The Storm Worm is back

i'm infected i think, 4 processes 2 say stripshow1,2 2 say virus storm! how on earth did it get there? my mcafee does not detect! but virus total detect with mcafee! help!!!!

 

Probably the rootkit has made your McAfee blind.

 

My guess is that FDISR will catch these constantly changing executables also, because they don't belong in the original archive.

 

All the objects installed by the downloader/dropper will be removed by FD-ISR in the next reboot.

 

"Polymorphic means that the executable is constantly changing".


you mean as opposed to always saying or doing the same thing ?

 

Polymorphic means that each sample of this malware, while doing the same things (installing a rootkit, initiating outbound connections, etc) is different from the code's point of view. New variants are released within minutes of each other having subtle modifications in the code and using a slightly different version of a custom-made runtime packer.
All this work is to bypass generic signatures, heuristics (both static and dynamic) and detection of the special runtime packer. Eventually, they produce samples that pass undetected by all AVs, leaving the user "naked" (i.e. should I click on that link or should I double-click clip.mpg.exe)

 

LOL

 

Now that I updated drw it doesn't detect it anymore, it was Trojan.Packed.262 for a while but nothing after update. That detection was deleted and then corrected when I checked live.drweb.com. Weird

 

Custom packer that allow authors to repack trojan in a polymorphic way from server.
Every X minutes trojan is repacked from server using different keys in a way that almost whole trojan code doesn't look anymore the same.

 

I LOLed.

Yep, that instead of taking some time to actually learn the basics.

 

Hi folks(merry xmas all!)

Possibly something particular to my setup but have any of you seen the rootkit payload recently being deployed ?

The last few evo's for me have dropped the principal exe & config file in the <windir> but the .sys component has gone AWOL....

 

not any more! But updates came in today and virustotal detected with mcafee yesterday! Mcafee obviously does not seem to care about their customers!

 

New wave on the road

 

Happy2008.exe ?

BTW Are you getting beep.sys modification because it's not firing for me despite what i'm reading elsewhere

 

Symantec identifies it as a variant of Trojan.Peacomm.D. Not that I am stupid enough to click on EXE attachments in an email, lol.

 

Got it right, thanks Marco

It's bothersome that such stupid trick is so effective
It also shows you that security-savvy people need few security software
Your Symantec link points to a new reply to this thread LOL

 

Doh!! Dang sinus meds Link fixed

 

The fewer the better

 

I would open it, in the sandbox.

 

@fd....told you sp1 was killin ya!

 

Thanks C

Upgrade now in progress...

Sp2 has landed

 

another new variant, 2nd today

 

Yea I just downloaded a new varient. Detected as Rootkit.gen by Antivir, Spambot origin by Dr Web. Missed by KAV but I have sent on a sample on to them (Although sure they will get it from VirusTotal)

Anyone know if the proactive defense in KAV 7 protects against this if missed by heuristics?

Cheers. Jlo

Merry Christmas!

 

Now detected by KAV as backdoor.win32.agent.

Also I asked the question regarding Proactive defense at the KAV forum and am told KAV would stop the storm varients being installed if a user clicked on the file. Good to know!

Cheers

Jlo

 

hmmm, stormlaunchers website seems to have changed after christmas! there is no mrs clause any more.