 
09-04-07, 12:57 | BOD Member | Join Date: Jul 2007 | Posts: 296
The Storm Worm
I personally would like this bot found and decompiled.
I will be posting all the information, articles and everything I can to help get an understanding of this.
Quote:
Not to be confused with W32/Storm.worm.
The Storm Worm (named by F-Secure) is a backdoor Trojan horse that affects computers using Microsoft operating systems, identified as Small.dam, discovered on January 17, 2007. The worm is also known as:
* Trojan.Downloader-647
* Trojan-Downloader.Win32.Small.dam
* Trojan.DL.Tibs.Gen!Pac13[3]
* Downloader-BAI (McAfee)
* Troj/Dorf-Fam (Sophos)
* Trojan.Peacomm (Symantec)
* TROJ_SMALL.EDW (Trend Micro)
* CME-711 (MITRE)
* Win32/Nuwar.N@MM!CME-711 (Windows Live OneCare)
The Storm Worm began infecting thousands of computers (mostly private) in Europe and the United States on Friday, January 19, 2007 using a topical e-mail message with the subject "230 dead as storm batters Europe".[6][7] During the weekend there were six subsequent waves of the attack.[8] As of Monday, January 22, the Storm Worm accounted for 8% of all infections globally.[9]
Ways of action
"During our tests we saw an infected machine sending a burst of almost 1,800 emails in a five-minute period and then it just stopped." (Amado Hidalgo, a researcher with Symantec's security response group)[10]
Originally propagated on the heels of the European windstorm Kyrill, the Storm Worm has also been seen in the wild with the following subjects[11]:
* A killer at 11, he's free at 21 and kill again!
* U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
* British Muslims Genocide
* Naked teens attack home director.
* 230 dead as storm batters Europe.
* Re: Your text
* Radical Muslim drinking enemies's blood.
* Chinese missile shot down Russian satellite
* Chinese missile shot down Russian aircraft
* Chinese missile shot down USA aircraft
* Chinese missile shot down USA satellite
* Russian missile shot down USA aircraft
* Russian missile shot down USA satellite
* Russian missile shot down Chinese aircraft
* Russian missile shot down Chinese satellite
* Saddam Hussein safe and sound!
* Saddam Hussein alive!
* Venezuelan leader: "Let's the War beginning".
* Fidel Castro dead.
* If I Knew
When an attachment is opened, the malware installs the wincom32 service, and injects a payload, passing on packets to destinations encoded within the malware itself. According to Symantec, it may also download and run the Trojan.Abwiz.F trojan, and the W32.Mixor.Q@mm worm.[11] The Trojan piggybacks on the spam with names ranging from "postcard.exe" to "Flash Postcard.exe," more changes from the original wave as the attack mutates.[10] Some of the known names for the attachments include[11]:
* Postcard.exe
* FullVideo.exe
* Full Story.exe
* Video.exe
* Read More.exe
* FullClip.exe
* GreetingPostcard.exe
* MoreHere.exe
* FlashPostcard.exe
* GreetingCard.exe
* ClickHere.exe
* ReadMore.exe
* FlashPostcard.exe
* FullNews.exe
Later, as F-Secure confirmed, the malware began spreading the subjects such as "Love birds" and "Touched by Love".
Botnetting
The compromised machine becomes merged into a botnet. While most botnets are controlled through a central server, which if found can be taken down to destroy the botnet, the Storm Worm seeds a botnet that acts in a similar way to a peer-to-peer network, with no centralised control.[8] Each compromised machine connects to a list of a subset of the entire botnet — around 30 to 35 other compromised machines, which act as hosts. While each of the infected hosts share lists of other infected hosts, no one machine has a full list of the entire botnet — each only has a subset, making it difficult to gauge the true extent of the zombie network.[8] On August 26, 2007, estimates of the size of the Storm botnet ranged from 250 thousand up to 10 million computers. [12]
Rootkit
Another action the Storm Worm takes is to install the rootkit Win32.agent.dh.[13][8] Symantec pointed out that flawed rootkit code voids some of the Storm Worm author's plans.
Feedback
"The rootkit service can be stopped by running a simple command: net stop wincom32. All files, registry keys, and ports will appear again." (Amado Hidalgo)[10]
The list of antivirus companies that had detected the Storm Worm included Authentium, BitDefender, ClamAV, eSafe, FProt, F-Secure, Kaspersky, Norman, Sophos and Virusbuster.[14] An intrusion detection system offers some protection from the rootkit, as it may warn that the Windows process "services.exe" is trying to access the Internet using ports 4000 or 7871.[10] Another feedback is to configure e-mail gateways to strip out all executable attachments. Windows 2000, Windows XP and presumably Windows Vista can be infected by all the Storm Worm variants, but Windows Server 2003 cannot, as the malware's author specifically excluded that edition of Windows from the code.[10]
See also
Blocking executable attachments in e-mail has no mitigating effect on Storm worm variants as it does not propagate via executable attachments but rather via links to infected websites. The websites will attempt a variety of exploits to autoexecute the malicious code, but will also try to seduce the user into doing so manually. Spam filtering and URL filtering can be helpful in blocking this. According to F-Secure and others, the malicious code is modified every 30 minutes, undermining standard signature-based AV's ability to block this threat.
movie of infection
http://www.youtube.com/watch?v=kH8cS1AkqiI
articles
Storm Hits Blogger Network
Quote:
Researchers have discovered the Storm Trojan nestled in hundreds of blog sites in Google's Blogger network, according to an article in Dark Reading. And this isn't simple comment spam, but actual blogs that post spam, and now, Storm executable files. A researcher who's been tracking the Storm-infested blog sites says he's working with Google to clean up this latest appearance of Storm."
Careful whose blog you're reading these days: Researchers have discovered the Storm Trojan nestled in hundreds of blog sites in Google's Blogger network.
This Storm infection is not simple comment spam, where spammers post their junk messages and malware as blog comments. "These are blogs that post spam," says Alex Eckelberry, CEO of Sunbelt Software, who has been studying the posts. He says he hasn't seen any legitimate blog sites being hacked and sprinkled with Storm, but he's still researching the trend.
Eckelberry, who first discovered Storm executable files on several blogger sites this week, says Storm is showing up on blogs that use the mail-2-blogger feature, where bloggers can post via email. Google does have a CAPTCHA defense in place to prevent this kind of infection, requiring some bloggers to manually enter their code in order to post their blogs.
"But these guys are somehow flying under the radar," Eckelberry says. "I have no idea how they are doing this."
One site he found that's laden with Storm as well as spam junk is http://www.visionbuzz.blogspot.com/, for instance. And a Google search for Storm's infamous keywords, including "dude what if you wife finds this" and "man your insane," comes up with hundreds of blog sites, he says.
Storm is often referred to as a worm, but it's technically a Trojan. It relies on social engineering, with a tempting message and link, and it's all about expanding spam and the underlying botnet behind it, notes Joe Stewart, senior security researcher for SecureWorks. Although it's less dangerous than a traditional worm, it ranks in the top five most prolific threats, he says.
"You're not in danger of identity theft -- it's really not all that dangerous to the person who's been infected... It's really more dangerous to the Internet architecture as a whole," he says.
The Trojan gives Storm's bot army the ability to launch powerful distributed denial of services attacks, Stewart says. "But that's not its only purpose. It's also to make money, [such as from] stock spam."
"It's very disturbing to have Storm executables being linked onto sites we can control. But blog sites that Storm is operating off of are hard to control," Eckelberry says. "We've been working with Google in getting this shut down, and Google has been very helpful."
Why are the bad guys starting to plant Storm executables in blogs? "It's all about the numbers," says Randy Abrams, director of technical education for Eset, an anti-malware vendor. "The more places you can get the links out to, the more uneducated users you will trick into clicking on them and then infecting themselves. This, in turn, expands the botnet, which increases the profitability of [the exploit]."
Storm Botnet Is Behind Two New Attacks
Quote:
We've gotten a number of submissions about the new tricks the massive Storm botnet has been up to. Estimates of the size of this botnet range from 250K-1M to 5M-10M compromised machines. Reader cottagetrees notes a writeup at Exploit Prevention Labs on a new social engineering attack involving YouTube. The emails, which may be targeted at people who use private domain registrations, warn the recipient that their "face is all over 'net" on a YouTube video. The link is to a Storm-infected bot that attacks using the Q4Rollup exploit (a package of about a dozen encrypted exploits). And reader thefickler writes that the recent wave of "confirmation spam" is also due to Storm, as was the earlier, months-long "e-card from a friend" series of attack emails.
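Added example, my own code rather than anything from Symantec or the quoted article: the two behavioural indicators the first post gives (the IDS observation that services.exe reaching the Internet on ports 4000 or 7871 is a Storm sign, and the botnet section's 30 to 35 peer fan-out) turned into a check over a connection log. The log line format, the addresses (IETF documentation ranges) and the fan-out threshold of 20 are constructed assumptions; a real deployment would feed it netstat- or Sysmon-style records with the process name attached.

```python
import ipaddress
import re
from collections import defaultdict

# Ports named in the Symantec observation quoted in the post above.
STORM_PORTS = {4000, 7871}
# Assumed threshold: the botnet section says each bot keeps 30-35 peers, so 20
# distinct remote hosts on one port from one process is already suspicious.
PEER_FANOUT_THRESHOLD = 20

# Constructed log line format (not a real tool's output):
#   <date> <time> <TCP|UDP> <local ip>:<port> <remote ip>:<port> <process>
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<lip>[\d.]+):(?P<lport>\d+)\s+"
    r"(?P<rip>[\d.]+):(?P<rport>\d+)\s+(?P<proc>\S+)$"
)

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def build_sample_log(peer_count=30):
    """Constructed sample: benign traffic plus a bot fanning out on UDP 4000."""
    lines = [
        "2007-08-31 22:51:01 TCP 10.0.0.5:1045 198.51.100.10:443 firefox.exe",
        "2007-08-31 22:51:02 TCP 10.0.0.5:1046 198.51.100.10:80 firefox.exe",
        "2007-08-31 22:51:03 UDP 10.0.0.5:1047 10.0.0.1:53 svchost.exe",
        "2007-08-31 22:51:04 TCP 10.0.0.5:1048 198.51.100.20:7871 services.exe",
        "garbage line that should be skipped",
    ]
    for i in range(peer_count):
        # 203.0.113.0/24 (TEST-NET-3) stands in for other infected peers.
        lines.append(
            f"2007-08-31 22:51:{10 + i % 50:02d} UDP 10.0.0.5:4000 "
            f"203.0.113.{i + 1}:4000 services.exe"
        )
    return "\n".join(lines)


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["lport"] = int(e["lport"])
        e["rport"] = int(e["rport"])
        events.append(e)
    return events


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect(events):
    """Return (severity, message) findings for Storm-like behaviour."""
    findings = []
    peers = defaultdict(set)   # (process, proto, remote port) -> remote IPs
    for e in events:
        if is_internal(e["rip"]):
            continue            # only Internet-bound traffic matters here
        proc = e["proc"].lower()
        if proc == "services.exe" and e["rport"] in STORM_PORTS:
            findings.append(("high",
                f"services.exe -> {e['rip']}:{e['rport']}/{e['proto']} "
                "(services.exe has no business talking to the Internet)"))
        peers[(proc, e["proto"], e["rport"])].add(e["rip"])
    for (proc, proto, rport), ips in peers.items():
        if len(ips) >= PEER_FANOUT_THRESHOLD:
            findings.append(("medium",
                f"{proc} contacted {len(ips)} distinct hosts on {proto}/{rport}: "
                "P2P-style peer fan-out"))
    return findings


if __name__ == "__main__":
    for severity, msg in detect(parse_log(build_sample_log())):
        print(f"[{severity}] {msg}")
```

The port rule is the cheap, brittle one (the thread itself notes the bot is re-encoded every 30 minutes, and a port is just as easy to change); the fan-out rule keys on the P2P structure the botnet section describes, which is harder for the operator to hide without giving up the peer list.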

09-04-07, 12:59 | BOD Member | Join Date: Jul 2007 | Posts: 296
Storm Botnet Puts Up Defenses And Starts Attacking Back
Quote:
The Storm worm authors have another trick up their sleeves.
The massive botnet that the hackers have been amassing over the last several months actually is attacking computers that are trying to weed it out. The botnet is set up to launch a distributed denial-of-service (DDoS) attack against any computer that is scanning a network for vulnerabilities or malware. All this, according to Doug Pearson, technical director of Ren-Isac, which is a collaboration of higher-education security researchers.
Ren-Isac, which is supported largely through Indiana University, recently issued a warning to about 200 member educational institutions and then put out a much broader alert, warning colleges and universities that their networks could come under heavy attack.
The warning noted that researchers have seen "numerous" Storm-related DDoS attacks recently. As the new school year is about to get underway, Ren-Isac is advising security professionals that the new attack "represents a significant risk" for the educational sector.
With students returning to campus in the next few weeks, schools are expected to scan the servers on their network to find vulnerabilities and malware that the students are bringing back with them. When the scanner hits an infected computer that is part of the Storm botnet, the rest of the botnet directs a DDoS attack back against the computer running the scan, explained Pearson in an interview with InformationWeek. The attacks can last more than a day, and can involve "very significant" traffic.
"It's a new behavior for a botnet," said Pearson. "It's acting in a defensive manner. It is a little [scary], isn't it?"
He noted, however, that this is more of a danger to schools than it is to corporate enterprises simply because of the placement of the scanners. Often, explained Pearson, universities and colleges don't have their scanners on a private network so it's visible to the Internet at large. If it was protected on a private network, the way it's done with most enterprises, the botnet would not be able to find it so there wouldn't be an IP route to send the DDoS packets.
"This is the first time I've seen an automated response like this," said Gunter Ollmann, director of security strategy at IBM's Internet Security Systems. "It has less to do with the Storm worm and more to do with the structure of the botnet."
Since the beginning of the month, some researchers have been warning that as the Storm worm grows into a prolonged online siege 10 times larger than any other e-mail attack in the last two years -- amassing a very large botnet -- its authors could be setting themselves up to launch a damaging denial-of-service attack.
Researchers at SecureWorks and Postini have said they think the Storm worm authors are cultivating such an enormous botnet to do more than send out increasing amounts of spam. All of the bots are set up to launch denial-of-service attacks and that's exactly what they're anticipating. DoS attacks are designed to pound computers with countless questions that flood its ability to respond, effectively taking the machine down.
And the latest discovery about the botnet's ability to defend itself with DDoS attacks is perhaps another sign that the Storm worm authors are adept at changing tactics.
Last week, researchers at SecureWorks discovered that the Storm worm authors have taken their full attention off of e-mail-based attacks and have started creating malicious Web pages. E-mail-based attacks -- phony e-cards and fake news alerts -- have worked exceedingly well, helping the attackers build up a massive botnet.
Don Jackson, a security researcher at SecureWorks, said in an interview that slowly but surely IT managers and consumers are getting better at blocking or at least ignoring the e-mail attacks, so the Storm worm authors are setting up a secondary attack venue.
The Storm worm was first spotted this past January and has been picking up speed and ferocity in the past several months.
Storm Worm Attack Shifts To Malicious Web Pages
Quote:
The virulent Storm worm which has been hammering the Internet has changed tactics, opening up a new attack vector.
Researchers at SecureWorks discovered late Wednesday that the Storm worm authors have taken their full attention off of e-mail-based attacks and have started creating malicious Web pages. E-mail-based attacks -- phony e-cards and fake news alerts -- have worked exceedingly well, helping the attackers build up a botnet at least 1.7 million strong, according to SecureWorks.
So, why change what's working?
Don Jackson, a security researcher at SecureWorks, said in an interview with InformationWeek that slowly but surely IT managers and consumers are getting better at blocking or at least ignoring the e-mail attacks, so the Storm worm authors are setting up a secondary attack venue.
"I think people are aware of the e-cards and the e-mail links by now," he added. "This is a way to continue its almost unprecedented distribution... Oh, the e-card [attack] is still growing. The use of the Web is just an indication that they expect that growth to slow and it has recently. It's still increasing but it's not increasing as sharply as it was."
Jackson said he spotted two malicious Web sites that have the Storm attack malware embedded in them. One site was set up specifically for malicious purposes, while the second is a legitimate site that attackers hacked into and infected. The legitimate site is a community forum for fans of Apple's Mac computers. Oddly enough, the malware doesn't affect the Mac -- only Microsoft (MSFT)'s Windows platform, and specifically the Internet Explorer browser.
Jackson noted that the attackers may have been trying to take advantage of all the hubbub around the new iMacs, which were announced this week. However, they simply may have been looking for any low-hanging fruit in terms of Web sites easy to infiltrate.
The attackers are using IFrame, which is an HTML feature that makes it possible to embed elements of one Web page inside another. Attackers trying to hijack legitimate pages often use IFrames to drop in, for example, a bank's logo or its password entry feature.
Last week, when the Storm worm was still focused exclusively on e-mail attacks, security company Postini reported that between July 16 and August 1, researchers there recorded 415 million spam e-mails. Before the Storm worm began its attack, an average day saw about 1 million virus-laden e-mails crossing the Internet. On July 19, Postini recorded 48.6 million and on July 24, researchers tracked 46.2 million malicious messages -- more than 99% of them are from the Storm worm.
The Storm worm was first spotted this past January and has been picking up speed and ferocity in the past several months.
Late in July, researchers said the Storm worm had erupted into the worst malware attack in the last two years. Last week, researchers said they have grown worried that the giant botnet that the authors have been building could be used to launch a massive denial-of-service attack.

09-04-07, 12:59 | BOD Member | Join Date: Jul 2007 | Posts: 296
detection results
Code:
Antivirus Version Last Update Result
AhnLab-V3 2007.9.1.0 2007.08.31 Win32/Zhelatin.worm.138240.B
AntiVir 7.4.1.66 2007.08.31 Worm/Zhelatin.HJ
Authentium 4.93.8 2007.08.31 W32/Tibs.XB
Avast 4.7.1029.0 2007.08.31 Win32:Tibs-BCY
AVG 7.5.0.484 2007.08.31 Generic6.WTZ
BitDefender 7.2 2007.08.31 Trojan.Peed.PB
CAT-QuickHeal 9.00 2007.08.31 -
ClamAV 0.91.2 2007.08.31 Trojan.Small-3273
DrWeb 4.33 2007.08.31 BackDoor.Groan
eSafe 7.0.15.0 2007.08.29 Win32.Zhelatin.hj
eTrust-Vet 31.1.5100 2007.08.31 Win32/Pecoan
Ewido 4.0 2007.08.31 -
FileAdvisor 1 2007.08.31 -
Fortinet 3.11.0.0 2007.08.31 W32/Tibs.HJ@mm
F-Prot 4.3.2.48 2007.08.31 W32/Tibs.XB
F-Secure 6.70.13030.0 2007.08.31 Email-Worm.Win32.Zhelatin.hj
Ikarus T3.1.1.12 2007.08.31 Backdoor.Win32.Agent.amd
Kaspersky 4.0.2.24 2007.08.31 Email-Worm.Win32.Zhelatin.hj
McAfee 5110 2007.08.31 W32/Nuwar@MM
Microsoft 1.2803 2007.08.31 -
NOD32v2 2494 2007.08.31 -
Norman 5.80.02 2007.08.31 W32/Tibs.dam
Panda 9.0.0.4 2007.08.31 Generic Malware
Prevx1 V2 2007.08.31 -
Rising 19.38.42.00 2007.08.31 Worm.Mail.Win32.Zhelatin.dau
Sophos 4.21.0 2007.08.31 W32/Bagz-I
Sunbelt 2.2.907.0 2007.08.25 -
Symantec 10 2007.08.31 Trojan Horse
TheHacker 6.1.9.175 2007.08.31 W32/Zhelatin.hj
VBA32 3.12.2.3 2007.08.30 Email-Worm.Win32.Zhelatin.hj
VirusBuster 4.3.26:9 2007.08.31 I-Worm.Zhelatin.AA
Webwasher-Gateway 6.0.1 2007.08.31 Worm.Zhelatin.HJ
Additional information
File size: 138263 bytes
MD5: f9d0ed9ce1af9a300160a6f1ed8e91da
SHA1: 82509815f244f896dd3df8cf96a043d2a53933b9
anubis
Code:
Table of Contents
1. General Information
2. video(2).exe
1. General Information
Information about Anubis' invocation
Time needed: 121 s
Report created: 8/31/2007, 10:51:51 PM
Termination reason: Timeout
Program version: 1.13
2. video(2).exe
General information about this executable
Analysis Reason: Primary Analysis Target
Filename: video(2).exe
MD5: f9d0ed9ce1af9a300160a6f1ed8e91da
CRC32: 2B77AD71
File Size: 138263 Bytes
Command Line:
Process-status at analysis end: alive
Exit Code: 0
Load-time Dlls
Module Name Base Address Size
0x7C910000 0x1
PEiD Output
Nothing found [Overlay] *
more articles
Code:
The biggest malware threat we’re dealing with at the moment is definitely the Storm worm. Unless your e-mail address is ultra secret, you probably received more than a couple of infamous e-card e-mails asking you to visit a strange URL address that can potentially lead to your machine being infected with the Storm worm.
While the Storm worm hasn’t brought anything really new, the authors definitely went a step further – the Storm worm’s code looks much better than a lot of malware we’ve seen. And besides that, you have a custom packer that makes analysis and detection more difficult, rootkit capabilities so it’s completely hidden, P2P botnet control and so on.
While analyzing one sample I noticed that the Storm worm tries to detect if it’s running in a virtual environment. This became pretty popular with malware writers lately. The main reason they're doing this is (presumably) to make analysis more difficult. The first step in malware analysis today is typically to run it in an isolated environment and to monitor its behavior.
By detecting virtual machines and changing the behavior, malware authors make analysis more difficult – an AV researcher either has to run the malware on physical machines, modify the virtual environment he’s using to prevent detection or manually analyze the malware. That being said, virtual environment detection is also a double edged sword for malware authors – by implementing something like this they are effectively losing certain number of potential victims which will only be higher in the future, as virtual machines are more and more popular (especially for servers).
The Storm worm tries to detect two popular virtual machine products: VMWare and Microsoft’s VirtualPC. If it detects that it’s running in one of these products it will simply reboot the machine – the machine will not be infected. So, let’s see how the Storm worm does this.
VMWare detection
Code:
The method used above was published by Ken Kato (http://chitchat.at.infoseek.co.jp/vmware/backdoor.html) and it uses VMware’s “backdoor” I/O port. Basically, VMWare supports a magic number (0x564D5868 = “VMXh”) that has to be used with VMWare’s I/O port (0x5658 = “VX”). After the IN instruction, if the program is running in VMWare the EBX register will contain the magic number. This method makes it trivial to detect VMWare (there are many, many other ways for doing this). Of course, if you are manually debugging this you can just change the result of the CMP instruction (zero the Z flag) and the Storm worm will not detect that you’re running in VMWare.
Code:
The Storm Worm uses Elias Bachaalany’s method (http://www.codeproject.com/system/VmDetect.asp - this web site seems to be down at the moment) for VirtualPC detection. Basically this method consists of using illegal instruction opcodes. The program sets an exception handler that is called on normal CPUs when an illegal instruction is encountered. However, if you are running in VirtualPC this will not happen and the program can easily detect if this is the case (the EBX register will stay 0 if VirtualPC is running).
It will be interesting to see if malware authors will change these tactics in the future as the number of virtual machines will grow for sure. As I already wrote – virtual environment detection is a double edged sword – it makes malware analysis more difficult (it is not always easy to circumvent detection as in this case) but it also decreases the number of potential victims. It is also clear that malware authors keep improving their code and that they are keeping an eye on research fields that interest them, such as virtual machine detection.
UPDATE: Some e-cards do like virtual environments …
I’ve received several submissions from our readers about samples that do work in virtual environments, especially in VMWare.
The sample I originally analyzed was one of the first variants of the Storm worm, acquired back on the 2nd of July. After I received these e-mails I decided to quickly analyze a couple of fresh samples (after all, I just need to check my e-mails; overnight I received a dozen of them).
Indeed, I found out that the latest versions of the Storm worm work in VMWare without any problem. What’s even more interesting, the latest sample I analyzed didn’t even try to hide itself – the process was nicely visible from the user land.
While I haven’t analyzed this further, there seem to be two main variants, just judging by their file size. Here are some samples I acquired, with their file sizes:
139238 fc66e6af9efd1cabdc52cf9aafd75140
96740 fc6c3532b4e27cb9ea59fde9898a6927
96695 fc7cee5c1e5717c10cf709c96e563d9c
96729 fc8c88a4d571afc8f2bc8eaec6eea759
96850 fd236947368d63c80dcd58eb809354d4
139247 fd3a02abc6ebc5001a6e3ba614579079
96771 fd436facccb626fadc5eecaa8c092d05
139173 fe2da62aa2ce1f0a54e78a50b2f538d7
139192 fe4ec24803b9f5f42cff13aaf8932b6b
139169 fe55823bfed577f1882c4ef79d683919
I’m not sure yet, but it looks like the 139kb variant includes a rootkit, while the 96kb one doesn’t.
One other thing I noticed was that almost all received e-card e-mails were marked as spam by my e-mail system. After checking the triggered rules (by SpamAssassin) it looks like the combination of DCC+Razor+various RBLs does the job. This also makes sense: since the e-mails are almost identical (with minor changes) it is very easy to detect them as spam with fuzzy matching algorithms such as those used by DCC and Razor.
--
Bojan
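Added example, my code rather than Bojan's or the worm's: the two checks the diary above describes (the VMware backdoor I/O port and the VirtualPC undefined opcode) reimplemented for Linux/GCC on x86, catching the fault a real CPU raises with a signal handler where Storm used a Windows exception handler. The post's own assembly listings did not survive, so the backdoor command number (10, "get version") and the opcode bytes (0F 3F 07 0B) are taken from the Kato and Bachaalany write-ups the diary links, not from the page; verify them against those sources. Storm rebooted the machine on a hit; this just reports it, which is what an analyst wants when checking what a sample would see inside a sandbox.

```c
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VMWARE_MAGIC          0x564D5868u   /* "VMXh" */
#define VMWARE_PORT           0x5658u       /* "VX"   */
#define VMWARE_CMD_GETVERSION 10u           /* backdoor command from Kato's doc (assumed) */

static sigjmp_buf fault_env;

/* A real CPU answers both probes with a fault; jump back to the probe site. */
static void fault_handler(int sig)
{
    (void)sig;
    siglongjmp(fault_env, 1);
}

static void arm_handlers(struct sigaction saved[3])
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = fault_handler;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &saved[0]);   /* #GP from a ring-3 IN */
    sigaction(SIGILL,  &sa, &saved[1]);   /* #UD from the bogus opcode */
    sigaction(SIGBUS,  &sa, &saved[2]);
}

static void disarm_handlers(struct sigaction saved[3])
{
    sigaction(SIGSEGV, &saved[0], NULL);
    sigaction(SIGILL,  &saved[1], NULL);
    sigaction(SIGBUS,  &saved[2], NULL);
}

/* 1 if the VMware backdoor answered with the magic in EBX, 0 if the IN faulted
 * or EBX was something else, -1 when not built for x86. */
int detect_vmware(void)
{
#if defined(__i386__) || defined(__x86_64__)
    struct sigaction saved[3];
    volatile int hit = 0;
    arm_handlers(saved);
    if (sigsetjmp(fault_env, 1) == 0) {
        uint32_t eax = VMWARE_MAGIC, ebx = 0, ecx = VMWARE_CMD_GETVERSION;
        uint32_t edx = VMWARE_PORT;
        /* Bare metal and other hypervisors raise #GP here (SIGSEGV);
         * VMware intercepts the port and returns the magic in EBX. */
        __asm__ volatile ("inl %%dx, %%eax"
                          : "+a"(eax), "+b"(ebx), "+c"(ecx)
                          : "d"(edx)
                          : "memory");
        hit = (ebx == VMWARE_MAGIC);
    }
    disarm_handlers(saved);
    return hit;
#else
    return -1;
#endif
}

/* 1 if VirtualPC swallowed the undefined opcode 0F 3F 07 0B and left EBX at 0,
 * 0 if the CPU raised #UD (SIGILL) as real hardware does, -1 when not x86. */
int detect_virtualpc(void)
{
#if defined(__i386__) || defined(__x86_64__)
    struct sigaction saved[3];
    volatile int hit = 1;
    arm_handlers(saved);
    if (sigsetjmp(fault_env, 1) == 0) {
        uint32_t ebx = 0;
        __asm__ volatile (".byte 0x0F, 0x3F, 0x07, 0x0B" : "+b"(ebx) : : "memory");
        hit = (ebx == 0);   /* no fault and EBX untouched: VirtualPC answered */
    } else {
        hit = 0;            /* #UD delivered: a real CPU */
    }
    disarm_handlers(saved);
    return hit;
#else
    return -1;
#endif
}

int main(void)
{
    printf("VMware backdoor:  %d\n", detect_vmware());
    printf("VirtualPC opcode: %d\n", detect_virtualpc());
    return 0;
}
```

Build with gcc -O2 and run it. On bare metal and under KVM or Xen both functions return 0 because the IN and the opcode fault; inside a VMware guest the first returns 1. Getting a sample past the check in a debugger is exactly what Bojan describes: flip the result of the compare, which here means forcing hit to 0 before it is returned.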

09-06-07, 16:48 | BOD Member | Join Date: Jul 2007 | Posts: 296
More:
A new round of Storm worm attacks is playing on people's paranoia about being watched online.
This time the lure leads users to a "TOR download" page, which is... surprise, surprise... fake.

Clicking on the button in that webpage will download a malicious file called tor.exe into the system. This file is already detected as Email-Worm:W32/Zhelatin.IL.
Do note that the real TOR application is hosted on http://tor.eff.org/. For those unfamiliar with it, it is a system designed to enable its users to communicate anonymously over the Internet.

09-07-07, 17:05 | BOD Member | Join Date: Jul 2007 | Posts: 296
Stony Stevenson writes to mention that some security researchers are claiming that the Storm Worm has grown so massive that it could rival the world's top supercomputers in terms of raw power. "Sergeant said researchers at MessageLabs see about 2 million different computers in the botnet sending out spam on any given day, and he adds that he estimates the botnet generally is operating at about 10 percent of capacity. 'We've seen spikes where the owner is experimenting with something and those spikes are usually five to 10 times what we normally see,' he said, noting he suspects the botnet could be as large as 50 million computers. 'That means they can turn on the taps whenever they want to.'"

09-11-07, 06:44 | BOD Member | Join Date: Nov 2005 | Location: New Mexico | Posts: 273
phew!!!!!!!!!!
That doesnt sound good.....

09-11-07, 16:39 | BOD Member | Join Date: Jul 2007 | Posts: 296
Sounds like the author has no life and that the people infected are morons.

09-14-07, 17:21 | BOD Member | Join Date: Jul 2007 | Posts: 296
More info on the worm. I wish I had the source code to it.
Quote:
Storm Worm linked to spam surge
A recent upsurge in Storm Worm activity was accompanied by a spike in spam levels 48 hours later, according to an analysis by managed security services firm MessageLabs.
After the August 15 outburst, which involved the distribution of 600,000 Trojans in only 24 hours, junk levels increased on August 17 by more than 30 per cent. These levels sustained for the next week and then returned to normal.
The August outbreak involved virtual postcards and YouTube video invites. More recently Storm Worm-themed emails have posed as links to National Football League fixtures lists.
Although the body text and subject line keep changing, the emails always consist of simple text or HTML including a single link to an IP address. That IP address refers to another infected machine within the botnet, which subsequently redirects to a back-end server in an attempt to infect the victim with a copy of the Storm Worm Trojan code. The back-end server automatically re-encodes the malware every thirty minutes to make signature detection difficult for traditional anti-virus vendors.
Infection turns PCs into zombie spam drones under the control of hackers. MessageLabs reckons the Storm Worm botnet accounts for 1.8m compromised PCs worldwide.
The location of the command and control servers used to manipulate the botnet are safeguarded behind a rapidly-changing DNS technique known as ‘fast-flux’, making it difficult to locate and take down hosting sites and mail servers.
Based on the tactics and techniques used in outbreaks, MessageLabs reckons the Storm Worm gang is a small group of young adults, likely to be in their early 20s, and from Russia.
"It is unlikely that the Storm Worm gang is an organised criminal group as the underworld, or shadow economy, is largely constructed of a loose affiliation of disconnected but highly-specialised individuals and small groups," said Paul Wood, MessageLabs security analyst. "Their motive is to make as much money from the botnet as possible."
"Storm Worm's closest rival botnet, Warezov, is likely to be Asian in origin," he added.
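Two mail-side checks from the thread, as an added example that is not from any of the quoted sources: Bojan's note in the earlier post that the near-identical e-card e-mails fall to fuzzy matching (DCC, Razor), and the MessageLabs observation above that the lure is plain text or HTML carrying a single link to a raw IP address. The script is mine; the e-mails, the documentation-range IP addresses and the 0.6 similarity threshold are constructed for illustration, and a word-shingle Jaccard measure stands in for the DCC/Razor checksum services, which need network access.

```python
import ipaddress
import re

# Constructed messages (documentation IP ranges, not real Storm hosts).
KNOWN_LURES = [
    "Your friend has sent you a greeting card. To see it, click here: "
    "http://192.0.2.44/ Thank you!",
]
INCOMING = {
    "ecard": "A family member has sent you a greeting card. To see it, click here: "
             "http://198.51.100.17/ Thank you!",
    "meeting": "Hi Bob, the meeting moved to Thursday at 3pm. Bring the "
               "quarterly numbers. Thanks, Alice",
    "newsletter": "Read this week's issue at https://news.example.com/issue/42",
}

# Captures the host part of an http(s) URL; the rest of the URL is consumed.
URL_RE = re.compile(r"https?://([^/\s:]+)(?::\d+)?[^\s]*", re.I)


def raw_ip_links(body):
    """Hosts in URLs that are literal IPv4 addresses rather than names."""
    ips = []
    for host in URL_RE.findall(body):
        try:
            ips.append(str(ipaddress.ip_address(host)))
        except ValueError:
            continue   # a hostname, not an address
    return ips


def shingles(body, k=3):
    """Word k-grams after replacing every URL with a placeholder token, so
    the per-recipient link does not affect similarity."""
    text = URL_RE.sub(" url ", body).lower()
    words = re.findall(r"[a-z0-9]+", text)
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a, b):
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def classify(body, known_lures=KNOWN_LURES, threshold=0.6):
    """Reasons to treat the message as a Storm lure; an empty list means clean."""
    reasons = []
    ips = raw_ip_links(body)
    if ips:
        reasons.append("link to raw IP address: " + ", ".join(ips))
    mine = shingles(body)
    best = max((jaccard(mine, shingles(lure)) for lure in known_lures), default=0.0)
    if best >= threshold:
        reasons.append(f"near-duplicate of a known lure (similarity {best:.2f})")
    return reasons


if __name__ == "__main__":
    for name, body in INCOMING.items():
        print(name, "->", classify(body) or "clean")
```

The raw-IP rule alone would also catch intranet links and some legitimate mail, which is why the similarity score is reported alongside it: the thread says the body text and subject keep changing, but only by small edits, and that is the regime where shingle overlap stays high while a byte-exact signature fails.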

09-15-07, 06:23 | Chief Operating Officer | Join Date: Dec 2006 | Posts: 1,088
Taslayer, can you provide us more information on the Storm worm's effects and ways to disable it?

09-16-07, 19:02 | BOD Member | Join Date: Jul 2007 | Posts: 296
Make me work... use Google... nah, I'll be nice.
How to get rid of the worm... download my worm... it kills all other worms :P
(Actually that would work if I made the exe remove itself after infection, but it would still be considered a virus due to the fact that all antiviruses don't want to be outshone by a 16-year-old.)
All I can say is: delete all files that are detected as W32.Storm.Worm and remove the added registry values.
i.e. delete your current user/run etc. :P and your moo.dll (do not remove moo.dll; it is an important system file with a funny name, which makes it automatically cool).

09-17-07, 03:53 | BOD Member | Join Date: Nov 2005 | Posts: 54
Thanks Taslayer for giving us this information

09-17-07, 04:48 | BOD Member | Join Date: Nov 2006 | Posts: 271
To be honest, I haven't detected the same on my system, at least. :D

09-18-07, 18:37 | BOD Member | Join Date: Jul 2007 | Posts: 296
You only get it if you are stupid enough to click the links in your email.

09-19-07, 04:36 | BOD Member | Join Date: Jul 2007 | Posts: 128
I think, Linux Tech, now you understood why you didn't face this problem.