
Storm Worm


Name:

Storm Worm

Also known as:

Trojan-Downloader.Win32.Small.dam, Trojan.Downloader-647, Trojan.DL.Tibs.Gen!Pac13, Email-Worm.Win32.Zhelatin.a (Kaspersky), Downloader-BAI (McAfee), Troj/Dorf-Fam (Sophos), Trojan.Peacomm (Symantec), TROJ_SMALL.EDW (Trend Micro), Win32/Nuwar.N@MM (Microsoft)

Type:

Email worm, Trojan, Downloader

Discovered:

January 19, 2007

Method of Propagation:

The Storm worm spreads via email, using a variety of subject lines and message text that masquerade as news articles or other current events. For example, the subject line of a Storm email may be one of the following:

A killer at 11, he's free at 21 and kill again!
U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
British Muslims Genocide
Naked teens attack home director.
230 dead as storm batters Europe.
Radical Muslim drinking enemies's blood.
Chinese missile shot down Russian satellite
Saddam Hussein alive!
Venezuelan leader: "Let's the War beginning".
Fidel Castro dead.

The attachment carried by the Storm worm may be named one of the following:

FullVideo.exe
Full Story.exe
Video.exe
Read More.exe
FullClip.exe
GreetingPostcard.exe
MoreHere.exe
FlashPostcard.exe
GreetingCard.exe
ClickHere.exe
ReadMore.exe
FlashPostcard.exe
FullNews.exe
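The subject lines and attachment names above are usable as mail-gateway indicators. The following triage helper is an added example, not part of the original profile: it parses a raw message with Python's standard `email` package and reports which of the listed lures it matches. The indicator lists are copied from the profile; the two sample messages are constructed for the example, and the extra "any other .exe attachment" flag is an added heuristic, not something the profile states.

```python
"""Flag e-mails whose subject or attachment name matches a listed Storm lure.
Example code added to this page (not the original profile's). Indicator lists
come from the profile; sample messages below are constructed."""
import email
from email import policy

# Subject lines exactly as listed in the profile.
STORM_SUBJECTS = {
    "A killer at 11, he's free at 21 and kill again!",
    "U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel",
    "British Muslims Genocide",
    "Naked teens attack home director.",
    "230 dead as storm batters Europe.",
    "Radical Muslim drinking enemies's blood.",
    "Chinese missile shot down Russian satellite",
    "Saddam Hussein alive!",
    'Venezuelan leader: "Let\'s the War beginning".',
    "Fidel Castro dead.",
}

# Attachment names as listed in the profile, lower-cased for matching.
STORM_ATTACHMENTS = {name.lower() for name in (
    "FullVideo.exe", "Full Story.exe", "Video.exe", "Read More.exe",
    "FullClip.exe", "GreetingPostcard.exe", "MoreHere.exe", "FlashPostcard.exe",
    "GreetingCard.exe", "ClickHere.exe", "ReadMore.exe", "FullNews.exe",
)}


def storm_indicators(raw_message: bytes) -> dict:
    """Return which Storm indicators a raw RFC 822 message matches."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = {"subject": None, "attachments": [], "other_exe": []}

    # Folded header lines are unfolded by policy.default; collapse any
    # remaining runs of whitespace before comparing with the list.
    subject = " ".join(str(msg["subject"] or "").split())
    if subject in STORM_SUBJECTS:
        hits["subject"] = subject

    for part in msg.iter_attachments():
        name = part.get_filename()
        if not name:
            continue
        if name.lower() in STORM_ATTACHMENTS:
            hits["attachments"].append(name)
        elif name.lower().endswith(".exe"):
            # Added heuristic (assumption, not from the profile): executable
            # attachments are worth a look even if the name is not listed.
            hits["other_exe"].append(name)
    return hits


def is_suspected_storm(raw_message: bytes) -> bool:
    """True when the subject or an attachment name matches a listed lure."""
    hits = storm_indicators(raw_message)
    return hits["subject"] is not None or bool(hits["attachments"])


# Constructed sample: a lure using a listed subject and attachment name.
SAMPLE_LURE = b"""From: news@example.invalid
To: user@example.invalid
Subject: 230 dead as storm batters Europe.
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Full story in the attached file.
--b1
Content-Type: application/octet-stream; name="Full Story.exe"
Content-Disposition: attachment; filename="Full Story.exe"
Content-Transfer-Encoding: base64

SGVsbG8=
--b1--
"""

# Constructed sample: an ordinary message with a non-executable attachment.
SAMPLE_BENIGN = b"""From: colleague@example.invalid
To: user@example.invalid
Subject: Meeting notes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Notes attached.
--b2
Content-Type: application/pdf; name="notes.pdf"
Content-Disposition: attachment; filename="notes.pdf"
Content-Transfer-Encoding: base64

SGVsbG8=
--b2--
"""

if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, is_suspected_storm(raw), storm_indicators(raw))
```

Exact subject matching is deliberately narrow: the profile notes there are dozens of variants, so in practice the list would be extended as new lures are observed, and the `other_exe` flag exists to surface attachments that match the pattern but not the list.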

Symptoms of Infection:

Note: There are dozens of variants of the Storm worm. The following technical details may not apply to each of them. To determine whether a Storm worm infection is present, scan your systems with up-to-date antivirus software.

System Impact:
The Storm email worm may drop the file 'wincom32.exe' into the Windows system directory (typically C:\Windows\System under Windows 95/98/ME, C:\Winnt\System32 under Windows NT/2000, and C:\Windows\System32 under Windows XP).

The Storm worm loads the dropped wincom32.exe as a device driver by modifying the registry as follows:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wincom32

This device driver injects a module into the services.exe process, sets up a peer-to-peer file-sharing network among infected systems, and listens for commands on UDP ports 4000, 7871, and 11271.

The Storm worm then downloads files from various remote IP addresses and executes those files on the local system.
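The three host artifacts described in this section (the wincom32 service key, the dropped wincom32.exe in the system directory, and the UDP listeners on 4000, 7871 and 11271) can be checked together. The script below is an added example, not part of the original profile: its parsing and assessment logic runs anywhere on a constructed `netstat -ano -p udp` sample, and the collection step at the bottom (assumed to use Windows `winreg`, the `SystemRoot` environment variable and `netstat`) only runs on a Windows host.

```python
"""Check a host for the Storm artifacts named in the profile: the wincom32
service key, wincom32.exe in the system directory, and UDP listeners on
4000/7871/11271. Example code added to this page, not the profile's own."""
import os
import subprocess
import sys

STORM_SERVICE = "wincom32"          # HKLM\SYSTEM\CurrentControlSet\Services\wincom32
STORM_DROPPED_FILE = "wincom32.exe" # dropped into the Windows system directory
STORM_UDP_PORTS = {4000, 7871, 11271}


def parse_netstat_udp(output: str) -> dict:
    """Map local UDP port -> owning PID from 'netstat -ano -p udp' text.

    Header and non-UDP lines are skipped; IPv6 addresses like [::]:123 are
    handled by splitting on the last colon. PID is None if the column is absent.
    """
    listeners = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].upper() != "UDP":
            continue
        port = fields[1].rsplit(":", 1)[-1]
        if not port.isdigit():
            continue
        pid = int(fields[-1]) if fields[-1].isdigit() else None
        listeners[int(port)] = pid
    return listeners


def assess_host(service_names, system_dir_files, netstat_output) -> dict:
    """Combine the three indicators into one finding.

    The service key and dropped file are treated as strong indicators on their
    own; the UDP ports are reported as corroboration only, since a single port
    such as 4000 may be in legitimate use (this weighting is an assumption).
    """
    services = {s.lower() for s in service_names}
    files = {f.lower() for f in system_dir_files}
    udp = parse_netstat_udp(netstat_output)
    findings = {
        "service_key": STORM_SERVICE in services,
        "dropped_file": STORM_DROPPED_FILE in files,
        "udp_ports": sorted(p for p in STORM_UDP_PORTS if p in udp),
        "udp_pids": sorted({udp[p] for p in STORM_UDP_PORTS if p in udp and udp[p] is not None}),
    }
    findings["suspected"] = findings["service_key"] or findings["dropped_file"]
    return findings


# Constructed netstat sample (not captured from a real host) showing two of
# the three Storm ports owned by the same process.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  UDP    0.0.0.0:123            *:*                                    1084
  UDP    0.0.0.0:4000           *:*                                    1312
  UDP    0.0.0.0:7871           *:*                                    1312
  UDP    [::]:1900              *:*                                    2560
"""


def collect_windows_inputs():
    """Gather the live inputs on a Windows host (assumed APIs: winreg, netstat)."""
    import winreg  # Windows-only module; imported here so the parser runs elsewhere
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services")
    count = winreg.QueryInfoKey(key)[0]
    services = [winreg.EnumKey(key, i) for i in range(count)]
    system_dir = os.path.join(os.environ["SystemRoot"], "System32")
    files = os.listdir(system_dir)
    netstat = subprocess.run(["netstat", "-ano", "-p", "udp"],
                             capture_output=True, text=True).stdout
    return services, files, netstat


if __name__ == "__main__":
    if sys.platform == "win32":
        print(assess_host(*collect_windows_inputs()))
    else:
        # Off-Windows: exercise the logic on the constructed sample.
        print(assess_host(["Tcpip", "wincom32"], ["kernel32.dll", "wincom32.exe"], NETSTAT_SAMPLE))
```

Because the removal notes below state that the worm is rootkit-enabled and may hide its files and processes, a clean result from this check on the live system is not proof of absence; the same indicators are more reliable when read from an offline copy of the disk and registry hives, or from network-side observation of the UDP ports.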

Removal Notes:
The Storm worm is rootkit enabled and may hide files and processes associated with it and other malware it downloads. To remove the worm and other installed malware, scan the system using up-to-date antivirus software.

©2014 About.com. All rights reserved.