CNET Security Center: Your complete source of antivirus and Internet security information.

QUICK FACTS

Name: Storm worm; also known as Small (Kaspersky and Trend Micro), Downloader (McAfee), Peacomm (Symantec)

Date first reported: 04/12/07

CME Number: CME-711

Software vulnerable: Microsoft Windows

What it does: Installs a rootkit and communicates updates via peer-to-peer connections

Recommendations: Avoid opening e-mail attachments without first scanning them for viruses.

Exploit code available: N/A

Vendor patch available: N/A

According to Ken Dunham of iDefense, this new variant worm includes antisecurity measures to hinder analysis, and it sends out copies of itself inside of a password-protected ZIP file to evade antivirus detection. Unfortunately, to further evade detection, the e-mails sent are randomized with different file names, different passwords, and different binaries within the ZIP file.

According to one source, the subject lines include:

"Worm Alert!"
"Worm Detected"
"Virus Alert"
"ATTN!"
"Trojan Detected!"
"Worm Activity Detected!"
"Spyware Detected!"
"Virus Activity Detected!"

According to SANS Internet Storm Center, the ZIP files appear to be named:

"patch-(random 4 or 5 digit number).zip"
"bugfix-(random 4 or 5 digit number).zip"
"hotfix-(random 4 or 5 digit number).zip"
"removal-(random 4 or 5 digit number).zip"

Once executed, the new variant worm installs a rootkit on the infected system and communicates over a private peer-to-peer (P2P) network to update itself. This latest variation may be laying the groundwork for even more attacks in the near future, launching future releases from those machines already infected.

Additional resources

Trend Micro: Nuwar.AOP

Mitre.org Common Malware Enumeration: CME-711