FORCE Mig33 Community

Storm Worm Virus...

Post by jkakashi01 on Wed Feb 13, 2008 1:47 pm

The Storm Worm (dubbed so by the Finnish company F-Secure) is a backdoor Trojan horse that affects computers using Microsoft operating systems, discovered on January 17, 2007. The worm is also known as:

Small.dam or Trojan-Downloader.Win32.Small.dam (F-Secure)
CME-711 (MITRE)
W32/Nuwar@MM and Downloader-BAI (specific variant) (McAfee)
Troj/Dorf and Mal/Dorf (Sophos)
Trojan.DL.Tibs.Gen!Pac13
Trojan.Downloader-647
Trojan.Peacomm (Symantec)
TROJ_SMALL.EDW (Trend Micro)
Win32/Nuwar (ESET)
Win32/Nuwar.N@MM!CME-711 (Windows Live OneCare)
W32/Zhelatin (F-Secure and Kaspersky)
Trojan.Peed, Trojan.Tibs (BitDefender)

The Storm Worm began infecting thousands of (mostly private) computers in Europe and the United States on Friday, January 19, 2007, using an e-mail message with a subject line about a recent weather disaster, "230 dead as storm batters Europe". During the weekend there were six subsequent waves of the attack. As of Monday, January 22, the Storm Worm accounted for 8% of all infections globally.


Ways of action

Originally propagated on the heels of European windstorm Kyrill, the Storm Worm has been seen in the wild also in emails with the following subjects:

A killer at 11, he's free at 21 and kill again!
U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
British Muslims Genocide
Naked teens attack home director.
230 dead as storm batters Europe.
Re: Your text
Radical Muslim drinking enemies's blood.
Chinese/Russian missile shot down Chinese/Russian satellite/aircraft
Saddam Hussein safe and sound!
Saddam Hussein alive!
Venezuelan leader: "Let's the War beginning".
Fidel Castro dead.
If I Knew
When an attachment is opened, the malware installs the wincom32 service, and injects a payload, passing on packets to destinations encoded within the malware itself. According to Symantec, it may also download and run the Trojan.Abwiz.F trojan, and the W32.Mixor.Q@mm worm. The Trojan piggybacks on the spam with names such as "postcard.exe" and "Flash Postcard.exe," with more changes from the original wave as the attack mutates. Some of the known names for the attachments include:


Postcard.exe
ecard.exe
FullVideo.exe
Full Story.exe
Video.exe
Read More.exe
FullClip.exe
GreetingPostcard.exe
MoreHere.exe
FlashPostcard.exe
GreetingCard.exe
ClickHere.exe
ReadMore.exe
FlashPostcard.exe
FullNews.exe
NflStatTracker.exe
ArcadeWorld.exe
ArcadeWorldGame.exe


Later, as F-Secure confirmed, the malware began spreading with subjects such as "Love birds" and "Touched by Love". These emails contain links to websites hosting some of the following files, which are confirmed to contain the virus:
with_love.exe
withlove.exe
love.exe
frommetoyou.exe
iheartyou.exe
fck2008.exe
fck2009.exe


Botnetting

The compromised machine becomes merged into a botnet. While most botnets are controlled through a central server, which if found can be taken down to destroy the botnet, the Storm Worm seeds a botnet that acts in a similar way to a peer-to-peer network, with no centralized control. Each compromised machine connects to a list of a subset of the entire botnet - around 30 to 35 other compromised machines, which act as hosts. While each of the infected hosts shares lists of other infected hosts, no one machine has a full list of the entire botnet - each only has a subset, making it difficult to gauge the true extent of the zombie network. On 7 September 2007, estimates of the size of the Storm botnet ranged from 1 to 10 million computers. Other sources have placed the size of the botnet at around 250,000 to 1 million.

Rootkit

Another action the Storm Worm takes is to install the rootkit Win32.agent.dh. Symantec pointed out that flawed rootkit code voids some of the Storm Worm author's plans. Later variants, starting around July 2007, loaded the rootkit component by patching existing Windows drivers such as tcpip.sys and cdrom.sys with a stub of code that loads the rootkit driver module without requiring it to have an entry in the Windows driver list.

Feedback

The list of antivirus companies that can detect the Storm Worm include Authentium, BitDefender, ClamAV, eSafe, Eset, F-Prot, F-Secure, Kaspersky, McAfee, Norman, Sophos, Symantec and Trend Micro. It should be noted that the Storm Worm is constantly being updated by its authors to evade antivirus detection, so this does not imply that all the vendors listed above are able to detect all the Storm Worm variants. An intrusion detection system offers some protection from the rootkit, as it may warn that the Windows process "services.exe" is trying to access the Internet using ports 4000 or 7871. Windows 2000, Windows XP and presumably Windows Vista can be infected by all the Storm Worm variants, but Windows Server 2003 cannot, as the malware's author specifically excluded that edition of Windows from the code. Additionally, the decryption layer for some variants requires Windows API functions that are only available in Windows XP Service Pack 2 and later, effectively preventing infection on older versions of Windows.

Peter Gutmann sent an email noting Storm comprises between 1 and 10 million CPUs depending on whose estimates you believe. Although Dr Gutmann makes a hardware resource comparison between the Storm botnet and distributed memory and distributed shared memory high performance computers at TOP500, exact performance matches were not his intention - rather a more general appreciation of the botnet's size compared to other massive computing resources. Consider for example the size of the Storm botnet compared to grid computing projects such as the World Community Grid.

An article in PCWorld dated 21 October, 2007 says that a network security analyst presented findings at the Toorcon hacker conference in San Diego on 20-Oct-07, saying that Storm is down to about 20,000 active hosts or about one-tenth of its former size. However, this is being disputed by security researcher Bruce Schneier, who notes that the network is being partitioned in order to sell the parts off independently.

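Editor's added example (not part of jkakashi01's post): the two delivery methods described above, an executable attachment carrying a lure name and a link to a site hosting one of the listed files, can be picked out of a mail with a few lines of Python using the standard email module. The message below is constructed to match the post's description and is not a real capture; the extra executable extensions beyond .exe and the example.invalid host are assumptions of this example, not taken from the post.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# File names the post lists as carrying Storm: the attachment names of the
# early waves and the files hosted on the later "Love birds" / "Touched by Love"
# link sites. Illustrative, not an exhaustive signature set.
KNOWN_STORM_NAMES = {n.lower() for n in (
    "Postcard.exe", "ecard.exe", "FullVideo.exe", "Full Story.exe", "Video.exe",
    "Read More.exe", "FullClip.exe", "GreetingPostcard.exe", "MoreHere.exe",
    "FlashPostcard.exe", "GreetingCard.exe", "ClickHere.exe", "ReadMore.exe",
    "FullNews.exe", "NflStatTracker.exe", "ArcadeWorld.exe", "ArcadeWorldGame.exe",
    "with_love.exe", "withlove.exe", "love.exe", "frommetoyou.exe",
    "iheartyou.exe", "fck2008.exe", "fck2009.exe",
)}

# Assumption (not from the post): any directly executable Windows extension is
# worth flagging even when the name is new, because the attack "mutates" its names.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def classify_name(name: str):
    """Return a verdict for a file name, or None if it looks harmless."""
    n = name.strip().lower()
    if n in KNOWN_STORM_NAMES:
        return "known-storm-name"
    if n.endswith(EXECUTABLE_SUFFIXES):
        return "executable"
    return None


def scan_message(raw: bytes):
    """Walk a raw RFC 822 message; flag executable attachments and links to executables."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            verdict = classify_name(filename)
            if verdict:
                findings.append(("attachment", filename, verdict))
        # Links in text bodies: the second distribution method the post describes.
        if part.get_content_maintype() == "text" and not part.is_attachment():
            for url in URL_RE.findall(part.get_content()):
                basename = urlparse(url).path.rsplit("/", 1)[-1]
                verdict = classify_name(basename)
                if verdict:
                    findings.append(("link", url, verdict))
    return findings


def build_sample() -> bytes:
    """Constructed lure modelled on the post's description; not a real capture."""
    msg = EmailMessage()
    msg["From"] = "news@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "230 dead as storm batters Europe."
    msg.set_content(
        "Full story: http://example.invalid/with_love.exe\n"
        "Weather report: http://example.invalid/report.pdf\n"
    )
    msg.add_attachment(b"MZ\x90\x00stub", maintype="application",
                       subtype="octet-stream", filename="Postcard.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for kind, what, verdict in scan_message(build_sample()):
        print(f"{kind:10} {verdict:18} {what}")
```

The file-name match is the weakest part of this rule, as the post itself notes that the names change from wave to wave; the executable-extension check is what keeps it useful once the list is stale.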

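Editor's added example (not part of the post): the Feedback section says an intrusion detection system may warn that the Windows process services.exe is trying to reach the Internet on ports 4000 or 7871. The Python below turns that hint into a rule run over connection records; the one-line record format, the constructed records, the internal address ranges and the weaker "services-outbound" signal are all assumptions of this example and are not from the post.

```python
import ipaddress
from dataclasses import dataclass

# Ports the post says services.exe uses to reach the Internet on an infected host.
STORM_PORTS = {4000, 7871}

# Assumption (not from the post): address ranges treated as "internal", so that any
# other Internet-bound connection from services.exe can be surfaced as a weaker signal.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass
class Conn:
    ts: str
    image: str
    pid: int
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_line(line: str) -> Conn:
    """Parse one record of the constructed format: ts image pid proto src:port dst:port."""
    ts, image, pid, proto, src, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Conn(ts, image.lower(), int(pid), proto.lower(),
                src_ip, int(src_port), dst_ip, int(dst_port))


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def evaluate(conn: Conn):
    """Return an alert name for one connection record, or None."""
    if conn.image != "services.exe":
        return None
    # Strong signal straight from the post: services.exe on port 4000 or 7871.
    if conn.sport in STORM_PORTS or conn.dport in STORM_PORTS:
        return "services-storm-port"
    # Weaker signal (assumption): services.exe talking to anything outside the LAN.
    if not is_internal(conn.dst):
        return "services-outbound"
    return None


def find_alerts(lines):
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        conn = parse_line(line)
        verdict = evaluate(conn)
        if verdict:
            alerts.append((conn, verdict))
    return alerts


# Constructed records, not a real capture; Sysmon-style fields flattened to one line each.
SAMPLE_LOG = """\
2008-02-13T13:47:01 services.exe 720 udp 192.168.1.10:7871 203.0.113.5:7871
2008-02-13T13:47:02 services.exe 720 tcp 192.168.1.10:1043 198.51.100.20:4000
2008-02-13T13:47:03 svchost.exe 1012 tcp 192.168.1.10:1044 198.51.100.20:80
2008-02-13T13:47:04 services.exe 720 tcp 192.168.1.10:1045 192.168.1.1:135
2008-02-13T13:47:05 services.exe 720 tcp 192.168.1.10:1046 203.0.113.9:80
"""

if __name__ == "__main__":
    for conn, verdict in find_alerts(SAMPLE_LOG.splitlines()):
        print(f"{conn.ts} {verdict:20} {conn.image} pid={conn.pid} "
              f"{conn.proto} {conn.src}:{conn.sport} -> {conn.dst}:{conn.dport}")
```

Because the post describes a rootkit that hides the driver on the infected host, the records are best taken from a sensor the malware cannot tamper with (a network tap or the gateway's flow logs) rather than only from tools running on the suspect machine.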
Re: Storm Worm Virus...

Post by carelyn on Thu Feb 14, 2008 5:41 pm

Very informative post bro. jkakashi... I was once infected by a trojan virus and was glad that it was treated... but I needed to reformat my PC in order to completely clean my PC from the infection! Keep on sharing bro.


Re: Storm Worm Virus...

Post by papa_cologne on Sat Feb 16, 2008 12:59 pm

For virus, trojan, worm, malware and Brontok problems I recommend Kaspersky Anti Virus

http://www.mybittorrent.com/info/708111/


Re: Storm Worm Virus...

Post by carelyn on Sat Feb 16, 2008 6:30 pm

Thanks bro. papa... I'm downloading the file but it's too slow... I think it will take me 1 week to download the 22 MB file lol smash jukz! hehehe!


Re: Storm Worm Virus...

Post by papa_cologne on Sat Feb 16, 2008 8:29 pm

inspire wrote: Thanks bro. papa... I'm downloading the file but it's too slow... I think it will take me 1 week to download the 22 MB file lol smash jukz! hehehe!

Finished downloading, cz inspire???


Re: Storm Worm Virus...

Post by carelyn on Mon Feb 18, 2008 1:34 am

Sad to say no bro. papa, it's too slow. I will just buy the full version for my personal use...


Re: Storm Worm Virus...

Post by jh0s3ph on Fri Feb 22, 2008 2:37 am

Guys, thank you for sharing this very important information with us. So far I've not yet been affected by a virus... Guys, keep sharing your knowledge with us... More power to you and God bless.

Re: Storm Worm Virus...

Post by pegasus202 on Fri Feb 22, 2008 7:51 pm

Wpg virus provided the ideal environment in which to connect quickly and effectively with elusive C-level decision.
