SysChat

SysChat (http://www.syschat.com/forum.php)
-   Security (http://www.syschat.com/tutorials/security/)
-   -   The Strom Worm (http://www.syschat.com/the-strom-worm-4912.html)

DanielGray 08-31-2009 10:34 PM
The Strom Worm
 
The Storm worm uses the backdoor to infiltrate a target system. The threat which according to other reports uses various aliases such as: Small.dam, Trojan.PeaComm, Tibs Trojan, Peed.Trojan, or Downloader-BAI.

This particular threat generally infects private computers within US and Europe. It propagates through e-mails as a spam and uses specific subject to trick the user into opening the e-mail message. According to some reports, this threat was accountable for 8% global infection using these subsequent actions; April Fool’s Day attack, Botnetting and Rootkit.

When the Storm Worm is opened, it automatically establishes a service known as Wincom32, and infuses unwanted applications. It might also download and execute the W32.Mixor.Q@mm worm and Trojan.Abwiz.F. These variants use the following files to trick the user: Postcard.exe, FlashPostcard.exe, eCard.exe, Full Story.exe, ArcadeWorld.exe, ReadMore.exe, FullClip.exe, and GrettingPostCard.exe to name a few. The Storm Worm is resilient that is due to its capability to alter its packing code for every 10 minutes, it utilizes fast flux in able to alter the IP addresses for its control and command server.

The Storm Worm automatically injects a botnet without the control of a server. The contaminated system links to other compromised machine which operates as a host to other threats. The other action used by Strom Worm is the rootkit, which installs an agent into the target system. It patches Windows drivers such as cdrom.sys and tcpip.sys using a codec that loads Strom Worm rootkit driver automatically.

When this threat discovers a target system, it replicates itself onto the system and automatically run its application, making the machine a zombie. The worm adds the following registry keys: HKLM \ Software \ Microsoft \ Windows \ CurrentVersion \ RunServices, and HKLM \ Software \ Microsoft \ Windows \ CurrentVersion \ Run. The Strom Worm inserts the value: \ winnt \ system32\ storm \ start.bat. The Strom Worm will eventually initiate a Denial-of-Service attack against Microsoft, and Email bombing.

According to experts, it is advisable to turn on the firewall to be able to block malicious connections. It is also necessary to implement password policy. This would help limit the damage on compromised system. Remove all unnecessary services. It is highly recommended to maintain the patch level updated. Organize the email server to be able to block EXE, BAT, SCR, VBS and PIF files.

To remove the Storm Worm, delete all files link to the threat. Scan the entire system and remove all contaminated files including the registry values and keys.


All times are GMT -4. The time now is 07:28 PM.


Copyright © 2005-2013 SysChat.com


1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54