Tuesday, 20 December 2011
10th Dangerous Computer Virus- STORM WORM
The Storm Worm (dubbed so by the Finnish company F-Secure) is a backdoor[1][2] Trojan horse that affects computers using Microsoft operating systems,[3][4][5] discovered on January 17, 2007.[3] The worm is also known as:
Small.dam or Trojan-Downloader.Win32.Small.dam (F-Secure)
CME-711 (MITRE)
W32/Nuwar@MM and Downloader-BAI (specific variant) (McAfee)
Troj/Dorf and Mal/Dorf (Sophos)
Trojan.DL.Tibs.Gen!Pac13[3]
Trojan.Downloader-647
Trojan.Peacomm (Symantec)
TROJ_SMALL.EDW (Trend Micro)
Win32/Nuwar (ESET)
Win32/Nuwar.N@MM!CME-711 (Windows Live OneCare)
W32/Zhelatin (F-Secure and Kaspersky)
Trojan.Peed, Trojan.Tibs (BitDefender)
The Storm Worm began infecting thousands of (mostly private) computers in Europe and the United States on Friday, January 19, 2007, using an e-mail message with a subject line about a recent weather disaster, "230 dead as storm batters Europe".[6] During the weekend there were six subsequent waves of the attack.[7] As of January 22, 2007, the Storm Worm accounted for 8% of all malware infections globally.[8]
There is evidence, according to PCWorld, that the Storm Worm was of Russian origin, possibly traceable to the Russian Business Network.[9]
Ways of action
Originally propagated in messages about the European windstorm Kyrill, the Storm Worm has also been seen in emails with the following subjects:[10]
A killer at 11, he's free at 21 and kill again!
U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
British Muslims Genocide
Naked teens attack home director.
230 dead as storm batters Europe.
Re: Your text
Radical Muslim drinking enemies's blood.
Chinese/Russian missile shot down Russian/Chinese satellite/aircraft
Saddam Hussein safe and sound!
Saddam Hussein alive!
Venezuelan leader: "Let's the War beginning".
Fidel Castro dead.
If I Knew
FBI vs. Facebook
"During our tests we saw an infected machine sending a burst of almost 1,800 emails in a five-minute period and then it just stopped," said Amado Hidalgo, a researcher with Symantec's security response group.[11]
When an attachment is opened, the malware installs the wincom32 service, and injects a payload, passing on packets to destinations encoded within the malware itself. According to Symantec, it may also download and run the Trojan.Abwiz.F trojan, and the W32.Mixor.Q@mm worm.[10] The Trojan piggybacks on the spam with names such as "postcard.exe" and "Flash Postcard.exe," with more changes from the original wave as the attack mutates.[11] Some of the known names for the attachments include:[10]
Postcard.exe
ecard.exe
FullVideo.exe
Full Story.exe
Video.exe
Read More.exe
FullClip.exe
GreetingPostcard.exe
MoreHere.exe
FlashPostcard.exe
GreetingCard.exe
ClickHere.exe
ReadMore.exe
FullNews.exe
NflStatTracker.exe
ArcadeWorld.exe
ArcadeWorldGame.exe
Later, as F-Secure confirmed, the malware began spreading with subjects such as "Love birds" and "Touched by Love". These emails contain links to websites hosting some of the following files, which are confirmed to contain the virus:
with_love.exe
withlove.exe
love.exe
frommetoyou.exe
iheartyou.exe
fck2008.exe
fck2009.exe
According to Joe Stewart, director of malware research for SecureWorks, Storm remains amazingly resilient, in part because the Trojan horse it uses to infect systems changes its packing code every 10 minutes, and, once installed, the bot uses fast flux to change the IP addresses for its command and control servers.[12]
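Repacking the dropper every 10 minutes defeats hash-based antivirus signatures, and fast flux defeats blocklisting the command-and-control address, so defenders looked at the DNS behaviour instead: a fast-flux domain resolves to many different addresses in many different networks, each handed out with a short TTL. The heuristic below is an added example, not code from the page or from SecureWorks; the log format, the thresholds and the domain names are assumptions, and the sample log is constructed from RFC 5737 documentation addresses rather than real telemetry.

```python
"""Fast-flux heuristic over a passive-DNS style log (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from statistics import median

# Constructed sample log, one answer per line: "<epoch> <qname> <rdata> <ttl>".
# Addresses come from the RFC 5737 documentation ranges; nothing here is real telemetry.
SAMPLE_LOG = """\
1190000000 update.example-flux.test 203.0.113.7 300
1190000300 update.example-flux.test 198.51.100.21 300
1190000600 update.example-flux.test 192.0.2.88 300
1190000900 update.example-flux.test 203.0.113.150 300
1190001200 update.example-flux.test 198.51.100.9 300
1190001500 update.example-flux.test 192.0.2.17 300
1190001800 update.example-flux.test not-an-ip 300
1190000000 www.example-static.test 203.0.113.10 86400
1190000300 www.example-static.test 203.0.113.10 86400
1190000600 www.example-static.test 203.0.113.11 86400
"""

# Assumed thresholds; tune them against your own resolver data.
MIN_DISTINCT_IPS = 5
MIN_DISTINCT_NETS = 3
MAX_MEDIAN_TTL = 600


@dataclass
class DomainStats:
    qname: str
    answers: int
    distinct_ips: int
    distinct_nets: int   # distinct /16 prefixes, a crude stand-in for "different hosting networks"
    median_ttl: float


def parse_log(text):
    """Group IPv4 answers by query name; malformed lines and non-address rdata are skipped."""
    records = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, qname, rdata, ttl = parts
        try:
            ip = ip_address(rdata)
            ts, ttl = int(ts), int(ttl)
        except ValueError:
            continue
        if not isinstance(ip, IPv4Address):
            continue
        records[qname.lower().rstrip(".")].append((ts, ip, ttl))
    return records


def summarize(qname, answers):
    ips = {ip for _, ip, _ in answers}
    nets = {ip_network(f"{ip}/16", strict=False) for ip in ips}
    return DomainStats(qname, len(answers), len(ips), len(nets),
                       median(ttl for _, _, ttl in answers))


def is_fast_flux(stats):
    return (stats.distinct_ips >= MIN_DISTINCT_IPS
            and stats.distinct_nets >= MIN_DISTINCT_NETS
            and stats.median_ttl <= MAX_MEDIAN_TTL)


def classify_log(text):
    """Map each query name in the log to True if its answers look like fast flux."""
    return {q: is_fast_flux(summarize(q, a)) for q, a in parse_log(text).items()}


if __name__ == "__main__":
    for qname, answers in parse_log(SAMPLE_LOG).items():
        s = summarize(qname, answers)
        print(f"{qname}: ips={s.distinct_ips} nets={s.distinct_nets} "
              f"median_ttl={s.median_ttl} fast_flux={is_fast_flux(s)}")
```

Content-delivery networks also answer with many addresses and short TTLs, so in practice this score is a triage signal to combine with domain age, registrar and the reputation of the resolved networks, not a verdict on its own.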
Botnetting
The compromised machine becomes part of a botnet. Most botnets are controlled through a central server, which, once found, can be taken down to destroy the botnet; the Storm Worm instead seeds a botnet that behaves like a peer-to-peer network, with no centralized control.[7] Each compromised machine connects to a subset of the entire botnet, around 30 to 35 other compromised machines, which act as hosts. Each infected host shares lists of other infected hosts, but no single machine has a full list of the entire botnet; each only has a subset, which makes it difficult to gauge the true extent of the zombie network.[7] On 7 September 2007, estimates of the size of the Storm botnet ranged from 1 to 10 million computers.[13] Researchers from the University of Mannheim and the Institut Eurecom have estimated the number of concurrently online Storm nodes to be between 5,000 and 40,000.[14]
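The gap between "1 to 10 million" and "5,000 to 40,000" comes from what a crawler can actually measure in a network where every node holds only a partial peer list: it can count the node identifiers that appear in the lists it collects, or it can count the nodes that answered it. The first number includes peers that are offline, behind NAT or long gone; the second counts only what is online while the crawl runs. The simulation below is an added example, not Storm's protocol or any research group's crawler; the random-subset network, the online fraction and the breadth-first crawl are constructed assumptions chosen to show only the partial-peer-list property described above.

```python
"""Why a peer-to-peer botnet is hard to size (added example)."""
import random
from collections import deque


def build_botnet(n_nodes, min_peers=30, max_peers=35, seed=0):
    """Constructed toy network: every node knows a random subset of the others.
    Storm's real overlay protocol is not modelled; only 'each node has a partial list' is."""
    rng = random.Random(seed)
    ids = list(range(n_nodes))
    peers = {}
    for node in ids:
        k = rng.randint(min_peers, max_peers)
        others = ids[:node] + ids[node + 1:]   # a node never lists itself
        peers[node] = set(rng.sample(others, k))
    return peers


def crawl(peers, online, start):
    """A crawler's view: ask every node that answers for its peer list and follow it (BFS).
    Offline nodes appear in other nodes' lists but never hand over their own list."""
    responded, listed = set(), {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node not in online:
            continue
        responded.add(node)
        for peer in peers[node]:
            if peer not in listed:
                listed.add(peer)
                queue.append(peer)
    return responded, listed


def size_estimates(n_nodes, online_fraction, seed=0):
    """Compare the two numbers a crawler can report with the true population."""
    rng = random.Random(seed)
    peers = build_botnet(n_nodes, seed=seed)
    online = {n for n in peers if rng.random() < online_fraction}
    if not online:
        raise ValueError("no node is online; nothing to crawl")
    start = min(online)   # assume the crawler's seed peer is currently online
    responded, listed = crawl(peers, online, start)
    return {
        "true_population": n_nodes,
        "currently_online": len(online),
        "responded_to_crawler": len(responded),
        "ids_seen_in_peer_lists": len(listed),
    }


if __name__ == "__main__":
    for fraction in (0.1, 0.3, 0.8):
        print(f"online fraction {fraction}: {size_estimates(2000, fraction, seed=7)}")
```

Run it and the "ids seen in peer lists" figure tracks the true population while "responded to crawler" tracks the online fraction; reporting one without saying which it is produces exactly the spread of estimates quoted above. A real crawler also has to contend with nodes that lie about their peers, which a simulation with honest lists does not capture.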
Rootkit
Another action the Storm Worm takes is to install the rootkit Win32.agent.dh.[7] Symantec pointed out that flawed rootkit code voids some of the Storm Worm author's plans. Later variants, starting around July 2007, loaded the rootkit component by patching existing Windows drivers such as tcpip.sys and cdrom.sys with a stub of code that loads the rootkit driver module without requiring it to have an entry in the Windows driver list.[15]
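Because the later variants loaded the rootkit through a stub patched into an existing, legitimately loaded driver, a tool that only enumerates the kernel's driver list has nothing extra to show; what does change is the driver file on disk, so comparing tcpip.sys and cdrom.sys against a known-good baseline still catches it and tells the analyst where to look. The following is an added example, not code from the page or from any vendor; the byte strings standing in for driver images, the stub bytes and the patch offset are all constructed for illustration.

```python
"""Detect a patched system driver against a known-good baseline (added example)."""
import hashlib

# Constructed stand-ins for driver images. A real check would read the files from
# %SystemRoot%\System32\drivers and take the baseline from install media or a catalog hash.
CLEAN_DRIVERS = {
    "tcpip.sys": b"MZ" + bytes(range(256)) * 4,
    "cdrom.sys": b"MZ" + bytes(255 - i for i in range(256)) * 2,
}

# Hypothetical loader stub in the style the text describes: a jump into injected code.
STUB = b"\xe9" + b"\x90" * 14 + b"\xc3"
PATCH_OFFSET = 0x200


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def patch_bytes(image, offset, stub):
    """Overwrite len(stub) bytes at offset, as a patcher that keeps the file size would."""
    return image[:offset] + stub + image[offset + len(stub):]


def find_modified_region(original, current):
    """Return (offset, length_in_current) of the single modified span, or None if identical.
    Works for in-place overwrites and for code appended past the original end."""
    if original == current:
        return None
    n = min(len(original), len(current))
    start = next((i for i in range(n) if original[i] != current[i]), n)
    end_o, end_c = len(original), len(current)
    while end_o > start and end_c > start and original[end_o - 1] == current[end_c - 1]:
        end_o -= 1
        end_c -= 1
    return start, end_c - start


def audit_drivers(on_disk, baseline):
    """Hash each driver against its baseline; for mismatches, locate the changed bytes.
    In practice only the hashes are stored and a clean copy is fetched for the diff step."""
    findings = {}
    for name, data in on_disk.items():
        if name not in baseline:
            findings[name] = "no baseline"
        elif sha256(data) != sha256(baseline[name]):
            findings[name] = find_modified_region(baseline[name], data)
    return findings


# Constructed "infected" disk state: tcpip.sys carries the stub, cdrom.sys is untouched.
INFECTED_DISK = {
    "tcpip.sys": patch_bytes(CLEAN_DRIVERS["tcpip.sys"], PATCH_OFFSET, STUB),
    "cdrom.sys": CLEAN_DRIVERS["cdrom.sys"],
}

if __name__ == "__main__":
    for name, finding in audit_drivers(INFECTED_DISK, CLEAN_DRIVERS).items():
        print(f"{name}: {finding}")
```

The file size does not change under an in-place overwrite, so size alone is not a useful indicator; the hash mismatch is what triggers the diff, and the offset it returns is the first thing to disassemble. A rootkit that is already running can hide the on-disk change from a live system, so this comparison is most trustworthy when run from a clean boot or against an offline disk image.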
April Fool's Day
On April 1, 2008, a new Storm Worm variant was released onto the net, using April Fools' Day-themed subject lines.