Alert : Storm Worm Returns using the April Fool messages

**Strider** · 02-04-2008, 11:18 AM

Storm is back, reports security firm Arbor Networks, and dressed to kill in its April Fools’ outfit.

Arbor Networks blogger Jose Nazario notes that Storm's latest variant began appearing sometime during March 31, greeting users with a simple “Doh! April’s Fool. (sic)” message that hyperlinks to an IP address.

Users clicking the link are taken to a web page with a cute picture and an automatic download, prompting them to run the download as soon as it completes. If the user follows these directions, he or she will find his or her computer added to the decentralized Storm botnet, which security analysts think contains anywhere from 20,000 to 10 million computers.

April Fools’ Day is only the latest such occasion to be exploited by Storm, which in the past has sent out e-mail messages with headlines like, “Saddam Hussein alive!” and “Fidel Castro dead.”

Nazario warns users to look out for the following signs of infection:

C:\WINDOWS\aromis.config, which contains the botnet’s decentralized peerlist – a list containing a very small subset of its overall network.
C:\WINDOWS\aromis.exe, the program that this variant of the Storm installs itself as.
“Services.exe” or “Aromis.exe” listening on a random UDP port, as well as a large volume of outbound connections – the worm will attempt to create a firewall rule for itself and use windows services to update its internal clock.

Via DailyTech

The Chosen One · 02-04-2008, 04:43 PM

IMPOSSIBLE................ i thought they will nvr do it... i spoke with one of them 1 month before...
they are working on an HTML exploit backdoor trojan...

02-04-2008, 11:18 AM	#1
Strider Founder Join Date: Nov 2005 Location: The Last City Zion! Posts: 2,684 Thanks: 228 Thanked 230 Times in 191 Posts Rep Power: 53	Alert : Storm Worm Returns using the April Fool messages Storm is back, reports security firm Arbor Networks, and dressed to kill in its April Fools’ outfit. Arbor Networks blogger Jose Nazario notes that Storm's latest variant began appearing sometime during March 31, greeting users with a simple “Doh! April’s Fool. (sic)” message that hyperlinks to an IP address. Users clicking the link are taken to a web page with a cute picture and an automatic download, prompting them to run the download as soon as it completes. If the user follows these directions, he or she will find his or her computer added to the decentralized Storm botnet, which security analysts think contains anywhere from 20,000 to 10 million computers. April Fools’ Day is only the latest such occasion to be exploited by Storm, which in the past has sent out e-mail messages with headlines like, “Saddam Hussein alive!” and “Fidel Castro dead.” Nazario warns users to look out for the following signs of infection: C:\WINDOWS\aromis.config, which contains the botnet’s decentralized peerlist – a list containing a very small subset of its overall network. C:\WINDOWS\aromis.exe, the program that this variant of the Storm installs itself as. “Services.exe” or “Aromis.exe” listening on a random UDP port, as well as a large volume of outbound connections – the worm will attempt to create a firewall rule for itself and use windows services to update its internal clock. Via DailyTech __________________ Want to ask a question? Try This! A guide on how to post a question, reply to a post etc.

02-04-2008, 04:43 PM	#2
The Chosen One Senior Member (500+) Join Date: Jan 2007 Location: Tunisia Age: 18 Posts: 831 Thanks: 39 Thanked 46 Times in 43 Posts Rep Power: 20	Re: Alert:Storm Worm Returns using the April Fool messages IMPOSSIBLE................ i thought they will nvr do it... i spoke with one of them 1 month before... they are working on an HTML exploit backdoor trojan... __________________ DISCLAIMER Everything I post is an order from a little guy in my head.I DONT take the responsability of what he does or says.The name of the little guy is Perfect Hacker MY blog

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode