
Storm Worm

Also known as:

Trojan-Downloader.Win32.Small.dam, Trojan.Downloader-647, Trojan.DL.Tibs.Gen!Pac13, Email-Worm.Win32.Zhelatin.a (Kaspersky), Downloader-BAI (McAfee), Troj/Dorf-Fam (Sophos), Trojan.Peacomm (Symantec), TROJ_SMALL.EDW (Trend Micro), Win32/Nuwar.N@MM (Microsoft)


Type:

Email worm, Trojan, Downloader

Discovered:

January 19, 2007

Method of Propagation:

The Storm worm spreads via email, using a variety of subject lines and message bodies that masquerade as breaking news or other current events. For example, the subject line of a Storm email may be any of the following (reproduced as sent, spelling errors included):

A killer at 11, he's free at 21 and kill again!
U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
British Muslims Genocide
Naked teens attack home director.
230 dead as storm batters Europe.
Radical Muslim drinking enemies's blood.
Chinese missile shot down Russian satellite
Saddam Hussein alive!
Venezuelan leader: "Let's the War beginning".
Fidel Castro dead.

The executable attachment carried by the Storm email may have one of the following names:

Full Story.exe
Read More.exe
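As an added example, not code from the original page or from any antivirus vendor, the following Python script checks a raw RFC 822 message against the subject lines and attachment names listed above, using only the standard library. The message it builds is constructed test data, not a captured Storm email, and the subject list is limited to the lures cited on this page (real Storm runs rotated many more).

```python
import email
from email import policy
from email.message import EmailMessage

# Subject lines listed on this page for the Storm lure, matched verbatim.
STORM_SUBJECTS = {
    "A killer at 11, he's free at 21 and kill again!",
    "U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel",
    "British Muslims Genocide",
    "Naked teens attack home director.",
    "230 dead as storm batters Europe.",
    "Radical Muslim drinking enemies's blood.",
    "Chinese missile shot down Russian satellite",
    "Saddam Hussein alive!",
    'Venezuelan leader: "Let\'s the War beginning".',
    "Fidel Castro dead.",
}

# Attachment names listed on this page, compared case-insensitively.
STORM_ATTACHMENTS = {"full story.exe", "read more.exe"}


def storm_indicators(raw_message: bytes) -> list[str]:
    """Return the Storm lure indicators found in one raw email message.

    A known subject line or a known attachment name is a strong hit; any
    other .exe attachment is reported as a weaker, generic indicator.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []

    subject = (msg["Subject"] or "").strip()
    if subject in STORM_SUBJECTS:
        findings.append(f"known Storm subject line: {subject!r}")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower() in STORM_ATTACHMENTS:
            findings.append(f"known Storm attachment name: {name!r}")
        elif name.lower().endswith(".exe"):
            findings.append(f"executable attachment: {name!r}")

    return findings


def build_sample(subject: str, attachment_name: str) -> bytes:
    """Build a constructed sample message (test data, not a real Storm email)."""
    msg = EmailMessage()
    msg["From"] = "news@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = subject
    msg.set_content("Read the full story in the attached file.")
    # A few bytes standing in for a PE file; the MZ header is all that is needed here.
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for hit in storm_indicators(build_sample("Fidel Castro dead.", "Full Story.exe")):
        print(hit)
```

On a real gateway the raw message would come from the MTA rather than from build_sample; the check is deliberately exact on subject text because the lures were sent verbatim, while the attachment check ignores case so that "FULL STORY.EXE" is still caught.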

Symptoms of Infection:

Note: There are dozens of variants of the Storm worm, and the technical details below may not apply to all of them. To determine whether a Storm worm infection is present, scan your systems with up-to-date antivirus software.

System Impact:
The Storm email worm may drop the file 'wincom32.exe' into the Windows system directory (typically C:\Windows\System under Windows 95/98/ME, C:\Winnt\System32 under Windows NT/2000, and C:\Windows\System32 under Windows XP).

The Storm worm loads the dropped wincom32.exe as a device driver by adding the registry entries that register it as a driver service.

This device driver injects a module into the services.exe process, joins a peer-to-peer network built on a file-sharing protocol (used by the infected hosts to find each other and their update sources), and listens for commands on UDP ports 4000, 7871, and 11271.

The Storm worm then downloads files from various remote IP addresses and executes those files on the local system.
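As an added example, not code from the original page, the following Python script applies the host indicators above to constructed input: the text of a Windows `netstat -ano` listing (a constructed sample, not output from an infected machine) and a list of file paths. It flags UDP sockets bound to ports 4000, 7871 and 11271 and any wincom32.exe located in one of the system directories named above.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from this page: the dropped file, the UDP ports it listens on,
# and the system directories it is dropped into (compared in lower case).
DROPPED_FILE = "wincom32.exe"
STORM_UDP_PORTS = {4000, 7871, 11271}
SYSTEM_DIRS = {r"c:\windows\system", r"c:\winnt\system32", r"c:\windows\system32"}

# One UDP line of `netstat -ano` output, e.g.
#   UDP    0.0.0.0:4000           *:*                                    1460
NETSTAT_UDP = re.compile(r"^\s*UDP\s+(\S+):(\d+)\s+\S+\s+(\d+)\s*$", re.IGNORECASE)

# Constructed sample listing: two Storm ports bound by the same PID plus benign noise.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  UDP    0.0.0.0:4000           *:*                                    1460
  UDP    0.0.0.0:7871           *:*                                    1460
  UDP    127.0.0.1:1900         *:*                                    1120
"""


def storm_udp_listeners(netstat_output: str) -> list[tuple[int, int]]:
    """Return (port, pid) pairs for UDP sockets bound to the Storm ports."""
    hits = []
    for line in netstat_output.splitlines():
        m = NETSTAT_UDP.match(line)
        if not m:
            continue
        port, pid = int(m.group(2)), int(m.group(3))
        if port in STORM_UDP_PORTS:
            hits.append((port, pid))
    return hits


def storm_dropped_files(paths) -> list[str]:
    """Return the paths that are wincom32.exe inside a Windows system directory."""
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.name.lower() == DROPPED_FILE and str(wp.parent).lower() in SYSTEM_DIRS:
            hits.append(p)
    return hits


if __name__ == "__main__":
    # Constructed file list: one real indicator, one look-alike outside the system dir.
    sample_paths = [r"C:\Windows\System32\wincom32.exe", r"C:\Users\bob\wincom32.exe"]
    print("UDP listeners:", storm_udp_listeners(SAMPLE_NETSTAT))
    print("dropped files:", storm_dropped_files(sample_paths))
```

Because the worm hides its own files and processes (see Removal Notes), a netstat or directory listing taken on the infected host may not show these indicators at all; treat a hit as confirmation, not a miss as a clean bill of health, and prefer firewall or flow logs showing UDP traffic on these ports from the host.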

Removal Notes:
The Storm worm is rootkit-enabled and may hide the files and processes belonging to it and to the other malware it downloads. To remove the worm and the malware it installed, scan the system using up-to-date antivirus software; because a running rootkit can conceal its components from tools on the infected system, a scan from a clean boot medium is more reliable than one run inside the infected Windows installation.

©2014 About.com. All rights reserved.