Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: InfoSec Handlers Diary Blog - New Storm Worm Going around InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

New Storm Worm Going around

Published: 2007-04-12
Last Updated: 2007-04-12 20:54:39 UTC
by Joel Esler (Version: 10)
0 comment(s)
We've received a bunch of emails in the past few minutes indicating the possible presence of a new Worm.

We are being told that it is a "Nuwar/Zhelatin" virus with Virtual Machine detection capabilities.  Basically looks like a rehash of the same ol' Storm worm.

Apparently it indicates itself as a "Patch" for the "New worm" that is going around (whatever that may be, there are just so many I could choose from!)

The Subject of the email (that we have seen so far) say:
"Worm Alert!"
"Worm Detected"
"Virus Alert"
"Trojan Detected!"
"Worm Activity Detected!"
"Spyware Detected!"
"Dream of You"
"Virus Activity Detected!"

It has two attachments, one being an image with 'panic-worded text', and the other is a password protected zip file, whose password is revealed in the image.

The zip file appears to be named:
"patch-<random 4 or 5 digit number>.zip"
"bugfix-<random 4 or 5 digit number>.zip"
"hotfix-<random 4 or 5 digit number>.zip"
"removal-<random 4 or 5 digit number>.zip"

(Thanks Jesper for the updates!)

Thanks everyone for writing in!

Joel Esler
Handler of the Day
0 comment(s)
Diary Archives