Storm Worm: follow up

This blog post is a follow up of the first done by Jacques.

We've monitored the situation today, even though the Storm worm is back a bit before our expectations.

Again, in Storm gang tradition, they made use of a new polymorphic packer to delay detection of the new release by antivirus companies.

We've monitored during last 40 hours 253 different repacked variants of the Storm worm release, this means a new variant every 9 or 10 minutes. Definitely a nightmare.

A part from this, nothing really new technically speaking from the last version released over Christmas time.

The rootkit dropper is named burito[postfix].sys and the config file is called burito.ini, both dropped inside Windows System directory.

But, knowing how many times the Storm gang changed the rootkit prefix name during last attack, we are expecting a change is going to be made when most of antivirus companies will detect this release.

This time they aren't using domains to spread the malware, but directly IP addresses belonging to the botnet. This mean that blocking the spreading is more difficult now.

Actual subjects and mail body texts used to spread the malware are these:

• A Dream is a Wish
• A Is For Attitude
• A Kiss So Gentle
• A Rose
• A Rose for My Love
• A Toast My Love
• A Token of My Love
• Come Dance with Me
• Come Relax with Me
• Destiny
• Dream of You
• Eternal Love
• Eternity of Your Love
• Falling In Love with You
• For You....My Love
• Happy I'll Be Your Bride
• Heavenly Love
• Hugging My Pillow
• I am Complete
• I Love Thee
• I Would Dream
• If Loving You
• In Your Arms
• Inside My Heart
• Kisses Through E-mail
• Love Is...
• Magic Power Of Love
• Memories of You
• Miracle of Love
• My Love
• Our Love is Free
• Our Love is Strong
• Our Love Nest
• Our Love Will Last
• Pages from My Heart
• Path We Share
• Sending You All My Love
• Sent with Love
• Surrounded by Love
• The Dance of Love
• The Mood for Love
• The Moon & Stars
• The Time for Love
• When Love Comes Knocking
• Words in my Heart
• Wrapped in Your Arms
• You... In My Dreams
• You're in my Soul
• You're In My Thoughts
• You're my Dream
• You're the One
• Your Love Has Opened

The good news is that we detect all variants as Stormy:All Strains-All Variants.

Everything looks like its going like the Christmas attack, so we expect this wave is going to hold up for the next few days.

We'll continue monitoring the situation.