
Storm Worm

Virus:   Storm Worm.

Status:   Real.

Example:   [Collected via e-mail, 2007]

Subj: 230 dead as storm batters Europe

Attachment: video.exe

Origins:   The "Storm Worm" (so named because the spam e-mail messages that carried it commonly bore the subject line "230 dead as storm batters Europe") began hitting computers around the world in mid-January 2007. The malicious payload it carries (which may be one of several, including Trojan.Peacomm or Win32.Small.DAM, a variant of Win32.Small) affects most Windows-based platforms (i.e., Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP) and is spread as an attachment to e-mail messages, one that installs a Trojan horse onto the message recipient's computer.

The Storm Worm may arrive in a message with any of the following subject lines (intended to lure the recipient into reading the message by offering a political headline of great interest):
  • F.B.I. vs. Facebook
  • Strongest earthquake hits Beijing
  • Death toll in China exceeds 1000000
  • Recent china earthquake kills million
  • 230 dead as storm batters Europe.
  • A killer at 11, he's free at 21 and...
  • British Muslims Genocide
  • Naked teens attack home director.
  • U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
  • Russian missle shot down Chinese satellite
  • Russian missle shot down USA aircraft
  • Russian missle shot down USA satellite
  • Chinese missile shot down USA aircraft
  • Chinese missile shot down USA satellite
  • Sadam Hussein alive!
  • Sadam Hussein safe and sound!
  • Radical Muslim drinking enemies' blood.
  • U.S. Southwest braces for another winter blast. More then 1000 people are dead.
  • Venezuelan leader: "Let's the War beginning".
  • Hugo Chavez dead.
  • President of Russia Putin dead.
  • Third World War just have started!.
  • The Supreme Court has been attacked by terrorists. Sen. Mark Dayton dead!.
  • The commander of a U.S. nuclear submarine lunch the rocket by mistake..
  • First Nuclear Act of Terrorism!.
  • So in Love
  • Happy World Religion Day!
  • Most Beautiful Girl
  • Someone at Last
  • I Believe
  • The Dance of Love
  • The Miracle of Love
  • All For You
  • Vacation Love
  • I am Complete
  • Wrapped Up
  • Moonlit Waterfall
  • A Little (sex) Card
  • A Special Kiss
  • Hugging My Pillow
  • Safe and Sound
  • You're Soo kissable
  • A Romantic Place
  • Breakfast in Bed Coupon
  • For You
  • I Love You So
  • Want to Meet?
  • We Are Different
  • We Have Walked
  • You Asked Me Why
The attachment filename may be any of the following:
  • Full Clip.exe
  • Full Story.exe
  • Read More.exe
  • Video.exe
  • Full Video.exe
  • Full Text.exe
  • Flash Postcard.exe
In April 2007 a new variant of Trojan.Peacomm was unleashed on the Internet, this one varying from the previous "Storm worm" attack in that the attachments carrying the payload were password-protected .ZIP files (which recipients were tricked into unzipping and running to putatively protect themselves from some other worm). E-mails containing this variant typically had subject lines such as the following:
  • ATTN!
  • Spyware Alert!
  • Spyware Detected!
  • Trojan Alert!
  • Trojan Detected!
  • Virus Activity Detected!
  • Virus Alert!
  • Virus Detected!
  • Warning!
  • Worm Activity Detected!
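
An added example (not part of the original article): a mail-gateway check in Python for the two delivery methods described above, executable attachments and password-protected .ZIP attachments. The function names, reason labels, sample addresses and the archive member name are assumptions made for illustration; the attachment names and subject lines are taken from the lists on this page.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Attachment names from this page; the subject set is a small subset of its lists.
LURE_NAMES = {"full clip.exe", "full story.exe", "read more.exe", "video.exe",
              "full video.exe", "full text.exe", "flash postcard.exe"}
LURE_SUBJECTS = {"230 dead as storm batters europe", "virus alert!", "trojan detected!"}

def zip_is_encrypted(data):  # ZIP general-purpose flag bit 0 = encrypted member
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False

def inspect(raw):
    """Return the reasons a raw message (bytes) should be quarantined."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []
    subject = str(msg["Subject"] or "").strip().rstrip(".").lower()
    if subject in LURE_SUBJECTS:
        reasons.append("known-lure-subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        if name in LURE_NAMES:
            reasons.append("known-lure-filename")
        if name.endswith(".exe"):  # block executables whatever they are called
            reasons.append("executable-attachment")
        if name.endswith(".zip") and zip_is_encrypted(part.get_payload(decode=True)):
            reasons.append("password-protected-zip")
    return reasons

def sample(subject, filename, payload):  # constructed test message; placeholder addresses
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content("constructed body")
    m.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()

def flagged_zip():  # constructed: plain ZIP with the encryption bit set by hand
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notice.txt", "constructed")
    data = bytearray(buf.getvalue())
    data[6] |= 1                             # flags field of the local file header
    data[data.find(b"PK\x01\x02") + 8] |= 1  # flags field of the central directory entry
    return bytes(data)
```

The subject and filename lists only catch the lures already catalogued here; the executable and encrypted-archive checks are the ones that still apply when the wording changes.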

The underlying worm is the same one that has appeared in messages with subject lines such as "You've received an e-card from an admirer," the "Laughing Kitty," and the "Dancing Skeleton," as well as in several game and music download offers. According to spamtrackers.eu:
The storm network is large enough to cut off internet access from any institution its operators choose to attack via a "distributed denial of service attack," in which hundreds or thousands of computers request files from a server simultaneously. The entire country of Estonia was brought down that way last year. The network is actually available for rent for anyone who wishes to use it to send spam, host illegal websites, or stage denial of service attacks.

Storm is a serious threat for several reasons. It communicates "peer-to-peer" instead of via a "command and control" network. For that reason, you can't just disable a few computers that are feeding instructions to the others. The virus download is encrypted, so it is difficult for antivirus programs to recognize, and infected computers are updated by the peer network on a daily basis to keep antivirus programs from recognizing it once they are updated to recognize previous editions of the virus. The number of infections worldwide is massive, and a quarter of them are on major networks in the US like SBC, Comcast, and Roadrunner. That means that a bank or other business under denial of service attack can't simply block all traffic from certain segments of the internet, because it would be blocking its own users that are sharing those same internet addresses with storm infected computers as they log in and out of the internet. It is believed that Storm's operators are located in St. Petersburg, Russia, are known to the Russian government, and enjoy its protection.

Since antivirus programs will not protect your computer, the most important thing is for people to be extremely suspicious about where they go and what they click on. Never click on any link in an email from someone you don't know. Never click on a link in an advertisement on the internet — if you want to visit that site, look up the address yourself.
Additional information on the Storm Worm (including disinfection/removal instructions) may be found at F-Secure.

Additional information:
Small.DAM (F-Secure)
Last updated:   1 August 2008

Urban Legends Reference Pages © 1995-2014 by snopes.com.
This material may not be reproduced without permission.
snopes and the snopes.com logo are registered service marks of snopes.com.

Sources:
    Reuters.   "'Storm Worm' Hits Computers Around the World."   19 January 2007.