The Storm Worm is back

Discussion in 'malware problems & news' started by Malcontent, Dec 24, 2007.

Thread Status:
Not open for further replies.
  1. Malcontent

    Malcontent Registered Member

    Joined:
    Dec 30, 2005
    Posts:
    606
    Location:
    Cleveland, Ohio USA
    http://asert.arbornetworks.com/2007/12/storm-is-back-dude/

    http://www.disog.org/2007/12/stormworm-is-back-have-merry-christmas.html
     
    Last edited by a moderator: Dec 24, 2007
  2. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    It never really went away. The botnet is more or less active, or so I've heard.

    Most major vendors have updated bases by now; shame on Eset, though. ThreatFire, as usual, stops this thing dead cold without having to wait for updates.
     

    Attached Files:

    • tf.PNG
  3. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    avast! and AntiVir have been detecting it too for quite some time now...
     
  4. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,213
    Hello,
    Why would anyone want to open a file called stripshow.exe?
    Mrk
     
  5. Joliet Jake

    Joliet Jake Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    911
    Location:
    Scotland
    'tis the season to be jolly? :D
     
  6. RejZoR

    RejZoR Lurker

    Joined:
    May 31, 2004
    Posts:
    6,426
    People open anything as long as it's attached to an e-mail message...
    That's a known fact...
     
  7. gates

    gates Registered Member

    Joined:
    Sep 2, 2005
    Posts:
    59
  8. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
  9. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    Nah, can't imagine why any young str8 male would want to open that! (lol)
     
  10. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,102
    Location:
    on my zx10-r
    hmm i see no mention on kaspersky's site yet...
     
  11. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    stripshow.exe = unauthorized executable.
     
  12. dan_maran

    dan_maran Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    1,053
    Location:
    98031
    Nice to see they left the credits in the snow script! HAHAHA

     
  13. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,782
    Nice to know. :)

    Good point. :D

    Exactly. :cool:
     
  14. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
  15. risl

    risl Registered Member

    Joined:
    Dec 8, 2006
    Posts:
    581
    Dr.Web detects it under the name Trojan.Packed.262
     
  16. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    And a suspicious attachment that you shouldn't open. Probably, it's distributed in spam which should be deleted as soon as it's received.
    Layers of security before the security software ;)
     
  17. plantextract

    plantextract Registered Member

    Joined:
    Feb 13, 2007
    Posts:
    392
    they detect it. the latest one i tried: Email-Worm.Win32.Zhelatin.pd
     
  18. rayoflight

    rayoflight Registered Member

    Joined:
    Jun 8, 2006
    Posts:
    180
    ThreatFire free or paid?
     
  19. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Both. The paid version shares the same behavior-blocking engine with the free version.
     
  20. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    New one is just detected by their heuristic engine :)

    They are releasing so many variants, it's quite difficult to get rid of them because of their polymorphic layer.
     
  21. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Polymorphic layer = custom-made packer?
     
  22. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    Seems unlikely. During the last big outbreak of Storm/Nuwar, NOD32 was heuristically detecting all the ones I came across. I submitted some that I found that weren't detected, and these were damaged files that were detected by other AVs.
     
  23. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I wonder if a polymorphic layer is a problem for FDISR, because FDISR works differently than other ISR software.
    FDISR adds, removes and replaces objects to undo changes.
     
  24. ASpace

    ASpace Guest

    The last Nuwar/Storm page
     

  25. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Polymorphic means that the executable is constantly changing, giving virus labs a hard time making signatures to catch all the variants.
     