
By Robert Vamosi
Posted on ZDNet News: Apr 13, 2007 12:18:00 PM

A new variant of the Storm Worm (aka Snow Worm) is slamming into e-mail inboxes worldwide as an apparent patch or fix for a recent worm attack.

The latest variant appears to ride on the coattails of a worm that Trend Micro calls Nuwar.AOP. The Trojan part of this worm is known as Small (Kaspersky and Trend Micro), Downloader (McAfee), Peacomm (Symantec), and officially by the designation CME (Common Malware Enumeration) 711.

According to Ken Dunham of iDefense, this new variant includes anti-security measures to hinder analysis, and sends out copies of itself inside a password-protected ZIP file to evade anti-virus detection. Unfortunately, to further evade detection, the e-mails sent are randomized with different filenames, different passwords, and different binaries within the ZIP file.

According to one source, the subject lines include:

"Worm Alert!"
"Worm Detected"
"Virus Alert"
"ATTN!"
"Trojan Detected!"
"Worm Activity Detected!"
"Spyware Detected!"
"Virus Activity Detected!"

According to SANS Internet Storm Center, the zip files appear to be named:

"patch-(random 4 or 5 digit number).zip"
"bugfix-(random 4 or 5 digit number).zip"
"hotfix-(random 4 or 5 digit number).zip"
"removal-(random 4 or 5 digit number).zip"

Once executed, the new variant installs a rootkit on the infected system and communicates over a private peer-to-peer (P2P) network to update itself. This latest variation may be laying the groundwork for even more attacks in the near future, with future releases launched from machines that are already infected.
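Because the binaries and passwords change with every message, the stable indicators are the ones listed above: the subject lines, the attachment naming scheme, and the fact that the ZIP is encrypted. The following mail-filter check combines them; it is an added example, not code from the article or its sources, and the function names and sample messages are constructed for illustration.

```python
import io, re, struct, zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Indicators taken from the article's subject-line and attachment-name lists.
SUBJECTS = {"worm alert!", "worm detected", "virus alert", "attn!",
            "trojan detected!", "worm activity detected!",
            "spyware detected!", "virus activity detected!"}
ZIP_NAME = re.compile(r"^(patch|bugfix|hotfix|removal)-\d{4,5}\.zip$", re.I)

def zip_is_encrypted(data: bytes) -> bool:
    """True if the first ZIP local file header has the encryption flag (bit 0) set."""
    if len(data) < 8:
        return False
    sig, _version, flags = struct.unpack_from("<IHH", data, 0)
    return sig == 0x04034B50 and bool(flags & 0x1)

def score_message(raw: bytes) -> list[str]:
    """Return which of the article's indicators a raw RFC 822 message matches."""
    msg = message_from_bytes(raw)
    hits = []
    if (msg.get("Subject") or "").strip().lower() in SUBJECTS:
        hits.append("subject")
    for part in msg.walk():
        name = part.get_filename()
        if name and ZIP_NAME.match(name):
            hits.append("filename")
            # The scanner cannot open the archive, but it can see that it is encrypted.
            if zip_is_encrypted(part.get_payload(decode=True) or b""):
                hits.append("encrypted-zip")
    return hits

def build_sample(subject: str, filename: str, encrypted: bool) -> bytes:
    """Constructed test message; the ZIP holds harmless text, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed sample")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[6] |= 0x01  # set bit 0 of the general-purpose flags in the local header
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("body")
    msg.add_attachment(bytes(data), maintype="application", subtype="zip",
                       filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    print(score_message(build_sample("Worm Alert!", "patch-48213.zip", True)))
```

A message matching all three indicators is a strong candidate for quarantine; a single hit, such as the subject alone, is better treated as a signal to log than as a verdict.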

Additional Resources

Trend Micro: Nuwar.AOP

Mitre.org Common Malware Enumeration: CME-711

Quick facts

Name: Storm worm (also known as Small (Kaspersky and Trend Micro), Downloader (McAfee), Peacomm (Symantec))

Date first reported: 04/12/07

CME Number: CME-711

Software vulnerable: Microsoft Windows

What it does: Installs a rootkit and communicates updates via peer-to-peer connections

Recommendations: Avoid opening e-mail attachments without first scanning them for viruses.

Exploit code available: NA

Vendor patch available: NA

Virus rating: 6


  • Talkback
  • Most Recent of 40 Talkback(s)
Password???
You need a password to activate this worm? Anyone know the password? Did the cracker supply it in the e-mail message? Is that how it works?

Interested Amateur...
Posted by: interested_amateur@... Posted on: 04/16/07