- Name: CAEN Staff
- Email: security@engin.umich.edu
- Phone: (734) 764-CAEN
ITSS advises on the spread of the Storm Worm
This article was written to make the community aware of malware that propagates via email called the Storm Worm. With students and faculty returning to campus for the school year, we'd like to make everyone aware of the threat, and what can be done to minimize its impact.
PLATFORMS AFFECTED
All Windows systems on which a user reads email and agrees either to open an attachment or to visit a web site.
TECHNICAL DESCRIPTION
The Storm Worm has multiple variations, but it appears as an email carrying either an executable (EXE) attachment or a link to a web site. The text of the email varies, but it is designed to entice the recipient either to open the EXE attachment or to visit the malicious web site. One of the more common variations appears as an ecard, with a subject like "You've received a greeting ecard from a Worshipper". If the email contains a link, clicking it leads to a web site that asks the user to run an EXE file. Some recent variations include web browser exploits that launch the EXE file without user intervention. Once launched, the Storm Worm uses the eDonkey peer-to-peer protocol to connect to other infected machines; this protocol uses UDP over arbitrary port numbers. The worm immediately begins sending large volumes of email to other addresses. Many variations also include rootkit functionality to hide the executable that sends the mail.
There have been reports that machines infected with the Storm Worm will respond to network scans by launching a network denial-of-service attack on the scanning machine. We've observed that RootkitRevealer from Microsoft will detect the rootkit as an EXE or SYS file in the C:\WINDOWS or C:\WINDOWS\SYSTEM32 directories.
It's important to understand that this worm is constantly evolving, may begin to behave differently, and may require different methods of detection. The email messages the worm generates are changing on an almost daily basis.
RESPONSE
ITSS is using Arbor Networks' Peakflow X to monitor the campus for signs of infected machines. ITSS has also been working with ResNet and U-M VirusBusters to ensure students are aware of the threat. The central mail servers on campus scan incoming email for viruses, but some messages, particularly ones containing only links, may continue to be delivered.
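As an added example (not part of the original advisory, and not how Peakflow X itself works), the following Python sketch applies the behavioural indicators described above, a host sending SMTP directly to many outside destinations and holding UDP conversations with many peers on arbitrary ports, to constructed flow records; the addresses, relay list and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed flow records (src_ip, dst_ip, proto, dst_port); the addresses are
# RFC 5737 documentation ranges, not real campus hosts.
SAMPLE_FLOWS = [
    # Ordinary workstation: web traffic plus mail sent only via the campus relay.
    ("192.0.2.10", "198.51.100.5", "tcp", 80),
    ("192.0.2.10", "198.51.100.6", "tcp", 443),
    ("192.0.2.10", "198.51.100.25", "tcp", 25),
]
# Suspect workstation: direct SMTP to 40 outside hosts plus UDP conversations
# with 30 peers on arbitrary high ports, the pattern the advisory describes.
SAMPLE_FLOWS += [("192.0.2.66", f"203.0.113.{i}", "tcp", 25) for i in range(1, 41)]
SAMPLE_FLOWS += [("192.0.2.66", f"203.0.113.{100 + i}", "udp", 10000 + 37 * i)
                 for i in range(30)]
CAMPUS_MAIL_RELAYS = frozenset({"198.51.100.25"})  # assumed relay address

def summarize(flows):
    """Per source host, collect distinct SMTP destinations and UDP peer/port pairs."""
    smtp_dsts, udp_peers = defaultdict(set), defaultdict(set)
    for src, dst, proto, dport in flows:
        if proto == "tcp" and dport == 25:
            smtp_dsts[src].add(dst)
        elif proto == "udp" and dport >= 1024:
            udp_peers[src].add((dst, dport))
    return smtp_dsts, udp_peers

def flag_suspects(flows, relays=CAMPUS_MAIL_RELAYS, smtp_min=20, udp_min=15):
    """Return {host: [reasons]} for hosts exceeding either fan-out threshold.
    Thresholds are illustrative assumptions. Direct SMTP to many hosts that
    bypasses the relay is the stronger signal; UDP fan-out alone is also produced
    by legitimate peer-to-peer clients and serves only as corroboration."""
    smtp_dsts, udp_peers = summarize(flows)
    suspects = {}
    for src in set(smtp_dsts) | set(udp_peers):
        reasons = []
        direct = smtp_dsts[src] - relays  # mail that did not go through the relay
        if len(direct) >= smtp_min:
            reasons.append(f"direct SMTP to {len(direct)} hosts")
        if len(udp_peers[src]) >= udp_min:
            reasons.append(f"UDP to {len(udp_peers[src])} distinct peer/port pairs")
        if reasons:
            suspects[src] = reasons
    return suspects

if __name__ == "__main__":
    for host, why in flag_suspects(SAMPLE_FLOWS).items():
        print(host, "->", "; ".join(why))
```

Hosts flagged this way are candidates for the RootkitRevealer check and anti-virus scan described above, not confirmed infections.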
ACTION ITEMS
- Make your users aware of the threat, and advise them to immediately delete unsolicited email containing executable attachments or links.
- Ensure your machines are running the latest anti-virus software.
- Ensure your machines have security patches regularly applied.
- If you find an infected machine, please let us know by sending email to security@engin.umich.edu so we can monitor the situation.