Tuesday, 21 August 2007

storm worm: next generation

Sorry for the late right up on this.. but it was more important to get all the signatures out this morning to cover all these variants then to do a write up.

Here's one of the many variants of the storm worm "member"/"logon" emails:

If you do click on the link you either get an auto-downloaded exe file or you get to see the following page (note: firefox pops up a warning about the page [red stop sign])

The exe file you are asked to download is re-packed every 30 mins or so, to try and avoid detection by anti-virus software. The sample above was submitted to VirusTotal with the following results:

Detection for all these email variants was added about 09:30am BST as the following:

Email.Malware.Sanesecurity.07082100 to Email.Malware.Sanesecurity.07082107

No comments: