Storm worm strikes again

A new variant of the Storm worm (aka Snow Worm) is slamming into e-mail inboxes worldwide as an apparent patch or fix for a recent worm attack. The latest variant, first reported Thursday, appears to ride on the coattails of a worm that Trend Micro calls Nuwar.AOP. The Trojan part of this worm is known as Small (by Kaspersky and Trend Micro), Downloader (by McAfee), Peacomm (by Symantec), and officially by the designation CME (Common Malware Enumeration) 711.

According to Ken Dunham of iDefense, this new variant worm includes anti-security measures to hinder analysis, and sends out copies of itself inside of a password protected zip file to evade antivirus detection. Unfortunately, to further evade detection, the e-mail messages are randomized with different file names, passwords and binaries within the zip file.

According to one source, the subject lines include:

• "Worm Alert!"

• "Worm Detected"

• "Virus Alert"

• "ATTN!"

• "Trojan Detected!"

• "Worm Activity Detected!"

• "Spyware Detected!"

• "Virus Activity Detected!"

According to SANS Internet Storm Center, the zip files appear to be named:

• "patch-(random 4 or 5 digit number).zip"

• "bugfix-(random 4 or 5 digit number).zip"

• "hotfix-(random 4 or 5 digit number).zip"

• "removal-(random 4 or 5 digit number).zip"

Once executed, the new variant worm installs a rootkit on the infected system and communicates over a private peer-to-peer network to update itself. This latest variation may be laying the groundwork for even more attacks in the near future, launching future releases from those machines already infected.

PCs running Microsoft Windows are vulnerable to the new variant worm. Avoid opening e-mail attachments without first scanning them for viruses.