Storm of the Day (Welcome Member)
Update2: We got a request to explain what will happen if a user clicks on the link. The user will see a web page with one line:
"If you do not see the Secure Login Window please install our Secure Login Applet."
This web page appears to attempt to exploit an older media player (WinAmp) exploit as well as attempting to trick the user into downloading the virus.
As an update to the virustotal result below: Anti malware vendors are rolling out speical updates for this latest version of Storm. I would expect that all the major vendors have one by now, that may actually be useful until the next version is released in a couple days.
Bleedingthreats has a special set of signatures to detect Storm
http://www.bleedingthreats.net/index.php/2007/08/19/storm-worm-dns-and-c-updated-daily/
Update: A reader noted that the binary changes every 30 minutes. Like prior storm versions, we expect that it will justrepack itself.
And a quick warning: Portscanning and excessive downloads from infected machines has lead to rather nasty DDoS attacks in the past. So you may want to watch for that as you investigate.
Headers from the storm web server:
HTTP/1.1 200 OK
Server: nginx/0.5.17
Date: Tue, 21 Aug 2007 04:31:54 GMT
Content-Type: application/octet-stream
Content-Length: 114590
Connection: close
Accept-Ranges: bytes
They all appear to use the 'nginx' web server. But this is a legit (small / high performance) web server, so a signature based on it may be too generic. If you want to try:
alert tcp any 80 -> $HOME_NET any ( msg: "Storm Worm"; sid: 10001234; content: "|0D 0A|Server|3A| nginx/0.5.17|0D 0A|"; offset: 15; depth: 60;)
-------------------------------
Looks like Storm moved to a new mutation. The e-mails are now inviting users to become members in various "clubs". Here is a sample I just got:
Subject: Login Information
Dear Member,
Are you ready to have fun at CoolPics.
Account Number: 73422529174753
Your Temp. Login ID: user3559
Temorary Password: jz438
Please Change your login and change your Login Information.
This link will allow you to securely change your login info: http://a.b.c.d/
Thank You,
New Member Technical Support
CoolPics
I have seen about a dozen different once so far. They are all "confirmations" in this style to various web sites. The web page offers again an "applet.exe" for download.
In short: We don't need to enumerate variants of the e-mail message. If you are brave and know what you are doing, download the applet.exe and try to reverse it (not easy typically). Thunderbird warned me that the link is a scam. (I think it does so for all numeric IP links).
My copy of applet.exe was about 114 kB large. While many AV scanners detect it as "evil" based on heuristic signatures, some well known scanners don't (maybe Virustotal is running them without heuristic turned on, or they just don't do it)
IMHO: this is a lost cause. People are either infected or they know how to protect themselves.
(From virustotal.com)
File applet.exe received on 08.21.2007 05:21:50 (CET)
Current status: finished
| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| AhnLab-V3 | 2007.8.21.0 | 2007.08.21 | - |
| AntiVir | 7.4.1.62 | 2007.08.20 | WORM/Zhelatin.Gen |
| Authentium | 4.93.8 | 2007.08.20 | Possibly a new variant of W32/Fathom.2-based!Maximus |
| Avast | 4.7.1029.0 | 2007.08.20 | - |
| AVG | 7.5.0.484 | 2007.08.20 | Downloader.Tibs.7.D |
| BitDefender | 7.2 | 2007.08.21 | Trojan.Peed.IFS |
| CAT-QuickHeal | 9.00 | 2007.08.20 | (Suspicious) - DNAScan |
| ClamAV | 0.91 | 2007.08.21 | Trojan.Small-3614 |
| DrWeb | 4.33 | 2007.08.20 | Trojan.Packed.142 |
| eSafe | 7.0.15.0 | 2007.08.20 | Suspicious Trojan/Worm |
| eTrust-Vet | 31.1.5076 | 2007.08.21 | Win32/Sintun.AC |
| Ewido | 4.0 | 2007.08.20 | - |
| FileAdvisor | 1 | 2007.08.21 | - |
| Fortinet | 2.91.0.0 | 2007.08.21 | - |
| F-Prot | 4.3.2.48 | 2007.08.20 | W32/Fathom.2-based!Maximus |
| F-Secure | 6.70.13030.0 | 2007.08.21 | - |
| Ikarus | T3.1.1.12 | 2007.08.20 | - |
| Kaspersky | 4.0.2.24 | 2007.08.21 | - |
| McAfee | 5101 | 2007.08.20 | - |
| Microsoft | 1.2803 | 2007.08.21 | Worm:Win32/Nuwar.gen |
| NOD32v2 | 2472 | 2007.08.21 | - |
| Norman | 5.80.02 | 2007.08.20 | - |
| Panda | 9.0.0.4 | 2007.08.19 | - |
| Prevx1 | V2 | 2007.08.21 | - |
| Rising | 19.36.60.00 | 2007.08.19 | - |
| Sophos | 4.20.0 | 2007.08.12 | - |
| Sunbelt | 2.2.907.0 | 2007.08.21 | VIPRE.Suspicious |
| Symantec | 10 | 2007.08.21 | Trojan.Packed.13 |
| TheHacker | 6.1.8.171 | 2007.08.20 | - |
| VBA32 | 3.12.2.2 | 2007.08.21 | - |
| VirusBuster | 4.3.26:9 | 2007.08.20 | - |
| Webwasher-Gateway | 6.0.1 | 2007.08.21 | Worm.Zhelatin.Gen |
| Additional information |
|---|
| File size: 114623 bytes |
| MD5: 7d2dacd867a50e467d6a2a8eedd28e51 |
| SHA1: 73a4a9317c5c12318ae32f7d6819f93c13d72ad0 |
| Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics. |
(I replaced the numeric IP address with 'a.b.c.d')
| Application Security: Securing Web Apps, APIs, and Microservices | Washington | Jul 14th - Jul 19th 2025 |
Comments