Drink the product (responsibly), but don't open the ecard. ;-)