Silicon Valley - Public Access Link

Storm Trojan

Storm Email Trojan

The Storm email trojan (sometimes referred to as a worm or virus) is distributed via email and tries to lure users into clicking a link that downloads the trojan onto their computer. Unlike most previous viruses, worms and trojans, the Storm worm is not part of the email message, but is instead stored on infected web sites. This means that simply scanning the email for the trojan does not work. Many anti-virus scanners have adapted to this technique by providing the option to scan links in email before they are downloaded. However, the Storm trojan evades this by mutating itself on a regular basis. This leaves all the anti-virus scanning products playing catch-up and leaves users vulnerable for hours or days at a time.
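To illustrate the point above, here is an added example (not part of the original page) that parses a link-only message and lists what an attachment scanner and a link scanner would each have to work with. The sample message, the example.invalid addresses and the function name triage are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample of a link-only lure (membership theme from the advisory).
# example.invalid is a reserved placeholder domain, not a real indicator.
SAMPLE = """\
From: membership@example.invalid
To: user@example.invalid
Subject: Membership Details
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Your temporary login ID and password are ready. Log in to change them:
http://members.example.invalid/login

--b1
Content-Type: text/html; charset="us-ascii"

<html><body><a href="http://members.example.invalid/login">Log in</a></body></html>
--b1--
"""

URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)

def triage(raw: str) -> dict:
    """List what an attachment scanner and a link scanner would each see."""
    msg = message_from_string(raw)
    attachments, urls = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename() or part.get_content_disposition() == "attachment":
            attachments.append(part.get_filename() or "(unnamed)")
        elif part.get_content_type() in ("text/plain", "text/html"):
            body = part.get_payload(decode=True) or b""
            text = body.decode(part.get_content_charset() or "utf-8", "replace")
            for url in URL_RE.findall(text):
                url = url.rstrip(".,)")
                if url not in urls:
                    urls.append(url)
    # link_only: nothing for an attachment scanner, so the links must be checked
    return {"attachments": attachments, "urls": urls,
            "link_only": bool(urls) and not attachments}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A message flagged link_only gives an attachment scanner nothing to inspect, so any verdict has to come from checking the extracted links at the time they are fetched.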

US-CERT Advisory

Several New Storm Worm Trojan Propagation Techniques

added August 21, 2007 at 03:58 pm

US-CERT is aware of several new propagation techniques being used by the Storm Worm Trojan to spread. The new variants arrive as either an email message claiming to contain a link to adult pictures, or as credentials for a membership-based website, asking you to log in to change your temporary ID and password. The messages contain links to malicious websites that, when visited, install malware on the user's system.

US-CERT urges users and administrators to take the following preventative measures to mitigate the security risks:

Vulnerable Systems

This worm only affects users running Windows 95, 98, NT, Me, 2000, XP, and possibly Vista.

Impact

This trojan downloads and installs other malware that enlists your computer into a botnet. This botnet is used to send spam, host malware and engage in other malicious activity.

What to Look For

The trojan arrives in email. An example of one seen on SVPAL:

Note that the exact message varies but follows this form. Expect this trojan to mutate in order to keep tricking users into installing it.

Solutions

See Microsoft's Windows Update web site for easy updating of your Microsoft software. Install a virus scanner to provide additional protection. You may need to start your computer in safe mode to successfully run your virus scanner. Check your virus software documentation for details on how to scan and remove virus infections.

For more information

Check the CERT Coordination Center for more information on this worm, or check SVPAL's virus page for more general virus protection information.


Contact Silicon Valley Public Access Link
Last updated: August 22, 2007