Are You Protected from Storm Worm?
By Nowshade Kabir, Rusbiz.com
A new Trojan named "Storm Worm" has started to take the Internet by storm! This Trojan is responsible for over 17 percent of all emails generated in the last couple of days and managed to infect over 1.6 million computers in the first four days alone. Symantec Corporation claims that this is the biggest outbreak of a virus since Sober.O came out in May of 2005.
The virus emerged on Thursday, January 18, when northern Europe was hammered by hurricane-force winds and heavy precipitation, killing 27 people and disrupting travel for tens of thousands. The storms were among the worst in years, and naturally people were eager to know what was happening. Preying on people's curiosity and using the tabloid-like headline "230 dead as storm batters Europe", criminals dispatched hundreds of thousands of virus-infected emails to unsuspecting users. The goal was to lure users into opening the emails and downloading the attached files.
Over the weekend there were six subsequent waves of the attack, with each email attempting to lure users into downloading an executable by promising a topical news story. The subject line of the emails carried one of the following headlines:
- A killer at 11, he's free at 21 and kill again!
- U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
- British Muslims Genocide
- Naked teens attack home director
- 230 dead as storm batters Europe
- Re: Your text
- Radical Muslim drinking enemies's blood
- Chinese missile shot down Russian satellite
- Chinese missile shot down Russian aircraft
- Chinese missile shot down USA satellite
- Saddam Hussein alive!
- Venezuelan leader: "Let's the War beginning"
- Fidel Castro dead
Some of the e-mail messages have also been changed to prey on the romantic types. Recent versions of these Trojan e-mails have contained subject lines such as "A Bouquet of Love", "A Day in Bed Coupon", or "A Monkey Rose for You".
The attachments carrying the Trojan horse malware have names like:
- Full Story.exe
- Read More.exe
The "Storm worm" exists in a very large number of slightly different variants, each released in small quantities, from numerous places at the same time and in a particular sequence. By distributing so many variants simultaneously, the virus distributors attempt to undermine the effectiveness of signature-based anti-virus engines, so that AV programs become futile in safeguarding computers. This is creating a real problem for anti-malware vendors: even the latest updates of an antivirus program do not guarantee full protection against the increasing number of new variants of this malware.
Each antivirus vendor calls this Trojan by a different name. Symantec calls it "Trojan.Peacomm", McAfee calls it "Downloader-BAI.gen" and ESET calls it
How it works
Once a user downloads the executable file attached to the infected email, the program installs two .ini files, peers.ini and wincom32.ini, and a system file called wincom32.sys. This is the Trojan, and it creates a backdoor, a security hole, in the computer. This allows hackers to bypass security authentication, get remote access to the system and install a rootkit. A rootkit is a set of programs used to hack into a system and gain administrative-level access. Once such a program has gained access, it can be used to monitor traffic and keystrokes; create a backdoor into the system for the hackers to use; alter log files; attack other machines on the network; and modify existing system tools to avoid detection. Rootkits are an extreme form of system modification software.
After installation, the Trojan horse downloads five further files from other computers: TROJ_AGENT.JVH, TROJ_AGENT.JVI, TROJ_AGENT.JVJ, TROJ_DORF.AA, and WORM_NUWAR.CQ. When the rootkit is installed, the compromised machine becomes a zombie in a network called a botnet. "Botnet" is jargon for a collection of software robots which run autonomously. A botnet's originator can control the group remotely, usually through a means such as IRC, and use it for malicious purposes. Most botnets used for malicious purposes are currently controlled through a central server. Such a server is relatively easy to deactivate once found, which in turn eliminates the botnet. However, this particular Trojan builds a new type of botnet without any centralized server, working more like a peer-to-peer network. Another distinctive feature of this virus is its ability to infect Windows Vista.
What is next?
Over the coming days there will be more attacks. Apparently, the malware distributors are using the botnets to spread spam designed to jack up "pump and dump" penny stocks, as well as various adware.
How to safeguard your computer?
If you take the following steps, your computer will be virtually safe from similar virus attacks:
- If you have not updated your Windows system with the latest Microsoft patches, do so
- Get an antivirus program and install it on your computer
- Regularly update your antivirus program
- Get a firewall such as ZoneAlarm, or enable Windows XP's built-in firewall
- Make sure that your email filter blocks all executable mail attachments
- Scan your computer for viruses regularly
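As an added illustration of the email-filter step above (this is example code written for this article, not a product's filter), the following Python script inspects a message and quarantines it when an attachment is executable, either by extension or because its contents begin with the Windows "MZ" executable header even under an innocuous name, or when the subject matches one of the lure headlines listed earlier. The executable extension list and the MZ check are general defensive heuristics assumed here; the sample message is constructed inline.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions and the MZ check are general heuristics (assumption, not from the article).
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# Lure subject lines quoted from the article's list.
KNOWN_SUBJECTS = {
    "230 dead as storm batters Europe",
    "Fidel Castro dead",
    "Saddam Hussein alive!",
    "Chinese missile shot down USA satellite",
}

def is_pe_payload(data: bytes) -> bool:
    """Windows PE executables start with the 'MZ' DOS header."""
    return data[:2] == b"MZ"

def scan_message(raw: bytes) -> list[str]:
    """Return the reasons (if any) this message should be quarantined."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = str(msg["Subject"] or "").strip()
    if subject in KNOWN_SUBJECTS:
        reasons.append(f"known lure subject: {subject}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        payload = part.get_payload(decode=True) or b""
        if ext in EXEC_EXTENSIONS:
            reasons.append(f"executable attachment by extension: {name}")
        elif is_pe_payload(payload):
            # Renamed executable: the name looks harmless but the bytes do not.
            reasons.append(f"PE header in attachment with innocuous name: {name}")
    return reasons

def build_sample(subject: str, filename: str, payload: bytes) -> bytes:
    """Construct a test message resembling the lure described in the article."""
    msg = EmailMessage()
    msg["From"] = "news@example.invalid"      # constructed sender
    msg["To"] = "user@example.invalid"        # constructed recipient
    msg["Subject"] = subject
    msg.set_content("Full story in the attachment.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    sample = build_sample("230 dead as storm batters Europe", "Full Story.exe", b"MZ\x90\x00")
    for reason in scan_message(sample):
        print("QUARANTINE:", reason)
```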
What to do if you got infected anyway?
If you got infected anyway, do the following:
- If you are using Windows Me or XP, first disable System Restore
- Update your antivirus program
- Run a complete system check-up
- Clean up the registry keys by navigating to
- Delete the two .ini files mentioned earlier
Don't become a victim! Take necessary precautions before culprits get hold of your computer.