What is meant by storm worm?

Storm worm? You may not recognize this worm at the first instance since you might be knowing it by one of the following other names:

1. Small. Dam
2. Trojan- downloader. Win 32. Small. Dam
3. F secure as dubbed by the finnish company.
4. W32/ Numwar@MM
5. Downloader BAI (McAfee’s specific variant)
6. Trojan. DL. Tibs. Gen! Pact13
7. Trojan. Peacomm (Symantec)
8. Win32/ Nuwar (ESET)
9. W32/ Zhelatin (kaspersky, F secure)
10. Trojan. Peed (Bit Defender)
11. Trojan. Tibs (Bit Defender)
12. Win32/ Nuwar. N@MM! CME- 711 (windows live one care)
13. TROJ_SMALL. EDW (trend micro)
14. Trojan. Downloader – 647
15. Loland Mal/ Dorf (sophos)
16. CME- 711 (mitre)

Evolution of Storm Worm

- It was recognized as a back door Trojan horse that had most of its impact on the computer systems that use the Microsoft operating systems or applications or extensions.

- This worm was first observed on the date of 17th January in the year of 2007.

- The storm worm first took its affect in the countries of the United States and Europe infecting millions of computer systems starting on the date of 19th January 2007.

- It was usually sent to the users as an e-mail message having the subject as a headline about the recent weather disaster like “230 dead as storm batters Europe”.

- At the starting of this cyber epidemic, there were around 6 waves of attack subsequently.

- At the end of the January 2007, the storm worm was said to account for 8 percent of all the world wide malware infections.

- According to the PC world, the history or origin of the storm worm can be traced back to a Russian business network.

- Mostly the European wind storm “kyrill” was used as the subject of the infected e- mails.

- This email usually had an attachment accompanying it which when opened, automatically installed this malware on to the system of the users.

Steps involved in installing the Malware

The malware was installed via the following steps:

1. Installation of the wincom32 service
2. Injection of payload
3. Passing of the packets to destinations as mentioned in the malware code.
4. Download and run the W32. Mixor. Q@mm worm and Trojan. Abwiz. F Trojan.

These downloaded Trojans then attached themselves to spam like flashcard.exe, postcard.exe and so on. Other changes regarding the original attack wave were made as the mutation of the attack carried on. Below mentioned are some other prominent spam attachments:
1. Ecard.exe
2. Fullstory.exe
3. Read more. Exe
4. Greeting postcard.exe
5. Read more.exe
6. Full news.exe
7. Arcade world.exe
8. Fullvideo.exe
9. Video.exe
10. Full clip.exe
11. More here.exe
12. Click here.exe
13. Nfl stat tracker.exe
14. Arcade world game.exe

Later the storm worm came to be spread by subjects regarding love such as “touched by love”, “love birds” and so on. These e- mails had the links referring to the malicious web sites containing virus like:

1. With love.exe
2. With_love.exe
3. From me to you.exe
4. Fck2008.exe
5. Fck2009.exe
6. Love.exe
7. Iheart you.exe

The storm worm has an exceptional ability to stay resilient. The affected machine or system used to become a part of botnet networks which was controlled through a central server. A botnet is seeded by the storm worm that acts as a P2P network without any control. The connected systems then act as a host and share the list of other hosts. One peculiarity was observed in the working of these machines which is that none of them shared the whole list of botnets.