• On The Insider: Britney's Bikini-Clad Top 10
April 12, 2007 2:36 PM PDT

Storm Worm strikes again

by Robert Vamosi
  • Font size
  • Print
A new variant of the Storm Worm (aka Snow Worm) is slamming into e-mail inboxes worldwide as an apparent patch or fix for a recent worm attack. The latest variant appears to ride on the coattails of worm that Trend Micro calls Nuwar.AOP.The Trojan part of this worm is known as Small (Kaspersky and Trend Micro), Downloader (McAfee), Peacomm (Symantec), and officially by the designation CME (Common Malware Enumeration) 711.

According to Ken Dunham of iDefense, this new variant worm includes anti-security measures to hinder analysis, and sends out copies of itself inside of a password protected ZIP file to evade anti-virus detection. Unfortunately, to further evade detection the e-mails sent are randomized with different filenames, different passwords, and different binaries within the ZIP file.

According to one source, the subject lines include:

"Worm Alert!"
"Worm Detected"
"Virus Alert"
"ATTN!"
"Trojan Detected!"
"Worm Activity Detected!"
"Spyware Detected!"
"Virus Activity Detected!"

According to SANS Internet Storm Center, the zip files appear to be named:

"patch-(random 4 or 5 digit number).zip"
"bugfix-(random 4 or 5 digit number).zip"
"hotfix-(random 4 or 5 digit number).zip"
"removal-(random 4 or 5 digit number).zip"

Once executed the new variant worm installs a rootkit on the infected system and communicates over a private peer-to-peer (P2P) network to update itself. This latest variation may be laying the groundwork for even more attacks in the near future, launching future releases from those machines already infected.

Additional Resources

Trend Micro: Nuwar.AOO

Mitre.org Common Malware Enumeration: CME-711

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
Topics:

Rootkits

Tags:

virus,

rootkit

Share:
Digg
Del.icio.us
Reddit
Recent posts from Zero Days
Microsoft fixes nineteen flaws in seven patches; all are considered critical updates
Storm Worm strikes again
Windows dynamic DNS update mechanism
Windows Web Proxy Autodiscovery flaw
Windows animated cursor attack
Update for Internet Explorer 7
Integer overflow in Microsoft Internet Explorer 6
Internet Explorer "FolderItem" Object Access Remote Denial of Service Vulnerability
advertisement

About Zero Days

Zero Days are security threats released before or concurrent with the public disclosure of software vulnerabilities. Our new blog will keep you ahead of the criminal hackers by informing you what you are up against.

Add this feed to your online news reader

Zero Days topics

Reviews & advice
Site map
Editorial policies
Meet the editors
How we test
Forums
Internet speed test
Popular topics
Apple iPhone
Apple iPod
Cell phones
Dell
GPS
LCD TV
CNET sites
CNET Site map
CNET TV
Downloads
News
Reviews
Shopper.com
More information
Newsletters
CNET Mobile
Customer Help Center
RSS
CNET Widgets
About CNET
sponsored