Storm drops the dots

As mentioned yesterday, the Storm worm has been sending 4th of July-themed spam. I commented then that the worm gives itself away by using dotted-IP notation in the URLs it sends. It seems that the developers are aware of this weakness: the latest run of Storm worm spam uses actual domain names.

Some sample names include:

  • thefireworksjuly.com
  • yourfireworks.com
  • yourfireworksstore.com
  • worldbestfireworks.com
  • wholefireworksonline.com
  • dayfireworkssite.com
  • greatfireworkslaws.com
  • bellestarfireworks.com

The domains are apparently hosted on compromised PCs, although interestingly each is hosted only at a single IP, rather than being distributed across a botnet. Name service for the domains is through servers in the domain 'likethisone1.com', with up to six nameservers listed for each domain. Each nameserver is, once again, a compromised PC, typically a broadband PC in netspace owned by an American provider such as AT&T or Comcast.
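The two tells described so far (dotted-IP hosts in spam URLs, and a set of throwaway domains all delegated to nameservers under one third-party domain) are easy to turn into a mail-filter heuristic. The Python below is an added example written for this post, not code from the original; the spam lines and the nameserver table are constructed stand-ins for a mailbox sample and for live NS lookups, using the domain names and the 'likethisone1.com' nameserver domain the post reports.

```python
import re
import ipaddress
from urllib.parse import urlparse

# Constructed sample spam lines (not from the post). The fireworks domains
# are the ones the post lists; 192.0.2.45 is a documentation-range address.
SAMPLE_LINES = [
    "Celebrate the 4th! http://192.0.2.45/july.html",
    "Best fireworks show http://thefireworksjuly.com/",
    "Fireworks this year http://yourfireworks.com/index.html",
    "Happy July from http://dayfireworkssite.com/",
    "Meeting notes: https://intranet.example.org/notes",
]

# Constructed NS table standing in for live DNS lookups (hypothetical
# nameserver hostnames; the post only names the parent domain).
NS_TABLE = {
    "thefireworksjuly.com": ["ns1.likethisone1.com", "ns2.likethisone1.com"],
    "yourfireworks.com": ["ns1.likethisone1.com", "ns3.likethisone1.com"],
    "dayfireworkssite.com": ["ns2.likethisone1.com", "ns4.likethisone1.com"],
    "intranet.example.org": ["ns1.example.org", "ns2.example.org"],
}

URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def extract_hosts(lines):
    """Pull the host part out of every http(s) URL in the given lines."""
    hosts = []
    for line in lines:
        for url in URL_RE.findall(line):
            host = urlparse(url).hostname
            if host:
                hosts.append(host.lower())
    return hosts


def is_dotted_ip(host):
    """True when the URL host is a bare IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parent_domain(name):
    """Approximate the registrable domain as the last two labels
    (no public-suffix list; good enough for .com-style names)."""
    parts = name.rstrip(".").split(".")
    return ".".join(parts[-2:])


def ns_parent_domains(host, ns_table):
    """Set of parent domains of the host's nameservers."""
    return {parent_domain(ns) for ns in ns_table.get(host, [])}


def classify(lines, ns_table, min_cluster=2):
    """Label each host: 'dotted-ip-url', 'shared-ns:<domain>' when at least
    min_cluster hosts are delegated to nameservers under the same third-party
    domain, otherwise 'clean'."""
    hosts = extract_hosts(lines)
    findings = {}
    clusters = {}  # nameserver parent domain -> set of advertised hosts
    for h in hosts:
        if is_dotted_ip(h):
            findings[h] = "dotted-ip-url"
            continue
        for nsd in ns_parent_domains(h, ns_table):
            if nsd != parent_domain(h):  # ignore self-hosted DNS
                clusters.setdefault(nsd, set()).add(h)
    for nsd, members in clusters.items():
        if len(members) >= min_cluster:
            for h in members:
                findings[h] = f"shared-ns:{nsd}"
    for h in hosts:
        findings.setdefault(h, "clean")
    return findings


if __name__ == "__main__":
    for host, label in classify(SAMPLE_LINES, NS_TABLE).items():
        print(f"{host:28s} {label}")
```

Against the constructed sample, the bare-IP URL is flagged directly, the three fireworks domains are grouped by their common 'likethisone1.com' delegation, and the intranet host, whose nameservers sit in its own domain, is left alone. In production the NS table would come from real lookups, and a public-suffix list would replace the two-label approximation.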

The nameserver domain and the individual domains are registered through bizcn.com. Interestingly, WHOIS lookups for some of the domains return "No match for ...", rather than actual WHOIS information. Others show the registrant as one 'Lee Chung' of 'Nikei corp', with incomplete address information.

bizcn.com (Xiamen BizCn Computer & Network Co. Ltd) didn't make Knujon's list of the 10 worst registrars, and the useful spamtrackers.eu wiki reports that they act quickly to close down spam-advertised domains. However, it's unlikely that the Storm operators plan to keep these domains very long, so shutting them down will not cause them any great inconvenience.

Meanwhile, a second malware operation is using a less specific strategy, sending out messages offering 'Free antivirus'. Downloading and running the offered software will, of course, infect your machine. The distribution host, fineeyes.com, may be a legitimate host that has been compromised by the malware developers.
