The Storm Worm is back

Discussion in 'malware problems & news' started by Malcontent, Dec 24, 2007.

Thread Status:
Not open for further replies.
  1. Malcontent

    Malcontent Registered Member

    Joined:
    Dec 30, 2005
    Posts:
    451
    Location:
    Cleveland, Ohio USA
    http://asert.arbornetworks.com/2007/12/storm-is-back-dude/

    http://www.disog.org/2007/12/stormworm-is-back-have-merry-christmas.html
     
    Last edited by a moderator: Dec 24, 2007
  2. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    It never really went away. The botnet is more or less active, or so I've heard.

    Most major vendors have updated bases by now; shame on Eset, though. ThreatFire, as usual, stops this thing dead cold without having to wait for updates.
     

    Attached Files:

    • tf.PNG (27.9 KB)
  3. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    avast! and AntiVir have been detecting it too for quite some time now...
     
  4. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,696
    Hello,
    Why would anyone want to open a file called stripshow.exe?
    Mrk
     
  5. Joliet Jake

    Joliet Jake Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    911
    Location:
    Scotland
    'tis the season to be jolly? :D
     
  6. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    People open anything as long as it's attached to an e-mail message...
    That's a known fact...
     
  7. gates

    gates Registered Member

    Joined:
    Sep 2, 2005
    Posts:
    59
  8. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
  9. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    Nah, can't imagine why any young str8 male would want to open that! (lol)
     
  10. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,012
    Location:
    on my zx10-r
    Hmm, I see no mention on Kaspersky's site yet...
     
  11. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    stripshow.exe = unauthorized executable.
     
  12. dan_maran

    dan_maran Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    1,053
    Location:
    Stamford, CT
    Nice to see they left the credits in the snow script! HAHAHA

     
  13. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,408
    Nice to know. :)

    Good point. :D

    Exactly. :cool:
     
  14. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
  15. risl

    risl Registered Member

    Joined:
    Dec 8, 2006
    Posts:
    581
    Dr.Web detects it under name Trojan.Packed.262
     
  16. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    And a suspicious attachment that you shouldn't open. Probably it's distributed in spam, which should be deleted as soon as it's received.
    Layers of security before the security software ;)
     
  17. plantextract

    plantextract Registered Member

    Joined:
    Feb 13, 2007
    Posts:
    392
    They detect it. The latest one I tried: Email-Worm.Win32.Zhelatin.pd
     
  18. rayoflight

    rayoflight Registered Member

    Joined:
    Jun 8, 2006
    Posts:
    180
    ThreatFire free or paid?
     
  19. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Both. The paid version shares the same behaviour-blocking engine with the free version.
     
  20. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    The new one is just detected by their heuristic engine :)

    They are releasing so many variants; it's quite difficult to get rid of them because of their polymorphic layer.
     
  21. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Polymorphic layer = custom-made packer?
     
  22. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    Seems unlikely. During the last big outbreak of Storm/Nuwar, NOD32 was heuristically detecting all the ones I came across. I submitted some that I found that weren't detected, and these were damaged files that were detected by other AVs.
     
  23. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I wonder if a polymorphic layer is a problem for FDISR, because FDISR works differently than other ISR software.
    FDISR adds, removes and replaces objects to undo changes.
     
  24. ASpace

    ASpace Guest

    The last Nuwar/Storm page
     

  25. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Polymorphic means that the executable is constantly changing, which makes it hard for virus labs to write signatures that catch all the variants.
     