SysChat is a free online computer support community. Ask questions, share resources, contribute knowledge and discuss technology. Join our growing community to access all features. Register Now!

SysChat » Tutorials » Security » The Strom Worm

Security

Guides and tutorials on computer security, antivirus, antispyware, malware, parental control, and privacy protection

Comment
 
LinkBack Tutorial Tools
The Strom Worm

The Strom Worm

Published by DanielGray
08-31-2009

Bug The Strom Worm

The Storm worm uses the backdoor to infiltrate a target system. The threat which according to other reports uses various aliases such as: Small.dam, Trojan.PeaComm, Tibs Trojan, Peed.Trojan, or Downloader-BAI.

This particular threat generally infects private computers within US and Europe. It propagates through e-mails as a spam and uses specific subject to trick the user into opening the e-mail message. According to some reports, this threat was accountable for 8% global infection using these subsequent actions; April Fool’s Day attack, Botnetting and Rootkit.

When the Storm Worm is opened, it automatically establishes a service known as Wincom32, and infuses unwanted applications. It might also download and execute the W32.Mixor.Q@mm worm and Trojan.Abwiz.F. These variants use the following files to trick the user: Postcard.exe, FlashPostcard.exe, eCard.exe, Full Story.exe, ArcadeWorld.exe, ReadMore.exe, FullClip.exe, and GrettingPostCard.exe to name a few. The Storm Worm is resilient that is due to its capability to alter its packing code for every 10 minutes, it utilizes fast flux in able to alter the IP addresses for its control and command server.

The Storm Worm automatically injects a botnet without the control of a server. The contaminated system links to other compromised machine which operates as a host to other threats. The other action used by Strom Worm is the rootkit, which installs an agent into the target system. It patches Windows drivers such as cdrom.sys and tcpip.sys using a codec that loads Strom Worm rootkit driver automatically.

When this threat discovers a target system, it replicates itself onto the system and automatically run its application, making the machine a zombie. The worm adds the following registry keys: HKLM \ Software \ Microsoft \ Windows \ CurrentVersion \ RunServices, and HKLM \ Software \ Microsoft \ Windows \ CurrentVersion \ Run. The Strom Worm inserts the value: \ winnt \ system32\ storm \ start.bat. The Strom Worm will eventually initiate a Denial-of-Service attack against Microsoft, and Email bombing.

According to experts, it is advisable to turn on the firewall to be able to block malicious connections. It is also necessary to implement password policy. This would help limit the damage on compromised system. Remove all unnecessary services. It is highly recommended to maintain the patch level updated. Organize the email server to be able to block EXE, BAT, SCR, VBS and PIF files.

To remove the Storm Worm, delete all files link to the threat. Scan the entire system and remove all contaminated files including the registry values and keys.


Comment




Tutorial Tools

Similar Threads
Tutorial Tutorial Starter Category Comments Last Post
Conflictor C worm WARNING lurkswithin Security 4 04-04-2009 07:26 PM
Re: rar file with worm edlal Computer Security 3 01-16-2007 05:54 PM
New Bagle Email Worm Spreading via Encrypted Zip File Sami News 0 06-22-2006 01:37 AM
Yahoo Messenger worm Installs Unsafe "Safety Browser" Sami News 0 05-22-2006 12:30 AM
Feebs Worm Spreads via email, P2P and More Sami News 0 04-23-2006 01:51 AM

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is on
Smilies are on
[IMG] code is on
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are on



» Ads



1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54