Posted on Monday, March 31st, 2008

April Storm’s Day Campaign

by Jose Nazario

The Storm Worm is out and about with a new lure campaign, this one centered on tomorrow's April Fool's Day holiday. The campaign appears to have started in the past few hours, and reports indicate it had been in preparation for the preceding 24 hours or so. Example messages look like this:

Doh! April’s Fool. http://86.121.253.168/

So the lure uses a raw IP address as the URL rather than a hostname. No major changes from previous variants, but here are the specifics for this one:

  • Peerlist: C:\WINDOWS\aromis.config
  • Installs as: C:\WINDOWS\aromis.exe
  • As always, it listens on a random UDP port, makes a lot of outbound connections, adds itself as a firewall exception both via “netsh firewall set” and via the registry, uses w32tm to sync its clock, and so on.
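The two kinds of indicator the post gives, the bare-IP lure URL and the host artifacts in the list above, lend themselves to simple checks. The following is an added example, not code from the original post or from Arbor: it flags message bodies whose URLs use a routable dotted-quad IP instead of a hostname, and tags constructed process-creation records that match the dropper path, the netsh firewall exception, a registry firewall exception, and a w32tm clock sync spawned by the dropper. The record format and all sample data are constructed for illustration; the registry key it matches is the Windows XP SP2 firewall exceptions list, which the post does not name (it only says “via the registry”).

```python
"""Checks for the Storm indicators quoted in the post above.

Added example, not code from the original post or from Arbor. The log
record format and all sample data are constructed; the registry key
matched below is the XP SP2 firewall exceptions list, which the post
does not name (it only says "via the registry").
"""
import ipaddress
import re
from typing import Dict, Iterable, List

# Paths given in the post for this variant.
PEERLIST_PATH = r"C:\WINDOWS\aromis.config"
DROPPER_PATH = r"C:\WINDOWS\aromis.exe"

# The lure URLs were bare dotted-quad IPs, not hostnames.
_BARE_IP_URL = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(?:/\S*)?", re.I)


def bare_ip_urls(text: str) -> List[str]:
    """Return the globally routable IPv4 literals used as URL hosts in a message body."""
    hits: List[str] = []
    for m in _BARE_IP_URL.finditer(text):
        try:
            ip = ipaddress.IPv4Address(m.group(1))
        except ipaddress.AddressValueError:
            continue  # e.g. 999.1.1.1 matches the regex but is not an address
        if ip.is_global:  # skip RFC 1918, loopback, link-local: common in legitimate intranet mail
            hits.append(str(ip))
    return hits


def _basename(path: str) -> str:
    """Lower-cased final component of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def classify_event(record: str) -> List[str]:
    """Tag one process-creation record with the host indicators it matches.

    Record format (constructed for this example): timestamp|parent_image|image|command_line
    """
    try:
        _ts, parent, image, cmdline = record.rstrip("\r\n").split("|", 3)
    except ValueError:
        return ["unparseable"]
    parent_l, image_l, cmd_l = parent.lower(), image.lower(), cmdline.lower()
    from_dropper = parent_l == DROPPER_PATH.lower()
    tags: List[str] = []
    if image_l == DROPPER_PATH.lower():
        tags.append("storm_dropper_exec")
    if _basename(image) == "netsh.exe" and "firewall set" in cmd_l and "aromis.exe" in cmd_l:
        tags.append("firewall_exception_netsh")
    # Assumed key: XP SP2 firewall exceptions list (the post only says "via the registry").
    if _basename(image) == "reg.exe" and "authorizedapplications\\list" in cmd_l:
        tags.append("firewall_exception_registry")
    # w32tm on its own is routine; it is only interesting when the dropper spawns it.
    if _basename(image) == "w32tm.exe" and from_dropper:
        tags.append("clock_sync_from_dropper")
    return tags


def scan_log(records: Iterable[str]) -> Dict[str, int]:
    """Count indicator tags over a sequence of process-creation records."""
    counts: Dict[str, int] = {}
    for rec in records:
        if not rec.strip():
            continue
        for tag in classify_event(rec):
            counts[tag] = counts.get(tag, 0) + 1
    return counts


# Constructed samples: the lure text from the post, a benign message, and five process events.
SAMPLE_LURE = "Doh! April's Fool. http://86.121.253.168/"
SAMPLE_BENIGN = "Report is at http://intranet.example.com/report (mirror http://10.0.0.5/wiki)"
SAMPLE_LOG = [
    r'2008-03-31T18:02:11|C:\WINDOWS\explorer.exe|C:\WINDOWS\aromis.exe|"C:\WINDOWS\aromis.exe"',
    r'2008-03-31T18:02:12|C:\WINDOWS\aromis.exe|C:\WINDOWS\system32\netsh.exe|netsh firewall set allowedprogram "C:\WINDOWS\aromis.exe" aromis ENABLE',
    r'2008-03-31T18:02:12|C:\WINDOWS\aromis.exe|C:\WINDOWS\system32\reg.exe|reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List" /v "C:\WINDOWS\aromis.exe" /t REG_SZ /d "C:\WINDOWS\aromis.exe:*:Enabled:aromis"',
    r'2008-03-31T18:02:13|C:\WINDOWS\aromis.exe|C:\WINDOWS\system32\w32tm.exe|w32tm /resync',
    r'2008-03-31T18:05:00|C:\WINDOWS\system32\svchost.exe|C:\WINDOWS\system32\w32tm.exe|w32tm /resync',
]

if __name__ == "__main__":
    print("lure IPs:", bare_ip_urls(SAMPLE_LURE), "benign:", bare_ip_urls(SAMPLE_BENIGN))
    print("host indicators:", scan_log(SAMPLE_LOG))
```

The private-address filter in bare_ip_urls matters in practice: internal mail routinely carries http://10.x.x.x links, and flagging those would bury the real lure. Likewise, w32tm is a normal Windows binary, so the host check only reports it when its parent is the dropper path; the last sample record, a resync launched from svchost, produces no tag.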

(Screenshot: StormAprilFools08)

7 Responses



Comment Post by: Storm Worm/Zhelatin -A very dangerous April Fools joke that’s on you | malwarecrawler.com — March 31st, 2008 @ 4:33 pm EST

[…] Credits for heads up to Alex Eckelberry of Sunbelt Software and Jose Nazario from Arbor Networks […]

Comment Post by: » No joke: Storm worm taking advantage of April Fools’ Day » The PC Doctor’s blog — March 31st, 2008 @ 7:40 pm EST

[…] Arbor Networks […]

Comment Post by: Business News Research » No April Fools’–Storm worm is back | Defense in Depth - computer security, hacking, crime, viruses — April 1st, 2008 @ 12:20 am EST

[…] a blog, Arbor Networks’ Jose Nazario reports that within the last 24 hours he’s seeing new […]

Comment Post by: veil_of_darkness — April 1st, 2008 @ 9:22 am EST

Comment Post by: Storm Worms exploit April Fools - Computer Forums — April 1st, 2008 @ 11:21 am EST

[…] attempt to dupe more gullible users into getting their PCs infected kicked off on Monday with a spam campaign designed to trick recipients into visiting websites under the control of hackers containing […]

Comment Post by: Storm Worm makes April 1 return - HardwareLogic Forums — April 1st, 2008 @ 9:47 pm EST

[…] Storm is back, reports security firm Arbor Networks, and dressed to kill in its April Fools’ outfit. Arbor Networks blogger Jose Nazario notes that Storm’s latest variant began appearing sometime during March 31, greeting users with a simple “Doh! April’s Fool. (sic)” message that hyperlinks to an IP address. Users clicking the link are taken to a web page with a cute picture and an automatic download, prompting them to run the download as soon as it completes. If the user follows these directions, he or she will find his or her computer added to the decentralized Storm botnet, which security analysts think contains anywhere from 20,000 to 10 million computers. April Fools’ Day is only the latest such occasion to be exploited by Storm, which in the past has sent out e-mail messages with headlines like, “Saddam Hussein alive!” and “Fidel Castro dead.” The original Storm variant earned its namesake in January 2007, when it infected thousands of computers in the United States and Europe with the headline “230 dead as storm batters Europe.” Six more waves appeared within three days of the worm’s initial attack, and by January 22 the Storm Worm was responsible for 8% of virus infections around the world. Thanks HL and Corsair! My opinions are my own and not representative of this site or its members. […]

Comment Post by: TechTalkz.com Technology & Computer Troubleshooting Forums — April 2nd, 2008 @ 12:48 am EST

Alert: Storm Worm Returns using the April Fool messages…

Storm is back, reports security firm Arbor Networks, and dressed to kill in its April Fools…
