Mespam Trojan - New Storm Worm version spreading as blog comments - Security Protection

Common Tasks

Community

Email Notifications

Personal Links

Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

Mespam Trojan - New Storm Worm version spreading as blog comments

This new Trojan from the Storm Worm authors, registers a malicious dll as a COM object and Browser Helper Object (BHO) for Microsoft Internet Explorer. It can then inject a copy of the malicious code into blog comments automatically from an infected PC.

Please avoid any "fun video links" you may see in a blog post as AV protection is very limited at this point.

Mespam Trojan - New Storm Worm version spreading as blog comments
http://secunia.com/virus_information/35867/spam-mespam/
http://vil.nai.com/vil/content/v_141590.htm
http://www.sophos.com/security/analyses/malcimuza.html

Security Watch commentary - New Storm Worm spreading via Blog Posts

QUOTE: A Storm worm variant using both e-mail and Web sites to infect Windows-based PCs is injecting itself into the responses people are leaving on blogs. Dmitri Alperovitch, principal research scientist at Secure Computing, told eWEEK that the worm is injecting itself into the operating system as a rootkit and is capable of intercepting Web traffic.

When a user with an infected system visits a bulletin board or posts to a blog, the worm inserts a malware into his or her comments. The line asks readers to look at a fun video and contains a link leading to a Web site where the malware is waiting to reinfect more users.

The worm is taking over PCs, Secure Computing reports, giving the criminal control for multiple purposes: sending spam, launching DDoS attacks and running keyloggers.

Also notable in this worm is that it's using server polymorphism—i.e., it contains self-modifying code that changes automatically every time it is downloaded. This worm form has been around "for ages," Alperovitch said, such as in the Bagle worm. Morphing worms are designed to avoid antivirus signature detection, and so far, Alperovitch said, it's working, as few major antivirus vendors have detected it.

To avoid infection, the advice is to refrain from clicking on the "fun video" link.

Posted: Feb 28 2007, 05:40 PM by Harry Waldron | with 1 comment(s)

Comments

Zac said:

Do you think it is wise to have an open comment posting option at the completion of this article given the subject matter of the article? Would requiring posters to register in any way help suppress the threat posed in this article?

# November 5, 2007 11:16 PM

Questions? Contact Susan at Susan-at-msmvps.com. Each post's copyright held by the original author. All rights reserved. Blog site is an independent site not sponsored by Microsoft.
Our servers would like to thank www.ownwebnow.com and www.exchangedefender.com. We wouldn't be here without the generosity of Vlad Mazek and his companies.

Powered by Community Server (Commercial Edition), by Telligent Systems

Theme based on the Paperclip Blog Theme included in Community Server.
Enhanced to a Site-Wide Theme by Interscape Technologies.