Regardless of the laws in Russia, they can create their own acceptable use policies and anyone who registers a domain with them must agree to them. If distributing malware doesn't violate their corporate AUP, they are purposefully siding with the criminals. They've got enough pages of documents specifying how they are going to get paid, and it seems the only penalty even for false whois information is that they won't let you renew or transfer the domain.

And while we are fighting yesterday's domain name, "they" are already a step ahead: 'newyearcards2008.com' offering download file 'happynewyear2008.exe'.

Registrar: ANO REGIONAL NETWORK INFORMATION CENTER DBA RU-CENTER
Registered: 2007-12-26
Hosted again on countless hijacked machines all over the world.
Reported to MIRT.
Complaint sent to nic.ru by email & fax.

Botnet Scanner report

Scanned the fast-flux network of infected IPs used for the Storm New Years cards infection for 2 days.

IPs detected: 3715
IPs reported: 3715
Reports sent to ISPs: 600

ISPs with largest number of infections:

1. SBC Global (US) (Pacbell, Ameritech, SWBell etc)
2. Comcast (US)
3. RoadRunner (US)

New domain: newyearwithlove.com

Open letter to RU-CENTER [tld-ncc /@/ nic.ru]
( /postx211215-0-30.html)

According to your policy described at:
http://www.nic.ru/about/en/servpol.html#2.2

In reference to:
"2.1.1. User shall not perform any actions that may result in:
d) damage or the possibility of damage to any other User or any third party;"

I would like to ask you, in the name of the Internet Community to apply the following:
"2.3.1. RU-CENTER may apply the following sanctions to Users that violate the provisions of Subsection 2.1:
a) suspend or refuse the provision of any or all Services;
b) take steps to stop User from violating the Terms of Use."

to the following domains:

uhavepostcard.com
merrychristmasdude.com
happycards2008.com
newyearcards2008.com
newyearwithlove.com

and any other that you might be aware of, registered in the last days with the same method, characteristics [name/relation to new year] and/or data like the above ones.

Thank you for your cooperation.

The Russian CERT Center is also notified of the requirement to remove those domain names.

Whack a few more moles

To the tune of celebration. A very happy New Year
hxxp://familypostcards2008.com/


If it's of any use, here's the SpamCop.net URL for the spam.

h$$p://www.spamcop.net/sc?id=z1590044173z1933822cb8dbec0d9901468b4e3972aez

New one: freshcards2008[.com]

(oops -- duplicate)

I had been checking these daily variants with Virustotal and Jotti and posting the poorly detected one (all of them) on the unknown files forum, but their new sites won't let you do it without turning off noscripts. Since I know zilch about java, I haven't wanted to try that.

12 new domain names registered Dec 29 for Storm distribution are listed in the EU Spam Wiki
http://www.spamtrackers.eu/wiki/index.php?title=Storm#December_29

From spamhaus.org:

From Spamhaus.org:-> http://www.spamhaus.org/news.lasso?article=624

News from spamhaus.org on the Storm Worm Botnet:
http://www.spamhaus.org/news.lasso?article=624

See there: /f287-Complainterator.html

and more on Complainterator here http://weblog.complainterator.com/ and http://spamtrackers.eu/wiki/index.php?title=Complainterator
and http://www.complainterator.com/

For more informations on complainterator.com, see there:
http://www.aboutus.org/ComplaintErator.com
http://www.google.com/search?q=complainterator
http://www.siteadvisor.com/sites/complainterator.com

roberto78

One problem, as since last night I have been unable to connect to spamhaus, it keeps timing out and my tracert says the domain is still active, could this mean my ISP might harboring a DDoS bot the Storm Worm is using that is causing spamhaus to timeout my connection?

I can get Spamhaus fine right now, and it was okay last night for me, too. Comcast certainly has plenty of storm-infested computers on their network, and spamhaus is under pretty much perpetual DDoS from what I understand. But because Comcast has so many users on dynamic IP addresses, it's harder for DDoS targets to just block entire IP ranges as they are also blocking a lot of legitimate users. It's possible that the last time you logged on, you were assigned an IP address recently used by a bot. You could find out by trying a proxy, or disconnecting from the internet long enough to get a new IP address assigned. Also, I don't know the details of cable internet -- do other people in your neighborhood share the same IP address?

Or, you could be infected yourself.