|
:''For information on the botnet composed of machines infected with this worm, see Storm botnet.'' The Storm Worm (dubbed so by the Finnish company F-Secure) is a backdoor Trojan horse that affects computers using Microsoft operating systems,〔〔According to Symantec, which detected it as Trojan.Packed.8. LiveUpdate definitions also identified it as Trojan.Peacomm〕 discovered on January 17, 2007.〔 The worm is also known as: * Small.dam or Trojan-Downloader.Win32.Small.dam (F-Secure) * CME-711 (MITRE) * W32/Nuwar@MM and Downloader-BAI (specific variant) (McAfee) * Troj/Dorf and Mal/Dorf (Sophos) * Trojan.DL.Tibs.Gen!Pac13 * Trojan.Downloader-647 * Trojan.Peacomm (Symantec) * TROJ_SMALL.EDW (Trend Micro) * Win32/Nuwar (ESET) * Win32/Nuwar.N@MM!CME-711 (Windows Live OneCare) * W32/Zhelatin (F-Secure and Kaspersky) * Trojan.Peed, Trojan.Tibs (BitDefender) The Storm Worm began infecting thousands of (mostly private) computers in Europe and the United States on Friday, January 19, 2007, using an e-mail message with a subject line about a recent weather disaster, "230 dead as storm batters Europe". During the weekend there were six subsequent waves of the attack. As of January 22, 2007, the Storm Worm accounted for 8% of all malware infections globally. There is evidence, according to PCWorld, that the Storm Worm was of Russian origin, possibly traceable to the Russian Business Network.〔("The Internet's Public Enemy Number One" -- PCWorld )〕 ==Ways of action== Originally propagated in messages about European windstorm Kyrill, the Storm Worm has been seen also in emails with the following subjects: * A killer at 11, he's free at 21 and kill again! * U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel * British Muslims Genocide * Naked teens attack home director. * 230 dead as storm batters Europe. * Re: Your text * Radical Muslim drinking enemies's blood. * Chinese/Russian missile shot down Russian/Chinese satellite/aircraft * Saddam Hussein safe and sound! * Saddam Hussein alive! * Venezuelan leader: "Let's the War beginning". * Fidel Castro dead. * If I Knew * FBI vs. Facebook When an attachment is opened, the malware installs the wincom32 service, and injects a payload, passing on packets to destinations encoded within the malware itself. According to Symantec, it may also download and run the Trojan.Abwiz.F trojan, and the W32.Mixor.Q@mm worm.〔 The Trojan piggybacks on the spam with names such as "postcard.exe" and "Flash Postcard.exe," with more changes from the original wave as the attack mutates.〔 Some of the known names for the attachments include:〔 * Postcard.exe * ecard.exe * FullVideo.exe * Full Story.exe * Video.exe * Read More.exe * FullClip.exe * GreetingPostcard.exe * MoreHere.exe * FlashPostcard.exe * GreetingCard.exe * ClickHere.exe * ReadMore.exe * FlashPostcard.exe * FullNews.exe * NflStatTracker.exe * ArcadeWorld.exe * ArcadeWorldGame.exe Later, as F-Secure confirmed, the malware began spreading the subjects such as "Love birds" and "Touched by Love". These emails contain links to websites hosting some of the following files, which are confirmed to contain the virus: * with_love.exe * withlove.exe * love.exe * frommetoyou.exe * iheartyou.exe * fck2008.exe * fck2009.exe According to Joe Stewart, director of malware research for SecureWorks, Storm remains amazingly resilient, in part because the Trojan horse it uses to infect systems changes its packing code every 10 minutes, and, once installed, the bot uses fast flux to change the IP addresses for its command and control servers. 抄文引用元・出典: フリー百科事典『 ウィキペディア(Wikipedia)』 ■ウィキペディアで「Storm Worm」の詳細全文を読む スポンサード リンク
|