If you haven’t heard already there’s an old worm in town with several new variants. This is not w32.storm.wrom, so don’t get all confused by the name. As per some recent articles, here is just how naughty this little worm is (my comments in RED):
The “Official” Definition:
1st The Wiki: The Storm Worm (dubbed so by Finnish company F-Secure, alias: Trojan-Downloader.Win32.Small.dam, Trojan.Downloader-647, Trojan.DL.Tibs.Gen!Pac13[1]; other names, given by antivirus vendors: Downloader-BAI (McAfee), Troj/Dorf-Fam (Sophos), Trojan.Peacomm (Symantec), TROJ_SMALL.EDW or CME-711 (Trend Micro), Win32/Nuwar.N@MM!CME-711 (Windows Live OneCare)) is a backdoor[2][3] Trojan horse, identified as Small.dam,[1][4][5] discovered on January 17, 2007.[1] The Storm Worm infected thousands of computers (mostly private) in Europe and the United States on Friday, January 19, 2007 using a topical e-mail message with the subject “230 dead as storm batters Europe”.[6][7] During the weekend there were six subsequent waves of the attack.[8] As of Monday, January 22, the Storm Worm accounted for 8% of all infections globally.[9]
[...]
When an attachment is opened(!not anymore! see the Information Week article below), the malware installs the wincom32 service, and injects a payload, passing on packets to destinations encoded within the malware itself. According to Symantec, it may also download and run the Trojan.Abwiz.F trojan, and the W32.Mixor.Q@mm worm.[11]
2nd Symantec:
Discovered: January 19, 2007
Updated: January 19, 2007 6:52:29 PM
Also Known As: Small.DAM [F-Secure], CME-711 [Common Malware Enumeration], Troj/Dorf-Fam [Sophos], Downloader-BAI!M711 [McAfee], TROJ_SMALL.EDW [Trend], W32/Tibs [Norman], Troj/Dorf-J [Sophos]
Type: Trojan
Infection Length: 29,347 bytes; 30,720 bytes; 32,387 bytes; 34,816 bytes (varies)
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Trojan.Peacomm is a Trojan horse that
drops a driver program file to download another program(AGAIN !not anymore! see IW article below). It is reportedly attached to spammed email. It may also be dropped by W32.Mixor.Q@mm.
The Kinda Old News:
For 24 hours in mid-January, stock-fraud investigation site StockPatrol disappeared from the Internet, overwhelmed by a massive flood of Web requests coming from thousands of sources.
[...] Highlighting another trend, bot nets created with the program use peer-to-peer communication to make shutting down the illicit networks much more difficult. Typically, bot nets last no more than a day after their command-and-control server is identified. The peer-to-peer component of the Storm Worm enables its bot nets to reconstitute themselves after the central server is taken down. (SecurityFocus 2007-02-16)
The New..ish News:
Storm worm authors are blasting the Internet with two types of attacks ( mainly spam: e-Cards and Phoney Virus Alerts), and both are aimed at building up their botnet.
[...] The viruses are not embedded in the e-mails or in attachments. The e-mails, many of them otherwise empty, contain a link to a compromised Web site where machines are infected with a generic downloader. (TOLD YA. NOTE THE BIG CHANGE IN TACTICS. No malware in the e-mail, means no virus filtering problem.) This helps pull the computers into the malware authors’ growing botnet, while also leaving them open for further infection at a later date. (InformationWeek 2007-07-24)
The Latest: In all honesty, who knows? However…
An interesting happening this week, some ISP’s have been jacking the DNS entries for certain IRC networks to crack down on zombie/bot infections. (Darknet: TimeWarner DNS Hijacking IRC Servers to Stop DDoS Attacks)
Read that whole article from Darknet and you’ll get my drift. I see a connection between ISP’s trying to block “zombie/bot infections” and the last I heard on storm.worm varients.
Anyway, its obvious that whoever is running this game must be hell bent on something, but what?
I will keep everyone updated and post the source code for all the related malware to the “Storm Worm” as soon as I can find it. If you happen to find it before me, please post a link in the comments.
Peace
I Just came accross this site, http://www.freebieSMS.co.uk , and it seems to offer free SMS messages, for the UK at least, has anyone ever used them?
http://www.thecoolnews.org
Is the best site for all the tips and tricks u ever dreamt off.
[...] To Say I Told You So… 8 10 2007 Anyone remember this article I wrote back in July: STORM WORM: LARGEST ATTACK IN TWO YEARS, BUT WHY? Well, it looks like I was correct in being concerned that the Storm Worm and its resulting botnets [...]
[...] STORM WORM: LARGEST ATTACK IN TWO YEARS, BUT WHY? [...]
lol azag dya realise that there is a good chance that the authors learnt sum virus making off your site
tboy1337 – Sadly, Yes I’m sure at least a few authors gathered intel off my site and at the very least might have learned some new tricks if they did their homework or whatever. ;-P It seems pretty feasible in theory so I’m going to guess chances are good it did happen on at least a few occasions. Then again, some have also thanked me for finding info to help them learn a programming language for college/university classes, so many positive things also happen as well. Funnier fact is it went full circle now some of these storm worm infected machines are trying to probe my site although very unsuccessfully. I am not respondsible for the actions [whether bad or good] of my visitors.
I haven’t seen any authors mention it but I think that is for the best. I don’t want know troubles lol. I tell people never to spread such creations whether their own or the inventions of others. Don’t mess up the internet for others kids. Remember it’s made up of a delicate series of tubes. 
heheh
I have no way of telling what viruses or authors may have been spawned by visitors but I really don’t want to know.
I also wish people would use stop thinking I’m a backdoored server trying to run C99shell(s) off my site. They are there to download I’m not running PHP based server you silly bastards. Some people got to be a little slow if they think I would put up code, apps or exploits that I’m vulnerable too on my site. Come on people think a bit before you leap from f*cks sake. Take note of the section title if you read english (or can translate it) and most would assume it is fairly obvious I am not some hijacked server or one left with a backdoor hanging wide open as it were.
- Azag
http://www.productreview.com.au/?a_aid=2006f0ef
enforcible illumine hysteralgia pseudoliberal unequilibrated staggy tautomeric undern
Amish men plead guilty to dealing drugs
http://cnn.com/2003/WORLD/europe/11/05/germany.shootdown.ap/