Storm Worm, GIFs, Passwords, Zips and Alerts

I spent a good portion of my day watching the Storm Worm mutate from spammed EXE attachments to ZIP attachments protected by a password given in the message body. This is a change in tactics for the Storm Worm team and has proven effective at evading AV. The Storm Worm is malware designed to install spammer toolkits.

Over the past day, the Storm team has been flooding the world with spam. The attachment is the bootstrap for the malware: it downloads and installs a few further components. The emails, which started going out in the late morning to early afternoon US Eastern time, look similar to the one below. Note that the text in the message is actually a GIF attachment.

Storm Worm Body

There was some confusion throughout the day: the payloads and tactics were new, AV wasn’t catching them, and vendors have a dozen names for this threat. That said, once we started to analyze it, sure enough it was the Storm Worm, our old friend. Note that this past weekend we saw Storm using “Iran-US War” messages as its hook; the password-protected ZIP run is a new direction for the team, moving beyond news-event lures into the tactics typically used by Bagle and Mydoom. The rootkit analysis report below, from a third-party tool, shows how it hides itself on the machine with a kernel driver (the .sys file) and registry entries.

Storm Worm Hidden Files

AV detection has been improving all day as we shared samples (and information) throughout the community. If you need to block this by message pattern, try blocking messages that contain the following:

  • a GIF attachment as attachment 1
  • a password-protected ZIP as attachment 2

That combination has been seeded heavily in the past 12-18 hours. A friend from an email security company says that they’re seeing more hits for this variant than for previous variants.
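As an added illustration of that blocking rule (my own example, not code from the original post), here is a Python gateway check that walks a message’s MIME parts and flags it when attachment 1 is a GIF and attachment 2 is a ZIP whose entries carry the encryption flag (bit 0 of the ZIP general-purpose flag word, which is how password protection is marked). The sample message and archive are constructed inline so it runs offline.

```python
import io
import struct
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

def zip_has_encrypted_entry(data: bytes) -> bool:
    """True if any local file header has general-purpose flag bit 0 (encryption) set."""
    pos = data.find(b"PK\x03\x04")
    while pos >= 0 and pos + 30 <= len(data):  # 30 bytes = fixed local header size
        flags, = struct.unpack_from("<H", data, pos + 6)
        if flags & 0x1:
            return True
        pos = data.find(b"PK\x03\x04", pos + 4)
    return False

def matches_storm_pattern(raw: bytes) -> bool:
    """Gateway rule from the post: attachment 1 is a GIF, attachment 2 a password-protected ZIP."""
    msg = message_from_bytes(raw, policy=policy.default)
    parts = [p for p in msg.walk() if p.get_filename()]  # attachments in MIME order
    if len(parts) < 2:
        return False
    gif, zipped = parts[0], parts[1]
    first_is_gif = gif.get_content_type() == "image/gif" or gif.get_filename().lower().endswith(".gif")
    data = zipped.get_payload(decode=True) or b""
    return first_is_gif and data.startswith(b"PK\x03\x04") and zip_has_encrypted_entry(data)

def make_sample_zip(encrypted: bool) -> bytes:
    """Constructed sample ZIP; with encrypted=True, flag bit 0 is set in local and central headers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("payload.exe", b"MZ constructed placeholder, not a real binary")
    data = bytearray(buf.getvalue())
    if encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):  # local header, central directory
            pos = data.find(sig)
            while pos >= 0:
                data[pos + off] |= 0x1
                pos = data.find(sig, pos + 4)
    return bytes(data)

def build_sample(zip_bytes: bytes) -> bytes:
    """Constructed message in the reported shape: GIF 'body text' first, ZIP second."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.invalid", "b@example.invalid", "constructed sample"
    msg.set_content("")
    msg.add_attachment(b"GIF89a" + bytes(10), maintype="image", subtype="gif", filename="body.gif")
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip", filename="attachment.zip")
    return bytes(msg)
```

Scanning the local headers directly rather than opening the archive with zipfile means a truncated or deliberately malformed ZIP still gets flagged.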

Updated April 13
Links around the net:

  • sandbox analysis in the Anubis system
  • Storm Worm blows up, breaks records, at InfoWorld.
  • Consumer alert: Massive virus outbreak, from PCWorld
  • Malicious worm detected! No, really!, from the Trend Micro blog.
  • Nurech.Z from the PandaLabs blog

2 Responses to “Storm Worm, GIFs, Passwords, Zips and Alerts”

April 25, 2007 at 2:04 pm, Peacomm RARs Its Ugly Head · Security to the Core | Arbor Networks Security Blog said:

[…] Last evening we started seeing a stream of new malware that was a lot like the recent Storm ZIP run on about April 12. All of this malware is related to CME-711. This time we see a few changes: […]

June 29, 2007 at 12:32 pm, You Got Postcard Malware · Security to the Core | Arbor Networks Security Blog said:

[…] If you actually get hit, your box will ping the web server (/aff/cntr.php), then start to download the Peacomm components, like /aff/dir/sony.exe, /aff/dir/logi.exe, and /aff/dir/pdp.exe. I’ve written a bit about The Storm Worm, Peacomm in ZIPs, and Peacomm in RAR files recently. […]
