Threat behavior
Storm Worm, or Win32/Nuwar, refers to a family of Trojan droppers that install a distributed peer-to-peer (P2P) downloader Trojan. This downloader Trojan in turn downloads a copy of the email worm component of Storm Worm. The email worm component does the following:
- Drops a file with a random name into the directory in which it is executed.
- This file creates a driver in the Windows system folder (by default, on Windows XP and Vista, this folder is C:\Windows\System32. The dropped file is usually named wincom32.sys.
- This driver contains the main payload functionality of the worm, and is used to inject an embedded dll into running processes which enlists the computer in a private peer-to-peer (p2p) network.
- The injected dll drops an initialization file, typically named wincom32.ini, in the Windows system folder which contains its network peer information. This file is detected as Worm:Win32/Nuwar!ini.
- The driver is added as a service to run whenever Windows starts. The service is typically named 'wincom32'
- On Windows XP or earlier, the driver will stealth references to this driver so that the driver and its service cannot be seen.
Email Characteristics
To obtain addresses in order to spread, Storm Worm enumerates the first 30000 files under 122k on all fixed and remote drives. The worm does not use domains containing 'microsoft' or domains ending in .gov or .mil. The worm performs DNS queries on the email address domains to check their legitimacy. The worm will spoof the sender address to be a randomly chosen name from a list from the yahoo.com domain. The message body will be blank. The subject line of the email generally uses fictitious and incendiary topics, for example:
230 dead as storm batters Europe
USA Missle Strike: Iran War just have started
Naked teens attack home director
The email includes an executable (.EXE) attachment which may use on of the following file names:
- More.exe
Read More.exe
Click Here.exe
Click Me.exe
Read Me.exe
Movie.exe
News.exe
Video.exe
Storm Worm attempts to stop processes with process or window names containing substrings typically related to various security-related software products.
Related Malware
Prevention
Take the following steps to help prevent infection on your system:
Enable a firewall on your computer.
Get the latest computer updates.
Use up-to-date antivirus software.
Use caution with attachments and file transfers.
Enable a firewall on your computer
Use a third-party firewall product or turn on the Microsoft Windows XP Internet Connection Firewall.
To turn on the Internet Connection Firewall in Windows XP
Click Start, and click Control Panel.
Click Network and Internet Connections. If you do not see Network and Internet Connections, click Switch to Category View.
Click Change Windows Firewall Settings.
Select On.
Click OK.
Get the latest computer updates
Updates help protect your computer from viruses, worms, and other threats as they are discovered. You can use the Automatic Updates feature in Windows XP to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
To turn on Automatic Updates in Windows XP
Click Start, and click Control Panel.
Click System.
Click Automatic Updates.
Select a setting. Microsoft recommends selecting Automatic. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.
Use up-to-date antivirus software
Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software that is updated with the latest signature files. Antivirus software is available from several sources. For more information, see http://www.microsoft.com/athome/security/downloads/default.mspx
Use caution with attachments and file transfers
Exercise caution with e-mail and attachments received from unknown sources, or received unexpectedly from known sources. Use extreme caution when accepting file transfers from known or unknown sources.
