[AusNOG] Storm worm seeding peers AS4802, AS9543 and AS9942 (AUSCERT#20075bfb0)
Matthew McGlashan
matthew at auscert.org.au
Wed Apr 11 10:40:25 EST 2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Greetings AusNOG,
* As before - please let me know if this sort of information is useful /
appropriate for the list *
We've had a report of a new version of the "storm worm" being seeded and
spammed with subjects like:
USA Declares War on Iran
USA Missle Strike: Iran War just have started
Missle Strike: The USA kills more then 20000 Iranian citizens
Missle Strike: The USA kills more then 1000 Iranian citizens
Missle Strike: The USA kills more then 10000 Iranian citizens
Israel Just Have Started World War III
USA Just Have Started World War III
Iran Just Have Started World War III
The worm is given an initial peer list (peers being used to provide
updates or instructions). I've included some hosts of interest that the
worm will look for below:
4802 | 203.214.131.141 | ASN-IINET iiNet Limited | 6DD7D1FB5D0967E6AC5C168E7F3946C4=203.214.131.141:4480
4802 | 203.59.209.219 | ASN-IINET iiNet Limited | 1AE389C8EC8E6BB98F787298563D170B=203.59.209.219:62624
9543 | 124.150.75.126 | WESTNET-AS-AP Westnet Internet Services | 7EE8F4E503465493CDAF0BE0D602074C=124.150.75.126:10790
9942 | 220.240.123.155 | COMINDICO-AP SOUL Converged Communications Australia | A881FB2ABBDE65AE27EA89A942BBF7FC=220.240.123.155:6324
This is not to say these hosts are infected or necessarily compromised -
simply that the current version of Storm will be trying to contact these
addresses on the ports above (the end part of each line is an md5, an IP
and a port). Might be worth checking flows for this activity.
Generic info on Storm:
Storm-Worm (also known as Small.DAM, Stormy and Peacomm) is a Windows
trojan that is typically distributed via spam email. If run, the program
downloads additional malware and then connects to a public peer-to-peer
network to look for updates and command and control instructions. Hosts
infected with Storm-Worm are commonly used to send spam emails.
For more information on Storm-Worm please see the following links:
* http://www.f-secure.com/v-descs/small_dam.shtml
* http://www.symantec.com/security_response/writeup.jsp?docid=2007-011917-1403-99
* http://www.viruslist.com/en/viruses/encyclopedia?virusid=124218
Thanks for your time,
- -- Matthew McGlashan --
Coordination Centre Team Leader | Hotline: +61 7 3365 4417
Australian Computer Emergency Response Team | Direct: +61 7 3365 7924
(AusCERT) | Fax: +61 7 3365 7031
The University of Queensland | WWW: www.auscert.org.au
Qld 4072 Australia | Email: auscert at auscert.org.au
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (FreeBSD)
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBRhwueSh9+71yA2DNAQIfJwP7Bb0Nn4aSU5i8DmLkUbzj3khyJAJ6zXKv
MCKt2RB5DEZ/kpub3Z/rNN1643SJYSxzH2glxtfUeNKH6mZbdYbj/N6VaAT2V1sU
lPlisSKgmF3FuVdI4x8v5QXyTazRrmK2PqFH79ZgaJTD6Gzz6TIGqARdPcCEnXn4
pWUO8D694Pc=
=tKKm
-----END PGP SIGNATURE-----
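The flow check suggested in the message above, as an added example that is not part of the original post or of AusCERT's tooling: a Python script that parses the four hosts-of-interest lines in the post's own `ASN | IP | AS name | hash=IP:port` layout (the 32-hex-digit value is kept as an opaque peer hash, as the post labels it), then runs a set of constructed sample flow records against them. The CSV flow layout, the timestamps and the 192.0.2.0/24 and 198.51.100.0/24 addresses are assumptions for the example, not output of any real collector. Flows are matched in both directions (an internal host talking to a listed IP:port, and replies from that IP:port), and a flow that reaches a listed IP on some other port is reported separately as an IP-only match, since the post stresses that these hosts are not necessarily compromised and may carry unrelated traffic.

```python
"""Check flow records against the Storm peer list from the post above.

Added example: the peer list is copied from the post; the flow records are a
constructed sample in a simple CSV layout, not output of any real collector.
"""
import ipaddress
import re
from collections import defaultdict

# Hosts of interest exactly as printed in the post: ASN | IP | AS name | hash=IP:port
PEER_LINES = """\
4802 | 203.214.131.141 | ASN-IINET iiNet Limited | 6DD7D1FB5D0967E6AC5C168E7F3946C4=203.214.131.141:4480
4802 | 203.59.209.219 | ASN-IINET iiNet Limited | 1AE389C8EC8E6BB98F787298563D170B=203.59.209.219:62624
9543 | 124.150.75.126 | WESTNET-AS-AP Westnet Internet Services | 7EE8F4E503465493CDAF0BE0D602074C=124.150.75.126:10790
9942 | 220.240.123.155 | COMINDICO-AP SOUL Converged Communications Australia | A881FB2ABBDE65AE27EA89A942BBF7FC=220.240.123.155:6324
""".splitlines()

PEER_RE = re.compile(
    r"^\s*(?P<asn>\d+)\s*\|\s*(?P<ip>[\d.]+)\s*\|\s*(?P<asname>.*?)\s*\|\s*"
    r"(?P<hash>[0-9A-Fa-f]{32})=(?P<peer_ip>[\d.]+):(?P<port>\d{1,5})\s*$"
)


def parse_peers(lines):
    """Return {(ip, port): {"asn", "as_name", "peer_hash"}} from post-style lines.

    Malformed lines raise instead of being skipped: a silently dropped
    indicator is a missed detection.
    """
    peers = {}
    for line in lines:
        if not line.strip():
            continue
        m = PEER_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable peer line: {line!r}")
        ip = str(ipaddress.ip_address(m["ip"]))  # rejects junk such as 300.1.1.1
        if ip != m["peer_ip"]:
            raise ValueError(f"IP column {ip} disagrees with peer entry {m['peer_ip']}")
        port = int(m["port"])
        if not 0 < port < 65536:
            raise ValueError(f"bad port {port} in {line!r}")
        peers[(ip, port)] = {"asn": int(m["asn"]), "as_name": m["asname"],
                             "peer_hash": m["hash"].upper()}
    return peers


# Constructed sample flows (not real traffic). Assumed layout:
# ts,proto,src_ip,src_port,dst_ip,dst_port,packets,bytes
SAMPLE_FLOWS = """\
# ts,proto,src_ip,src_port,dst_ip,dst_port,packets,bytes
2007-04-11T09:12:01,UDP,192.0.2.17,31337,203.214.131.141,4480,2,210
2007-04-11T09:12:03,UDP,203.214.131.141,4480,192.0.2.17,31337,1,84
2007-04-11T09:13:44,TCP,192.0.2.17,52110,203.59.209.219,80,5,1200
2007-04-11T09:15:09,UDP,192.0.2.44,40012,124.150.75.126,10790,1,91
2007-04-11T09:20:00,TCP,192.0.2.99,44321,198.51.100.5,443,12,9001
"""

FLOW_FIELDS = ("ts", "proto", "src_ip", "src_port", "dst_ip", "dst_port", "packets", "bytes")


def parse_flows(lines):
    """Yield one dict per CSV flow line; blank lines and '#' comments are skipped."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != len(FLOW_FIELDS):
            raise ValueError(f"expected {len(FLOW_FIELDS)} fields: {line!r}")
        rec = dict(zip(FLOW_FIELDS, parts))
        for k in ("src_port", "dst_port", "packets", "bytes"):
            rec[k] = int(rec[k])
        yield rec


def match_flows(flows, peers):
    """Return (exact, ip_only): hits keyed by the local host that touched a peer.

    Both directions are checked, traffic to a listed IP:port and replies from
    it. A flow to a listed IP on an unlisted port goes into ip_only, because
    the post says these hosts are not necessarily compromised and may serve
    unrelated traffic, so a port mismatch is weaker evidence.
    """
    exact, ip_only = defaultdict(list), defaultdict(list)
    peer_ips = {ip for ip, _ in peers}
    for f in flows:
        candidates = (("out", f["src_ip"], f["dst_ip"], f["dst_port"]),
                      ("in", f["dst_ip"], f["src_ip"], f["src_port"]))
        for direction, local, remote, rport in candidates:
            hit = (direction, f["proto"], remote, rport, f["ts"])
            if (remote, rport) in peers:
                exact[local].append(hit)
            elif remote in peer_ips:
                ip_only[local].append(hit)
    return dict(exact), dict(ip_only)


def report(exact, ip_only, peers):
    """One human-readable line per hit, exact matches first."""
    out = []
    for local, hits in sorted(exact.items()):
        for direction, proto, remote, rport, ts in hits:
            p = peers[(remote, rport)]
            out.append(f"{ts} {local} {direction} {proto} {remote}:{rport} "
                       f"AS{p['asn']} ({p['as_name']}) peer {p['peer_hash']}")
    for local, hits in sorted(ip_only.items()):
        for direction, proto, remote, rport, ts in hits:
            out.append(f"{ts} {local} {direction} {proto} {remote}:{rport} "
                       f"IP-only match, port not on the Storm list")
    return out


if __name__ == "__main__":
    peers = parse_peers(PEER_LINES)
    exact, ip_only = match_flows(parse_flows(SAMPLE_FLOWS.splitlines()), peers)
    print("\n".join(report(exact, ip_only, peers)))
```

To run this against real data, replace SAMPLE_FLOWS with an export from your collector in the same eight-column order, or adjust FLOW_FIELDS and parse_flows to that export's layout; everything else keys only on IP, port and direction. Matching on IP and port together is deliberate: on the sample, 192.0.2.17 is reported as an exact match for its exchange with 203.214.131.141:4480, while its HTTP flow to 203.59.209.219 (a listed IP, but port 80 rather than 62624) is reported only as an IP-only match.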