
Merry Christmas Dude trojan still doing the rounds

Just like last year, some people are using the Christmas theme to try to wreak havoc on your machine. Chances are that you might have received -or will receive- a nasty surprise in your mailbox designed to trick you into installing a trojan.

Since the 24th and at the time of this writing we have received about a dozen messages containing what many people are referring to as the "Merry Christmas Dude" spam message - half a dozen of those, this morning. The senders and subject lines vary, but might include "Mrs. Clause is out tonight!", "Seasons Greetings", "Christmas Email", and "Ho Ho Hos".

The message doesn't contain any payload, but rather an invitation to click on a link which leads to the www.merrychristmasdude.com web page, showing pics of scantily clad women with a Christmas theme.

The folks at the Arbor Networks security response team have a detailed report on the payload delivered from the rogue site, and identified it as a variation of the "Storm worm". According to the firm, "An infected host will drop the file C:\WINDOWS\disnisa.exe and stores the peerlist in C:\WINDOWS\disnisa.config", then it opens a random pair of TCP/IP ports, lowers the Windows Firewall settings and "After that, the usual Storm worm mayhem begins."

The domain name leads to a long list of DNS IP addresses, but since last night, the web site appears intermittently unresponsive. That did not prevent the "merry Christmas, dude" e-mail from arriving in people's mailboxes during the 25th. A quick search showed us that while the domain name's contact and administrative information points towards Toronto, Canada, the Whois information is served by whois.nic.ru in Russia, indicating that a Russian domain registrar was apparently used.

Source: The Inquirer
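Because the lure carries no attachment and relies on the victim clicking a link, the practical place to catch it is the mail gateway log. The following triage script is an added example and is not code from the post, TechPowerUp or Arbor Networks; the log line format (`id=... from=... subject="..." body="..."`) and the sample messages are constructed for illustration, while the indicators (the merrychristmasdude.com domain and the four subject lines) are the ones the post lists. The domain check deliberately matches subdomains such as www.merrychristmasdude.com but not lookalike suffixes such as merrychristmasdude.com.example.org.

```python
"""Mail-gateway log triage for the "Merry Christmas Dude" lure.

Added example; the log format and sample lines below are constructed.
"""
import re
from urllib.parse import urlparse

# Indicators taken from the post: the lure domain and the reported subjects.
BLOCKED_DOMAINS = {"merrychristmasdude.com"}
LURE_SUBJECTS = {
    "mrs. clause is out tonight!",
    "seasons greetings",
    "christmas email",
    "ho ho hos",
}

# Assumed (constructed) gateway log format:
#   id=<msgid> from=<sender> subject="<subject>" body="<body text>"
LOG_RE = re.compile(
    r'^id=(?P<id>\S+) from=(?P<from>\S+) '
    r'subject="(?P<subject>[^"]*)" body="(?P<body>.*)"$'
)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def domain_is_blocked(host):
    """True if host is a blocked domain or any subdomain of one.

    Suffix matching is anchored on a leading dot, so a lookalike such as
    merrychristmasdude.com.example.org does not match.
    """
    host = host.lower().rstrip(".")
    for blocked in BLOCKED_DOMAINS:
        if host == blocked or host.endswith("." + blocked):
            return True
    return False


def extract_hosts(text):
    """Return the hostnames of every http(s) URL found in text."""
    hosts = []
    for match in URL_RE.finditer(text):
        host = urlparse(match.group(0)).hostname  # already lower-cased
        if host:
            hosts.append(host)
    return hosts


def classify(line):
    """Parse one log line; return (message id, list of reasons) or None."""
    match = LOG_RE.match(line)
    if not match:
        return None  # unparseable line: skipped, not silently flagged
    reasons = []
    if match["subject"].strip().lower() in LURE_SUBJECTS:
        reasons.append("lure-subject")
    for host in extract_hosts(match["body"]):
        if domain_is_blocked(host):
            reasons.append(f"blocked-domain:{host}")
    return match["id"], reasons


def triage(lines):
    """Map message id -> reasons for every line that matched an indicator."""
    hits = {}
    for line in lines:
        result = classify(line)
        if result and result[1]:
            hits[result[0]] = result[1]
    return hits


# Constructed sample log: one full lure, one benign mail, one subject-only
# match, one mixed-case link, and one lookalike domain that must not match.
SAMPLE_LOG = [
    'id=m1 from=santa@example.net subject="Ho Ho Hos" '
    'body="see this http://www.merrychristmasdude.com/ now"',
    'id=m2 from=hr@example.org subject="Holiday schedule" '
    'body="office closed, see http://intranet.example.org/holidays"',
    'id=m3 from=cards@example.com subject="Seasons Greetings" '
    'body="your card is at http://cards.example.com/"',
    'id=m4 from=pics@example.net subject="Photos" '
    'body="http://MerryChristmasDude.com/pics"',
    'id=m5 from=news@example.org subject="Newsletter" '
    'body="read http://merrychristmasdude.com.example.org/"',
]

if __name__ == "__main__":
    for msg_id, reasons in triage(SAMPLE_LOG).items():
        print(msg_id, ", ".join(reasons))
```

A subject-only hit (m3 above) is weaker evidence than a link to the lure domain, since the listed subjects are generic holiday greetings; a gateway rule would normally quarantine on the domain match and only score the subject match.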