Storm / Zhelatin Analysis
By Thomas GAYET, Wednesday 22 August 2007 at 13:48 :: General :: #171
As some readers asked for it, here is the English version of our previous post about the Storm worm.
Since July, we have been seeing several mutations of the Zhelatin/Storm worm (the names F-Secure gave the worm and the gang behind it). The latest one arrives as an e-mail announcing your registration on a Web site (chat, MP3, job search, etc.):

If you follow the link, you reach a malicious Web page that asks you to download, this time, your "Secure Login Applet":

Of course it is malware, and at the time of writing this post the binary is detected by only 6 of the 15 antivirus solutions tested (Note: this is now better). But have a look at the Web page source:

Decoding it and running it quickly (thanks to caffeine-monkey) yields this:

This appears to be exploit code for an old Microsoft Windows Media Player vulnerability (Ref. Lexsi 6652): "Microsoft Media Player Plug-in with Non-Microsoft Internet Browsers Code Execution Vulnerability" (CAN-2006-0005).
The first part following the second unescape() call is the payload. A quick analysis:

The malware loads the "urlmon.dll" library.

Then it downloads a new file ("file.exe") from the infected Web site using a "urlmon.dll" function and writes it to disk as "C:\U.exe".

Finally, it executes the downloaded file.
The dropper is detected by 2 of the 15 antivirus solutions (Note: this is now better). (Note: IP addresses and long strings have been removed or cut.)
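As an added example (not code from the original post or from Lexsi), here is a small Python decoder that reverses the JavaScript unescape() packing these pages use and pulls out the readable strings, so the library and file names described above can be confirmed without executing the page. The sample string is constructed for this example and contains only those strings, not the real payload.

```python
import re
import string

# JavaScript escape sequences: %uXXXX (a UTF-16 code unit) or %XX (one byte).
_ESC = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")

# Printable ASCII minus control whitespace, as the `strings` tool treats it.
_PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def decode_js_unescape(s: str) -> bytes:
    """Reverse JavaScript unescape(): %uXXXX becomes the 16-bit code unit in
    little-endian order (how shellcode is packed in these pages), %XX one
    byte, and any other character its Latin-1 byte."""
    out, pos = bytearray(), 0
    for m in _ESC.finditer(s):
        out.extend(s[pos:m.start()].encode("latin-1"))
        if m.group(1):
            out.extend(int(m.group(1), 16).to_bytes(2, "little"))
        else:
            out.append(int(m.group(2), 16))
        pos = m.end()
    out.extend(s[pos:].encode("latin-1"))
    return bytes(out)


def encode_js_unescape(data: bytes) -> str:
    """Inverse of decode_js_unescape using %u escapes only (NUL-pads odd length)."""
    if len(data) % 2:
        data += b"\x00"
    return "".join("%%u%04x" % int.from_bytes(data[i:i + 2], "little")
                   for i in range(0, len(data), 2))


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Pull printable ASCII runs of at least min_len bytes out of decoded data."""
    found, run = [], bytearray()
    for b in data + b"\x00":  # the trailing NUL flushes the last run
        if b in _PRINTABLE:
            run.append(b)
        else:
            if len(run) >= min_len:
                found.append(run.decode("ascii"))
            run = bytearray()
    return found


# Constructed sample, NOT the page's real payload: only the strings the post
# describes, packed the way the exploit page packs its second unescape() argument.
SAMPLE = encode_js_unescape(b"urlmon.dll\x00file.exe\x00C:\\U.exe\x00")

if __name__ == "__main__":
    print(extract_strings(decode_js_unescape(SAMPLE)))
```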