March 31, 2008 1:56 PM PDT

No April Fools'--Storm worm is back

by Robert Vamosi
(Credit: Jose Nazario, Arbor Networks)

Don't click on that silly April Fools' Day e-mail, says one security expert.

In a blog post, Arbor Networks' Jose Nazario reports that within the last 24 hours he has seen new releases of the Storm worm designed to take advantage of the first day of April. The new spam campaign is a lure to infect new computers, which then become part of the larger Storm worm botnet.

The e-mail body is spartan: the words "Doh! April Fools" followed by a numeric URL. If a user clicks on that URL, the default Internet browser will open to a page with a cartoon character. A download is supposed to start within five seconds and, according to the message, "If your download does not start, click here and then press 'Run.'"

The compromised computer will then install the downloaded file as C:\WINDOWS\aromis.exe. Nazario reports that the botnet file opens the firewall using the netsh firewall set command, makes many outbound connections, and then listens on a random UDP port.
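A detection check for the behaviour Nazario describes, added here as an example and not code from the article or from Arbor Networks. The process-creation events are constructed, and the exact netsh firewall set subcommand in them is assumed, since the article names only the command family:

```python
import re

# Constructed Windows process-creation events (not taken from the article).
# The netsh subcommand below is an assumption; the article only says "netsh firewall set".
SAMPLE_EVENTS = [
    {"pid": 1201, "ppid": 800, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmdline": "iexplore.exe http://198.51.100.23/"},
    {"pid": 1337, "ppid": 1201, "image": r"C:\WINDOWS\aromis.exe", "cmdline": "aromis.exe"},
    {"pid": 1338, "ppid": 1337, "image": r"C:\WINDOWS\system32\netsh.exe",
     "cmdline": 'netsh firewall set allowedprogram "C:\\WINDOWS\\aromis.exe" enable'},
    {"pid": 1402, "ppid": 900, "image": r"C:\WINDOWS\system32\netsh.exe",
     "cmdline": "netsh interface ip show config"},  # benign netsh use, must not alert
]

# Drop path reported in the article, compared case-insensitively.
DROPPED_IMAGE = r"c:\windows\aromis.exe"
# Any invocation of the "netsh firewall set" family, with or without a path or .exe suffix.
NETSH_FIREWALL_SET = re.compile(r"^\s*(?:.*\\)?netsh(?:\.exe)?\s+firewall\s+set\b", re.IGNORECASE)


def find_storm_indicators(events):
    """Return (severity, pid, reason) tuples for events matching the article's description:
    the dropped binary executing, and netsh firewall set being used to open the firewall.
    A firewall change is rated high when it is spawned by, or references, the dropper."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        image = e["image"].lower()
        cmd = e["cmdline"]
        if image == DROPPED_IMAGE:
            alerts.append(("high", e["pid"], "known Storm drop path executed"))
            continue
        if NETSH_FIREWALL_SET.search(cmd):
            parent = by_pid.get(e["ppid"])
            parent_image = parent["image"].lower() if parent else ""
            if parent_image == DROPPED_IMAGE or DROPPED_IMAGE in cmd.lower():
                alerts.append(("high", e["pid"], "netsh firewall set tied to Storm dropper"))
            else:
                alerts.append(("medium", e["pid"], "netsh firewall set changes host firewall"))
    return alerts


if __name__ == "__main__":
    for severity, pid, reason in find_storm_indicators(SAMPLE_EVENTS):
        print(f"[{severity}] pid={pid}: {reason}")
```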

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
Is this because
by Lee in San Diego March 31, 2008 3:26 PM PDT
Is this as a result of the MacBook Air getting pawned within two minutes last week?
I hope you're being facetious...
by jumpjetta March 31, 2008 5:12 PM PDT
...Because the exploit is clearly a Windows-based one... note the .EXE?
Don't worry
by 3rdalbum April 1, 2008 5:12 AM PDT
Don't worry, I'm sure Storm will be ported to Mac OS X soon, when it gets more marketshare than Linux.
No it's because...
by webdev511 April 1, 2008 8:07 AM PDT
people haven't learned NOT to click on these things, nor have they run an update on their firewall, browsers or anti-malware for um..ever.
pretty funny -- real reasons
by TF_kj April 1, 2008 9:15 AM PDT
Now that's pretty funny, Lee. But webdev511 is pretty close to the real reasons why this Storm gang's effort continues: users are fun-seekers and curious and don't always understand what they are getting into when visiting sites and running unknown content on their system.
The Storm malware creators also have gone to great lengths to include effective social engineering techniques in their campaigns to get their code running on users' systems. They spent a large amount of effort on developing and implementing effective AV evasion techniques in their packers and changing code base. And traditional signature-based solutions have not necessarily kept up with the extreme pace of change of this malware. There are some security solutions specifically targeted by this new Storm variant that get clobbered by it.
Once a part of the botnet, the user's compromised system translates into cash for the attackers.

http://blog.threatfire.com
ClickaNerd | Rootkit Virus Removal Tip
by thetopnerd April 1, 2008 8:27 PM PDT
If you are infected by this worm and you have some experience in virus removal, we have documented a page to assist you with the quick removal of this worm. Go to This URL: http://www.clickanerd.com/techtips/tips/001-virus-removal.htm

If you have a Google account, please provide some feedback at our blog after you use this page.
About Defense in Depth

Covering computer viruses and computer crime, Robert Vamosi goes beyond the hype to provide you with expert interviews of the top security researchers, as well as offering the hands-on, nontechnical advice you'll need to stay safe online.
