[AusNOG] Storm worm seeding peers AS4802, AS9543 and AS9942 (AUSCERT#20075bfb0)

Matthew McGlashan matthew at auscert.org.au
Wed Apr 11 10:40:25 EST 2007

Greetings AusNOG,

* As before - please let me know if this sort of information is useful /
appropriate for the list *

We've had a report of a new version of the "storm worm" being seeded and
spammed with subjects like:

  USA Declares War on Iran
  USA Missle Strike: Iran War just have started
  Missle Strike: The USA kills more then 20000 Iranian citizens
  Missle Strike: The USA kills more then 1000 Iranian citizens
  Missle Strike: The USA kills more then 10000 Iranian citizens
  Israel Just Have Started World War III
  USA Just Have Started World War III
  Iran Just Have Started World War III

The worm is given an initial peers list (peers being used to provide
updates or instructions).  I've included some hosts of interest that the
worm will look for below:

4802    |  | ASN-IINET iiNet Limited | 6DD7D1FB5D0967E6AC5C168E7F3946C4
4802    |   | ASN-IINET iiNet Limited | 1AE389C8EC8E6BB98F787298563D170B
9543    |   | WESTNET-AS-AP Westnet Internet Services | 7EE8F4E503465493CDAF0BE0D602074C
9942    |  | COMINDICO-AP SOUL Converged  Communications Australia | A881FB2ABBDE65AE27EA89A942BBF7FC

This is not to say these hosts are infected or necessarily compromised -
simply that the current version of Storm will be trying to contact these
addresses on the ports above (the end part of each line is an md5 and IP
and port).  Might be worth checking flows for this activity.

Generic info on Storm:

  Storm-Worm (also known as Small.DAM, Stormy and Peacomm) is a Windows
  trojan that is typically distributed via spam email. If run, the program
  downloads additional malware and then connects to a public peer-to-peer
  network to look for updates and command and control instructions. Hosts
  infected with Storm-Worm are commonly used to send spam emails.

  For more information on Storm-Worm please see the following links:

    * http://www.f-secure.com/v-descs/small_dam.shtml
    * http://www.symantec.com/security_response/writeup.jsp?docid=2007-011917-1403-99
    * http://www.viruslist.com/en/viruses/encyclopedia?virusid=124218 

Thanks for your time,

-- Matthew McGlashan --
Coordination Centre Team Leader             | Hotline: +61 7 3365 4417
Australian Computer Emergency Response Team | Direct:  +61 7 3365 7924
(AusCERT)                                   | Fax:     +61 7 3365 7031
The University of Queensland                | WWW:     www.auscert.org.au
Qld 4072 Australia                          | Email: auscert at auscert.org.au
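The flow check Matthew suggests, as an added example that is not part of the original post. The script takes a watch list of (peer IP, peer port, ASN) tuples and runs it over flow records, reporting each internal source that contacted a listed peer. Because the IP/port column of the post did not survive, the watch list here is constructed from RFC 5737 documentation addresses and made-up ports, and the flow lines are constructed sample data in a minimal nfdump-style CSV layout; both are assumptions to be replaced with the real peers and your own exporter's format before use.

```python
"""Flag flow records whose destination matches a Storm peer watch list.

Added example, not from the AusCERT post. Watch list and flow lines are
constructed; replace them with the real peer IPs/ports and your exporter's
output. Flow CSV columns assumed here:
start time, proto, src ip, src port, dst ip, dst port, packets, bytes.
"""
import csv
import io
from collections import defaultdict

# Constructed watch list: (peer_ip, peer_port) -> ASN. Hypothetical values
# using RFC 5737 documentation ranges; the ASNs are the ones in the post.
STORM_PEERS = {
    ("192.0.2.10", 7871): 4802,
    ("192.0.2.11", 7871): 4802,
    ("198.51.100.5", 11053): 9543,
    ("203.0.113.7", 4242): 9942,
}

# Constructed sample flows (not real traffic). The last line is a decoy:
# same peer IP, different port, so it must not match.
SAMPLE_FLOWS = """\
2007-04-11 09:12:01,UDP,10.1.1.23,1034,192.0.2.10,7871,3,240
2007-04-11 09:12:05,TCP,10.1.1.23,1035,203.0.113.250,80,12,8400
2007-04-11 09:13:44,UDP,10.1.2.200,4660,198.51.100.5,11053,5,400
2007-04-11 09:14:10,UDP,10.1.1.23,1036,203.0.113.7,4242,2,160
2007-04-11 09:15:00,UDP,10.1.3.9,1036,203.0.113.7,53,1,80
"""

FIELDS = ["ts", "proto", "src", "sport", "dst", "dport", "packets", "bytes"]


def parse_flows(text):
    """Yield one dict per flow record, with ports converted to int."""
    reader = csv.DictReader(io.StringIO(text), fieldnames=FIELDS)
    for row in reader:
        row["sport"] = int(row["sport"])
        row["dport"] = int(row["dport"])
        yield row


def find_storm_contacts(text, watch=STORM_PEERS):
    """Return {internal_src: [(peer_ip, peer_port, asn, ts), ...]} for every
    flow whose destination ip:port pair is on the watch list. Matching on the
    pair rather than the IP alone avoids flagging unrelated traffic to a host
    that merely shares an address with a peer."""
    hits = defaultdict(list)
    for flow in parse_flows(text):
        key = (flow["dst"], flow["dport"])
        if key in watch:
            hits[flow["src"]].append((flow["dst"], flow["dport"], watch[key], flow["ts"]))
    return dict(hits)


if __name__ == "__main__":
    for src, contacts in sorted(find_storm_contacts(SAMPLE_FLOWS).items()):
        print(f"{src} contacted {len(contacts)} Storm peer(s):")
        for ip, port, asn, ts in contacts:
            print(f"  {ts}  {ip}:{port}  AS{asn}")
```

With the sample data this reports 10.1.1.23 (two peers) and 10.1.2.200 (one peer) and ignores 10.1.3.9, whose DNS query went to a listed IP but not the listed port. Since the post says these hosts are not necessarily compromised, a hit on an internal source identifies a likely Storm infection on your side, not on theirs.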


