Latest Storm Variant Dude!


  • Please log in to reply
No replies to this topic

#1 TeMerc

    Countermeasures Team Leader

  • Malware Response Team
  • 215 posts
  • Location: PHX., AZ.

Posted 23 December 2007 - 10:38 PM

Posted on Sunday, December 23rd, 2007
by Jose Nazario

The Storm Worm is back, this time it's got a Christmas theme. Who knew that it would take them so long to do this? Here's a sample mail:

Date: Sun, 23 Dec 2007 21:19:19 -0500
From: geneoldham[at]usmint.treas.gov
To: ---
Subject: Find Some Christmas Tail

got a sec?

Winter can be cold. I bet you could use a little something to warm you
up. Take 2 min out of your day. You wont regret it. ;-)
hxxp://merrychristmasdude.com/

That domain, merrychristmasdude.com, has a bunch of nameservers and a lot of IPs associated with it - Fast Flux!

An infected host will drop the file:
C:\WINDOWS\disnisa.exe
And store the peerlist in:
C:\WINDOWS\disnisa.config

A pair of randomly chosen ports - one TCP and one UDP - will be opened.

It will lower the firewall and add a registry entry to make sure that firewall permission is permanent.

After that, the usual Storm worm mayhem begins.

AV detection for this sample is pretty modest at this point.

More Detailed Analysis @ ARBOR Networks

Additional analysis over @ Digital Intelligence and Strategic Operations Group
Calendar of Updates
Malware Advisor Blog
HijackThis! Trusted Advisor
Ultimate Countermeasures Page
TeMerc Internet Countermeasures
Remember, you can NEVER be OVERPROTECTED!!!
Proud Member of the Alliance of Security Analysis Professionals
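The post calls merrychristmasdude.com "Fast Flux" because of its many nameservers and IPs. The following is an added example, not code from the post or from Arbor's analysis, of a small heuristic a defender can run over repeated DNS lookups of one hostname to score that behaviour: it assumes a `DnsAnswer` record per lookup and a `fast_flux_score` function whose thresholds (TTL, distinct IPs, /16 prefixes, churn) are arbitrary choices for this example, and the lookups at the bottom are constructed with made-up addresses.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class DnsAnswer:
    """One A-record answer set for the hostname, observed at a point in time."""
    observed_at: int        # seconds since start of observation
    ttl: int                # TTL the resolver returned for the records
    ips: tuple[str, ...]    # IPv4 addresses in the answer section


def fast_flux_score(answers, ttl_max=300, min_distinct_ips=10, min_prefixes=5):
    """Score a series of lookups for fast-flux traits; return (flagged, details).

    One point each for: short TTLs (victims re-resolve often), many distinct IPs,
    IPs spread over many /16 prefixes (no single hosting provider), and a high
    rate of change between consecutive answers. Two or more points flag the name.
    Thresholds are assumptions chosen for this example, not published values.
    """
    if not answers:
        raise ValueError("need at least one answer set")
    ordered = sorted(answers, key=lambda a: a.observed_at)
    all_ips = {ip_address(ip) for a in ordered for ip in a.ips}
    if any(ip.version != 4 for ip in all_ips):
        raise ValueError("example handles IPv4 A records only")
    prefixes = {ip_network(f"{ip}/16", strict=False) for ip in all_ips}
    changes = sum(1 for prev, cur in zip(ordered, ordered[1:])
                  if set(prev.ips) != set(cur.ips))
    churn = changes / max(len(ordered) - 1, 1)   # fraction of lookups that changed
    max_ttl = max(a.ttl for a in ordered)
    traits = {
        "short_ttl": max_ttl <= ttl_max,
        "many_ips": len(all_ips) >= min_distinct_ips,
        "many_prefixes": len(prefixes) >= min_prefixes,
        "high_churn": churn >= 0.5,
    }
    details = {"distinct_ips": len(all_ips), "prefixes": len(prefixes),
               "max_ttl": max_ttl, "churn": round(churn, 2), **traits}
    return sum(traits.values()) >= 2, details


# Constructed sample lookups (made-up addresses, not real Storm indicators):
# a fluxing name answers with five fresh hosts every 60 seconds ...
FLUX_LOOKUPS = [
    DnsAnswer(t, 60, tuple(f"10.{5 * i + k}.0.{7 + k}" for k in range(1, 6)))
    for i, t in enumerate((0, 60, 120))
]
# ... while a conventionally hosted name keeps the same two records for an hour.
STABLE_LOOKUPS = [DnsAnswer(t, 3600, ("192.0.2.10", "192.0.2.11")) for t in (0, 3600)]
```

Feeding real resolver output in requires only filling `DnsAnswer` from each lookup's answer section and TTL; the scoring itself needs no network access.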
