Sunshine on a stormy day
Friday, July 20. 2007
Storm Worm (aka Peacomm) is presumably one of the most successful bots nowadays. It uses P2P (a modified eDonkey protocol) for communication and has been spreading since February this year. If you take a look at your spam mails, you will find messages informing you about ecards received from various sites, e.g.:
Hi. Friend has sent you an ecard.
See your card as often as you wish during the next 15 days.
SEEING YOUR CARD
If your email software creates links to Web pages, click on your
card's direct www address below while you are connected to the Internet:
http:///?
Or copy and paste it into your browser's "Location" box (where Internet
addresses go).
We hope you enjoy your awesome card.
Wishing you the best,
Postmaster,
postcard.com
The link in the mail sends you to a Storm-infected host. Once you click on the link, you see the following text in your browser:
Your Download Should Begin Shortly. If your download does not start in approximately 15 seconds, you can click here to launch the download.
Besides this text, the web site also contains an obfuscated browser exploit that targets Internet Explorer. If you click on the link on that web site, a file called ecard.exe (the name depends on the current spam run) is installed on your machine. The executable installs a kernel driver, drops an ini-file with a list of initial peers in the Windows folder, and then tries to contact these peers in order to get an updated list of peers. Once the bot is part of the botnet, it receives updates, spam templates, and DDoS commands via the search functionality of the eDonkey protocol. I'll post more about Storm in the next couple of days...
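The lure described above (ecard wording, a link with an empty path, a claimed sender domain that does not match the link host) can be scored heuristically on the mail server. This is an added example, not code from the post or from MW-Blog; the sample mails and the link host are constructed, and the indicator weights are my own assumption.

```python
import re
from urllib.parse import urlparse

# Lure wording quoted in the post (mail body and the landing page text).
LURE_PHRASES = (
    "has sent you an ecard",
    "see your card as often as you wish",
    "your download should begin shortly",
)
# Domain the sample mail claims to come from ("Postmaster, postcard.com").
CLAIMED_SENDER_DOMAINS = ("postcard.com",)

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def score_ecard_lure(body: str) -> dict:
    """Return indicators for a Storm-style ecard lure found in a mail body.

    lure_phrase   - body reuses the lure wording quoted in the post
    bare_link     - a link whose path is only '/' or '/?' (no card id at all)
    host_mismatch - link host differs from the domain the mail claims to be from
    Two or more indicators mark the mail as suspicious (assumed threshold).
    """
    text = body.lower()
    links = URL_RE.findall(body)
    parsed = [urlparse(u) for u in links]
    claims = tuple(d for d in CLAIMED_SENDER_DOMAINS if d in text)
    indicators = {
        "lure_phrase": any(p in text for p in LURE_PHRASES),
        "bare_link": any(p.path in ("", "/") and p.query == "" for p in parsed),
        "host_mismatch": bool(claims)
        and any(not (p.hostname or "").endswith(claims) for p in parsed),
    }
    score = sum(indicators.values())
    return {**indicators, "score": score, "suspicious": score >= 2}


# Constructed samples; the link host is a placeholder, not a real Storm node.
SAMPLE_STORM = """Hi. Friend has sent you an ecard.
See your card as often as you wish during the next 15 days.
http://198.51.100.7/?
Wishing you the best,
Postmaster,
postcard.com
"""
SAMPLE_BENIGN = """Hi Bob,
Your order has shipped. Track it at https://www.example.com/track?id=1234
Thanks, Example Store
"""

if __name__ == "__main__":
    print(score_ecard_lure(SAMPLE_STORM))
    print(score_ecard_lure(SAMPLE_BENIGN))
```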
And to finally get back to the topic of this posting: the fine guys at MW-Blog have just released a removal tool for Storm Worm.