Merry Christmas Dude trojan still making the rounds

JUST LIKE last year, some people are using the Christmas theme to try to break havoc on your machine. Chances are that you might have received -or will receive- a nasty surprise into your mailbox designed to tricking you into installing a trojan.

Since the 24th and at the time of this writing we have received about a dozen messages containing what many people are referring to as the "Merry Christmas Dude" spam message - half a dozen of those, this morning. The senders and subject lines vary, but might include "Mrs. Clause is out tonight!", "Seasons Greetings", "Christmas Email", and "Ho Ho Hos".

The message doesn't contain any payload, but rather an invitation to click on a link which leads to www.merrychristmasdude.com web page, showing pics of scantly clad women with a Christmas theme.

The folks at the ARBOR networks security response team have a detailed report on the payload delivered from the rogue site, and identified it as a variation of the "Storm worm". According to the firm, "An infected host will drop the file C:\WINDOWS\disnisa.exe and stores the peerlist in C:\WINDOWS\disnisa.config" then it opens a random pair of TCP/IP ports, lower the windows firewall settings and "After that, the usual Storm worm mayhem begins."

The domain name leads to a long list of DNS IP addresses, but since last night, the web site appears intermitently unresponsive. That did not prevent the "merry Christmas, dude" e-mail from arriving at people's mail boxes during the 25th. A quick research showed us that while the domain name's contact and administrative information points towards Toronto, Canada the Whois information is served by whois.nic.ru in Russia, indicating the Russian domain registrar was apparently used. µ