Every year, there’s always at least one major malware outbreak that rampages across the globe. Remember 2007? Back then, a threat called “Storm Worm” caught mainstream media attention for affecting millions of computers. In fact, the malware’s distributed computing capability was so powerful that it easily outperformed the world’s most powerful supercomputer at the time.
What Does the Storm Worm Do?
While commonly referred to as the Storm Worm, this malware is technically not a worm but rather a Trojan horse, in that it contains malicious functions while claiming to be a legitimate program. The malware is also known as Peacomm, Nuwar and Small.DAM. It compromises computers that run certain versions of the Windows operating system.
Once active in the system, the Storm Worm drops a file called wincom32.sys that surreptitiously runs as a device driver service. The malware opens a number of UDP ports to establish contact with a private, encrypted peer-to-peer (P2P) network based on the Overnet protocol. When contact is made, it registers the computer as a new peer in the P2P network, where it waits for instructions from its controllers. The network is also where the Storm Worm may download several files, usually named game0.exe through game5.exe. Each of these files has its own function, including launching distributed denial-of-service (DDoS) attacks, installing a backdoor through which the controllers can remotely access the computer, stealing email addresses, and using those addresses to spread the malware further.
The entire process essentially aims to make the infected computer part of a large, for-profit botnet under the control of the Storm Worm creators. But unlike the typical botnet, the Storm Worm botnet does not rely on a centralized server for command and control. Instead, command and control is embedded into each peer in the P2P network. This makes the whole operation more difficult for law enforcement to take down, because when a node is shut down, other nodes can easily take its place.
Note that there’s a similarly named malware called W32.Storm.Worm, which was released in 2001 to initiate DDoS attacks against http://www.microsoft.com.
How Does the Storm Worm Spread?
One of the ways the Storm Worm spreads is through email as an EXE file attachment. The malware author makes use of social engineering to encourage users to download and open the attachment. Specifically, the subject line of an infected email mentions fake, yet sensational, stories to incite rabid curiosity. The subject line would be something like “a killer at 11, he’s free at 21 and killing again,” “naked teens attack home director,” and “radical Muslim drinking enemy blood.” An infected email may also pose as a holiday greeting from a loved one, claiming to have a link to an e-card that actually unleashes the Storm Worm.
The infected email may also claim to have the latest news about a recent event. For instance, infected emails in 2008 had subject lines that mentioned fictitious deadly earthquakes and catastrophes in China to exploit the anticipation and hype of the Beijing Olympics. The Storm Worm actually got its name for spreading emails that carried the subject line “230 dead as storm batters Europe,” which refers to the European windstorm Kyrill in 2007.
Email providers have toughened their security measures against malicious attachments, primarily by prohibiting the sending of EXE file attachments. In response, the Storm Worm uses compromised Web pages to spread its payload. Some variants of the malware still spread through email, but they hide inside password-protected ZIP files (with the password mentioned in the email body) to bypass the restrictions set by email providers.
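A mail-gateway check for the attachment tricks just described, written as an added example that is not part of the original article: it parses a constructed message, flags bare executables, ZIP attachments whose entry names end in .exe (entry names stay in clear even in password-protected archives), and encrypted ZIPs whose password is handed over in the message body. The sample messages, the ZIP entries and the password regex are constructed for the example; the local-file-header layout is the standard PKZIP format.

```python
import email
import re
import struct
import zlib
from email import policy
from email.message import EmailMessage

ZIP_LOCAL_SIG = b"PK\x03\x04"
PASSWORD_HINT = re.compile(r"\bpassword\b", re.I)  # constructed, crude body heuristic

def zip_entries(data):
    """Yield (name, encrypted) for each local file header in a ZIP blob.
    Flag bit 0 of the header marks an encrypted entry; only local headers
    are walked, so no central directory is needed."""
    pos = 0
    while data.startswith(ZIP_LOCAL_SIG, pos):
        (_sig, _ver, flags, _meth, _t, _d, _crc, csize, _usize,
         nlen, xlen) = struct.unpack_from("<4sHHHHHIIIHH", data, pos)
        yield data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace"), bool(flags & 1)
        pos += 30 + nlen + xlen + csize

def make_zip_entry(name, payload, encrypted):
    """Constructed sample: one stored local entry. 'encrypted' only sets the
    header flag; the payload is not actually scrambled."""
    hdr = struct.pack("<4sHHHHHIIIHH", ZIP_LOCAL_SIG, 20, int(encrypted), 0, 0, 0,
                      zlib.crc32(payload), len(payload), len(payload), len(name), 0)
    return hdr + name.encode() + payload

def build_sample(body, filename, blob, subtype):
    """Constructed sample e-mail with one attachment (not a real Storm lure)."""
    msg = EmailMessage()
    msg["Subject"] = "230 dead as storm batters Europe"
    msg.set_content(body)
    msg.add_attachment(blob, maintype="application", subtype=subtype, filename=filename)
    return msg.as_bytes()

def scan_message(raw):
    """Return findings: bare executables, ZIPs carrying executables, and
    encrypted ZIPs whose password is given in the message body."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        blob = part.get_content()
        if name.endswith(".exe") or blob[:2] == b"MZ":
            findings.append(f"executable attachment: {name}")
        elif blob.startswith(ZIP_LOCAL_SIG):
            entries = list(zip_entries(blob))
            if any(n.lower().endswith(".exe") for n, _ in entries):
                findings.append(f"zip with executable inside: {name}")
            if any(enc for _, enc in entries) and PASSWORD_HINT.search(body):
                findings.append(f"encrypted zip with password in body: {name}")
    return findings
```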
Where Did the Storm Worm Come From?
The Storm Worm first appeared at the start of 2007. To this day, no one knows who controls the worm. Some security researchers believe that the controllers are from Russia and affiliated with the cyber crime organization Russian Business Network.
Is the Storm Worm Prevalent Today?
The Storm Worm is often considered one of the worst malware attacks in recent history. Estimates put infected or zombie computers at around a million (though some other estimates suggest around 10 million, even 50 million) at its height in 2007.
Fortunately, Microsoft and security vendors were quick to respond with detection and removal tools that helped users clean the Storm Worm from their computers. Recent data shows the worm present on merely thousands of computers, instead of millions.
How Can You Protect Yourself From the Storm Worm?
Widespread or not, the Storm Worm is easy to detect and avoid these days. Do not open file attachments and links in unsolicited email messages, even if they claim to have information and news about current events. Be cautious even if your antispam filter does not mark an email as malicious or spam. Keep your antivirus software updated to combat the threat of the Storm Worm and other malware.
How Can You Tell if Your Computer Has the Storm Worm?
The Storm Worm is subtle; it doesn’t exhibit any symptoms immediately and may lie dormant until it receives instructions from its controllers. It attaches to a host computer like a parasite without causing major damage or significant impact on performance. However, the worm may reboot the computer without warning when executed for the first time. Some variants of the malware may also terminate applications that contain “mcafee,” “taskmgr,” “msconfig,” “avg,” and other security- and utility-related terms not long after launch.
How Do You Remove the Storm Worm?
Manual removal is not necessary, especially since there are many removal tools already available that can remove the Storm Worm. These tools include Microsoft Safety Scanner and Sophos Virus Removal Tool. Most security products with real-time protection are able to detect and automatically get rid of the worm.