by Jose Nazario
More Detailed Analysis @ ARBOR Networks
The Storm Worm is back, this time it's got a Christmas theme. Who knew that it would take them so long to do this? Here's a sample mail:
Date: Sun, 23 Dec 2007 21:19:19 -0500
Subject: Find Some Christmas Tail
got a sec?
Winter can be cold. I bet you could use a little something to warm you
up. Take 2 min out of your day. You wont regret it. ;-)
That domain, merrychristmasdude.com, has a bunch of nameservers and a lot of IPs associated with it - Fast Flux!
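The fast-flux observation about merrychristmasdude.com is the kind of thing a defender can score automatically from resolver logs or passive DNS. The following is an added example, not code from the original post or from Arbor: it applies a simple fast-flux heuristic (many distinct IPs across several /24s, short TTLs, high turnover between successive answers) to constructed resolution snapshots. The addresses (RFC 5737 documentation ranges), TTLs, NS names and the thresholds are all assumptions for illustration.

```python
from ipaddress import ip_network

# Constructed observations (not data from the post): three successive
# resolutions of merrychristmasdude.com a few minutes apart, as a resolver
# log or passive-DNS export might record them. Addresses come from the
# RFC 5737 documentation ranges and the NS names are placeholders.
STORM_OBSERVATIONS = [
    {"ttl": 30,
     "a": ["192.0.2.10", "198.51.100.7", "203.0.113.22", "192.0.2.77", "198.51.100.150"],
     "ns": ["ns1.example.invalid", "ns2.example.invalid"]},
    {"ttl": 30,
     "a": ["203.0.113.9", "192.0.2.77", "198.51.100.201", "203.0.113.150", "192.0.2.140"],
     "ns": ["ns2.example.invalid", "ns3.example.invalid"]},
    {"ttl": 30,
     "a": ["198.51.100.7", "203.0.113.61", "192.0.2.200", "198.51.100.88", "203.0.113.9"],
     "ns": ["ns1.example.invalid", "ns4.example.invalid"]},
]

# Constructed contrast case: an ordinary domain with two fixed addresses,
# long TTLs and the same two nameservers every time.
STABLE_OBSERVATIONS = [
    {"ttl": 3600, "a": ["192.0.2.5", "192.0.2.6"], "ns": ["ns1.stable.invalid", "ns2.stable.invalid"]},
    {"ttl": 3600, "a": ["192.0.2.5", "192.0.2.6"], "ns": ["ns1.stable.invalid", "ns2.stable.invalid"]},
    {"ttl": 3600, "a": ["192.0.2.5", "192.0.2.6"], "ns": ["ns1.stable.invalid", "ns2.stable.invalid"]},
]


def summarize(observations):
    """Collect the features a fast-flux heuristic looks at.

    Returns the number of distinct A records seen overall, how many /24
    prefixes they span, the number of distinct NS names, the smallest TTL
    and the mean fraction of addresses that are new in each answer
    compared with the previous one (the "churn").
    """
    all_ips, all_ns, prefixes, churn = set(), set(), set(), []
    previous = None
    for snap in observations:
        current = set(snap["a"])
        all_ips |= current
        all_ns |= set(snap["ns"])
        prefixes |= {str(ip_network(ip + "/24", strict=False)) for ip in current}
        if previous is not None:
            churn.append(len(current - previous) / len(current))
        previous = current
    return {
        "unique_ips": len(all_ips),
        "unique_prefixes": len(prefixes),
        "unique_ns": len(all_ns),
        "min_ttl": min(snap["ttl"] for snap in observations),
        "mean_churn": sum(churn) / len(churn) if churn else 0.0,
    }


def is_fast_flux(observations, min_ips=5, max_ttl=300, min_prefixes=3, min_churn=0.5):
    """Assumed thresholds: flag a domain that hands out many addresses with
    short TTLs and either spreads them across several networks or rotates
    most of them between answers. Tune the numbers to your own data."""
    features = summarize(observations)
    many_ips = features["unique_ips"] >= min_ips
    short_ttl = features["min_ttl"] <= max_ttl
    spread = (features["unique_prefixes"] >= min_prefixes
              or features["mean_churn"] >= min_churn)
    return many_ips and short_ttl and spread


if __name__ == "__main__":
    for name, obs in (("storm", STORM_OBSERVATIONS), ("stable", STABLE_OBSERVATIONS)):
        print(name, summarize(obs), "fast-flux" if is_fast_flux(obs) else "normal")
```

On the constructed Storm snapshots the heuristic sees twelve distinct addresses across three /24s, four nameservers, a 30-second TTL and about 80% turnover between answers, so it flags the domain; the stable contrast domain is not flagged. In practice you would feed it real resolver or passive-DNS records and lower the churn threshold for CDN-hosted domains, which also rotate addresses but usually within a small number of well-known prefixes.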
An infected host will drop the file:
And store the peer list in:
A pair of randomly chosen ports - one TCP and one UDP - will be opened.
It will lower the host firewall and add a registry entry so that the firewall exception it grants itself is permanent.
After that, the usual Storm worm mayhem begins.
AV detection for this sample is pretty modest at this point.
Additional analysis over @ Digital Intelligence and Strategic Operations Group