Storm Worm
We have become aware of a second variant of the Small Trojan, known as Storm Worm. Like the first variant, it is a mass-mailer that uses social engineering and network shares to propagate. The Storm Worm variant creates a peer-to-peer network that operates on port 7871/UDP, while the previously reported variant, known as Small.DAM or Trojan.Peacomm, operates on port 4000/UDP.

The Small Trojan variants arrive as an email attachment and also propagate through network file shares. On execution they drop two files, one of which may contain rootkit functionality. They also create a back door that may be used to harvest sensitive data or launch a spam attack.

Subject lines can change at any time, but the following are currently being used by these Trojans:
File names can also change at any time, but the following are currently being used:
However, these subjects and filenames can change at any time, so do not open any attachments unless you are sure they are not executable programs, even if they are from people you know. Email worms such as Storm Worm travel by emailing themselves to people in the infected computer's address book without the infected person's knowledge, so it is almost certain that you know whoever emailed you the worm.

If you run a firewall and are comfortable with doing so, you can block UDP ports 7871 and 4000. Most personal firewalls automatically block all unused ports such as these, only opening ports when they are needed. Internet Security is your best bet for protection, although SystemWorks and SystemWorks Premier will protect you also, and even Antivirus will help if you have some other software firewall.
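Besides blocking the two ports, firewall logs can show which machines on the network are already talking on them. The following is an added example, not part of the original advisory: it scans connection logs for internal hosts contacting several distinct outside peers on UDP 7871 or 4000. The log line format, the 192.168.1.0/24 internal range, the peer threshold and the sample lines are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# UDP ports named in the advisory, mapped to the variant that uses each.
P2P_PORTS = {7871: "Storm Worm variant", 4000: "Small.DAM / Trojan.Peacomm"}
# Assumption: the protected LAN; adjust to your own addressing.
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample log (hypothetical format, documentation-range peers).
SAMPLE_LOG = """\
10:00:01 UDP 192.168.1.20:7871 -> 203.0.113.5:7871 ALLOW
10:00:02 UDP 192.168.1.20:7871 -> 198.51.100.7:7871 ALLOW
10:00:02 UDP 192.168.1.20:7871 -> 198.51.100.9:7871 ALLOW
10:00:03 UDP 192.168.1.20:7871 -> 203.0.113.77:7871 ALLOW
10:00:04 UDP 192.168.1.31:4000 -> 198.51.100.200:4000 ALLOW
10:00:05 UDP 192.168.1.40:53124 -> 198.51.100.53:53 ALLOW
10:00:06 TCP 192.168.1.40:50211 -> 203.0.113.80:4000 ALLOW
10:00:07 truncated line
"""

def parse_line(line):
    """Return (proto, src_ip, dst_ip, dst_port), or None if the line is malformed."""
    parts = line.split()
    if len(parts) != 6 or parts[3] != "->":
        return None
    try:
        src = ipaddress.ip_address(parts[2].rsplit(":", 1)[0])
        dst_host, dst_port = parts[4].rsplit(":", 1)
        return parts[1].upper(), src, ipaddress.ip_address(dst_host), int(dst_port)
    except ValueError:
        return None

def suspect_hosts(log_text, min_peers=3):
    """Map (internal host, port) to its external peers when it has >= min_peers of them."""
    peers = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        proto, src, dst, dport = rec
        if proto == "UDP" and dport in P2P_PORTS and src in INTERNAL_NET and dst not in INTERNAL_NET:
            peers[(str(src), dport)].add(str(dst))
    return {k: sorted(v) for k, v in peers.items() if len(v) >= min_peers}

if __name__ == "__main__":
    for (host, port), seen in suspect_hosts(SAMPLE_LOG).items():
        print(f"{host}: {len(seen)} external peers on UDP {port} ({P2P_PORTS[port]})")
```

A single contact on one of these ports can be legitimate traffic from another application, which is why the check counts distinct outside peers per host rather than flagging every matching line.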
