Storm worm returns

A new variant of the "Storm worm" that wreaked havoc across the Internet in January has shown up again. Johannes Ullrich of the SANS Institute said: "This is potentially a huge problem. It's basically impossible to shut this thing down…. And once a user is infected, it's very hard to get rid of it. They would probably have to reinstall their system."
Storm is in essence a very simple worm that delivers a malicious payload. It spreads via email carrying two attachments: an encrypted zip file and an image. The image shows the password needed to unzip the archive, which supposedly contains a patch for a new vulnerability. Because the payload sits inside an encrypted archive, anti-virus software cannot inspect it in transit and so finds it very hard to block the email. I would however expect most anti-virus packages to block access to the files on the fly, via their on-access scanner, once the archive is unpacked. Once a user is infected, the computer joins a peer-to-peer network through which files are easily transferred to other hosts. As would be expected, the machine also becomes a botnet zombie, giving the attacker full remote control of it. The worm propagates by emailing itself to every address in the victim's address book.
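As an added illustration (not code from the original post), here is a small Python check of the kind a mail gateway could run against the lure described above: it looks for an encrypted ZIP attachment travelling together with an image attachment, and it does so by reading the ZIP headers rather than the content, so no password is needed and nothing is extracted. The sample message, the `make_zip` helper and all function names are my own constructions; the standard-library `zipfile` module cannot write password-protected archives, so the helper sets the encryption flag (general purpose bit 0) in an unencrypted archive by hand to stand in for a real one.

```python
"""Gateway-side check for the encrypted-zip-plus-image lure.

Added example, not code from the original post. The sample message and the
archive are constructed inline so the script runs offline.
"""
import email
import io
import struct
import zipfile
from email import policy
from email.message import EmailMessage

ZIP_FLAG_ENCRYPTED = 0x0001  # general purpose bit 0 in ZIP local/central headers


def zip_has_encrypted_entries(data: bytes) -> bool:
    """True if any entry in the archive carries the encryption flag.

    Only the central directory is parsed; entries are never opened, so the
    password is not needed and nothing is written to disk. Anything that is
    not a well-formed ZIP is reported as not encrypted (a separate policy
    can decide what to do with unparseable archives).
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & ZIP_FLAG_ENCRYPTED for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def classify_message(raw: bytes) -> dict:
    """Inspect a raw RFC 5322 message and report the indicators the lure relies on."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    encrypted_zips, images = [], []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        if ctype.startswith("image/"):
            images.append(name)
        elif ctype in ("application/zip", "application/x-zip-compressed") or name.lower().endswith(".zip"):
            if zip_has_encrypted_entries(payload):
                encrypted_zips.append(name)
    return {
        "encrypted_zips": encrypted_zips,
        "images": images,
        # The combination is the signal: an encrypted archive whose password
        # is delivered out of band (here, as a picture) in the same mail.
        "quarantine": bool(encrypted_zips) and bool(images),
    }


def make_zip(flag_encrypted: bool) -> bytes:
    """Build a one-entry archive (constructed test data).

    zipfile cannot produce password-protected archives, so for the
    'encrypted' case we flip general purpose bit 0 in both the local file
    header (offset 6) and the central directory entry (offset 8). A real
    encrypted entry would also carry ciphertext, but the flag is what a
    header-only scanner keys on.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("patch.exe", b"MZ not really a program")  # harmless stand-in
    data = bytearray(buf.getvalue())
    if flag_encrypted:
        local = data.index(b"PK\x03\x04")
        central = data.index(b"PK\x01\x02")
        struct.pack_into("<H", data, local + 6, ZIP_FLAG_ENCRYPTED)
        struct.pack_into("<H", data, central + 8, ZIP_FLAG_ENCRYPTED)
    return bytes(data)


def build_sample_message(zip_bytes: bytes) -> bytes:
    """Constructed sample mail mimicking the lure: body text plus the two attachments."""
    msg = EmailMessage()
    msg["From"] = "updates@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Worm Alert!"
    msg.set_content("Install the attached patch. The password is in the image.")
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip",
                       filename="patch-1234.zip")
    msg.add_attachment(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,  # fake PNG header
                       maintype="image", subtype="png", filename="password.png")
    return msg.as_bytes()


if __name__ == "__main__":
    verdict = classify_message(build_sample_message(make_zip(True)))
    print(verdict)
```

The check deliberately keys on the archive header rather than the content, which is exactly what the on-the-wire scanner in the post cannot see; it will also flag legitimate encrypted archives that happen to travel with a picture, so in practice the `quarantine` verdict belongs in a hold-for-review queue rather than a hard reject.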
The worrying thing about the success of this most recent outbreak is that it depends wholly on user stupidity: running an executable file unexpectedly received via email. Postini handles around 2 billion emails per day, of which about one million are usually viruses. On the 12th, when this outbreak took place, Postini reported seeing 7.7 million viruses, 7 million of which were the Storm worm. When will people learn!