Storm worm keeps spreading

    Date: 23 Jan 2007
    Category: Hacks/Cracks
    Posted By: Brittany Day
    A Trojan horse that started spreading Friday in emails exploiting concern about European storms continued its advance over the weekend by adopting a wider variety of fake news headlines, according to Finnish antivirus firm F-Secure Corp.

    "The weekend has been very busy with Storm," F-Secure said in its blog. "We have lately discovered new variants that have started to use kernel-mode rootkit techniques to hide their files, registry keys, and active network connections."

    The Trojan is now using the following headlines as email subject lines (spelling reproduced as it appears in the spam) in an attempt to trick recipients into opening the malicious attachment:

  • Russian missle shot down Chinese satellite
  • Russian missle shot down USA aircraft
  • Russian missle shot down USA satellite
  • Chinese missile shot down USA aircraft
  • Chinese missile shot down USA satellite
  • Sadam Hussein alive!
  • Sadam Hussein safe and sound!
  • Radical Muslim drinking enemies' blood
  • U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
  • U.S. Southwest braces for another winter blast. More then 1000 people are dead./
  • Venezuelan leader: "Let's the War beginning"
  • Fidel Castro dead.
  • Hugo Chavez dead

    Footage of F-Secure's computerized world map is available on YouTube. It shows glowing dots dramatically spreading across the map as the malware proliferates across the globe.

    The attackers initially spammed out hundreds of thousands of emails with a subject line that read, "230 dead as storm batters Europe." The emails contain a malicious attachment that will infect the computer if the user opens it.

    Mikko Hypponen, head of research at F-Secure, was amazed by how effectively the bad guys capitalized on breaking news about the storm.

    "What makes this exceptional is the timely nature of the attack," he told the Reuters news agency. He said thousands of computers were affected around the world, mostly private machines. Most users, he told Reuters, won't notice the malware, which is designed to create a back door on the computer that can be used later to steal sensitive data or launch spam runs.

    The malware attack also kept researchers busy at UK-based antivirus firm Sophos, which reported seeing malicious files attached to emails with names such as Full Clip.exe, Full Story.exe, Full Video.exe, Read More.exe, and Video.exe.

    "On average, one in every 200 emails that people have received since midnight [Friday] is likely to be infected by this Trojan horse," Graham Cluley, senior technology consultant for Sophos, said on the company's Web site. "Receiving or reading the emails themselves does not mean that you will be infected. However, users must be very careful not to click on the attached file inside the emails as that will install a Trojan horse on their computer."
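    The practical check the Sophos advice implies is a gateway rule that refuses Windows executables arriving as mail attachments, whatever the subject line says. The script below is an added example written for this page, not code from F-Secure, Sophos or the article; the attachment names it matches are the ones Sophos reported above, while the sample messages, sender and recipient addresses are constructed here (the attachment bodies are a few bytes beginning with the PE "MZ" stub, not real malware).

```python
"""Added example: flag mail carrying a Windows executable attachment.
Attachment names come from the Sophos report in the article; the
messages built below are constructed for the demonstration."""
import email
from email import policy
from email.message import EmailMessage

# Attachment names Sophos saw on the Storm spam runs (from the article).
REPORTED_NAMES = {"Full Clip.exe", "Full Story.exe", "Full Video.exe",
                  "Read More.exe", "Video.exe"}

# Extensions Windows will execute on double-click (assumed policy list).
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def is_pe_payload(data: bytes) -> bool:
    """A Windows PE file starts with the DOS 'MZ' stub whatever name it is
    given, so a renamed Video.exe -> Video.avi still trips this check."""
    return data[:2] == b"MZ"


def scan_message(raw: bytes) -> list[str]:
    """Return the reasons a message should be quarantined ([] if clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if name in REPORTED_NAMES:
            reasons.append(f"attachment name matches reported lure: {name}")
        elif name.lower().endswith(EXEC_EXTENSIONS):
            reasons.append(f"executable attachment: {name}")
        # Content check runs independently of the filename check.
        if is_pe_payload(payload):
            reasons.append(f"PE header in attachment: {name or '<unnamed>'}")
    return reasons


def build_sample(subject: str, attachment_name: str, payload: bytes) -> bytes:
    """Constructed sample message (not a captured Storm email)."""
    msg = EmailMessage()
    msg["From"] = "news@example.com"    # constructed sender
    msg["To"] = "victim@example.com"    # constructed recipient
    msg["Subject"] = subject
    msg.set_content("Full story attached.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return bytes(msg)


if __name__ == "__main__":
    # Lure as described in the article: storm headline plus .exe attachment.
    lure = build_sample("230 dead as storm batters Europe",
                        "Full Story.exe", b"MZ\x90\x00")
    print(scan_message(lure))
    # Same payload renamed to dodge an extension-only filter.
    renamed = build_sample("Video", "Video.avi", b"MZ\x90\x00")
    print(scan_message(renamed))
    # Benign JPEG attachment passes.
    benign = build_sample("Holiday photos", "photo.jpg", b"\xff\xd8\xff\xe0")
    print(scan_message(benign))
```

    The name list alone is brittle (the article shows the attackers rotating subject lines within days), which is why the second check looks at the first bytes of the decoded payload rather than the filename.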
