As was recently disclosed, the Warezov operation is largely to blame for the massive increase in spam amounts. Warezov-infected machines download additional components which, after a variable delay, start sending out spam messages. All of these spams (as far as we've seen) are pharmaceuticals spams, advertising Viagra, Vialis, Valium, and Xanax clones.
You can make the connection between the virus and the spam just by looking at the domain names used by the Warezov gang for both the virus component download and for the hosting of the fake Viagra sites.
Warezov is spread by spamming slightly modified versions of the downloader component. This is modified by the spammers as soon as major antiviruses add detection for that particular component. We believe the Warezov gang is using services such as Virustotal or Jotti to monitor the reactions of the antivirus industry.
Once the downloader is executed on a computer, it connects to a download URL. A typical URL would be, for example:
www6.vedasetionkderun.com/819/nt.exe
or
yuhadefunjinsa.com/chr/grw/lt.exe
Over the last months, we've seen a major increase in spams like the one below:
They link to fake Viagra sites like these:
When we look at the whois information of these domains, we see that not only do these domains have similar sounding names but we can also categorize them to just three different groups: domains registered to "Wang Pang", "Dima Li" or "Bai Ming".
And when comparing the domain names used in the virus to domains shown in the spam messages, we can see that they overlap, proving that these are all part of single operation:
The Warezov operation started in the middle of August 2006 and continues to this day.
Two more things:
1) No, we don't know if these domain names mean something in some language.
