Storm Worm detected (UDP_Storm_Worm)

About this signature or vulnerability

BlackICE Server Protection, BlackICE PC Protection, RealSecure Server Sensor, RealSecure Network, Proventia Server IPS for Linux technology, Proventia Network IPS, Proventia Desktop, Proventia Network MFS, Proventia Server IPS for Microsoft Windows technology, Proventia-G 1.1 and earlier:

This signature detects the encrypted UDP "publicize" messages sent by the Storm Worm. The number of distinct hosts and ports that must be contacted to trigger this signature is set by 'pam.udp.stormworm.count' (30), and the interval over which probes are analysed is set by 'pam.udp.stormworm.interval' (60 seconds).
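An added example, not the sensor's own PAM code, showing the threshold logic described above as a sliding-window check over constructed UDP flow records (timestamp, source, destination, destination port). It assumes the "hosts and ports" count is the number of distinct destination host:port pairs a single source contacts within the interval; the sensor's exact counting rule is not given on this page.

```python
from collections import defaultdict, deque

# Thresholds as stated on this page for the UDP_Storm_Worm signature.
STORMWORM_COUNT = 30      # pam.udp.stormworm.count
STORMWORM_INTERVAL = 60   # pam.udp.stormworm.interval, in seconds


def detect_stormworm(records, count=STORMWORM_COUNT, interval=STORMWORM_INTERVAL):
    """Return the set of source IPs that contacted at least `count` distinct
    (dst_ip, dst_port) UDP endpoints within any `interval`-second window.

    `records` is an iterable of (timestamp, src_ip, dst_ip, dst_port) tuples
    sorted by timestamp (a constructed flow-record shape, assumed here)."""
    windows = defaultdict(deque)   # src_ip -> deque of (ts, (dst_ip, dst_port))
    flagged = set()
    for ts, src, dst, dport in records:
        q = windows[src]
        q.append((ts, (dst, dport)))
        # Expire probes that fell out of the analysis interval.
        while q and ts - q[0][0] > interval:
            q.popleft()
        # Repeated probes to the same endpoint must not inflate the count.
        distinct = {endpoint for _, endpoint in q}
        if len(distinct) >= count:
            flagged.add(src)
    return flagged


def sample_records():
    """Constructed flow records: an infected host probing 35 peers in ~17 s,
    a benign host contacting 10 peers, and a slow host that probes 40 peers
    but only one every 30 s, so it never reaches 30 within any 60 s window."""
    recs = []
    for i in range(35):
        recs.append((100 + i * 0.5, "10.0.0.5", f"203.0.113.{i + 1}", 10000 + i))
    for i in range(10):
        recs.append((100 + i, "10.0.0.9", f"198.51.100.{i + 1}", 4000 + i))
    for i in range(40):
        recs.append((200 + i * 30, "10.0.0.7", f"192.0.2.{i + 1}", 5000 + i))
    return sorted(recs, key=lambda r: r[0])


if __name__ == "__main__":
    print(sorted(detect_stormworm(sample_records())))   # ['10.0.0.5']
```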


Default risk level

High

Sensors that have this signature

BlackICE Server Protection: 3.6.cqx, BlackICE PC Protection: 3.6cqx, RealSecure Server Sensor: XPU 28.040, RealSecure Network: XPU 28.040, Proventia Server IPS for Linux technology: 28.040, Proventia Network IPS: XPU 28.040, Proventia Desktop: 2180, Proventia Network MFS: XPU 28.040, Proventia Server IPS for Microsoft Windows technology: 1.0.914.2180, Proventia Server IPS for Microsoft Windows technology: 2.0.252.2180, Proventia-G 1.1 and earlier: XPU 28.040

Systems affected

Microsoft Windows Vista, Microsoft Windows XP, Microsoft Windows 2000

Type

Unauthorized Access Attempt

Vulnerability description

The Storm Worm is a mass-mailing email worm that sends a Trojan dropper via a malicious email message. Once executed, the Trojan installs a rootkit and causes the infected system to become part of a botnet. The Storm Worm is also known by the following names:

How to remove this vulnerability

Use an up-to-date antivirus program to determine if the target computer is host to the Storm worm. If the program detects a backdoor, follow its instructions to disinfect and repair the computer.

References

Windows Live OneCare Web site
Virus Encyclopedia: Worm:Win32/Nuwar.N@mm!CME-711
http://onecare.live.com/standard/en-us/virusenc/VirusEncInfo.htm?VirusID=8470957

Common Malware Enumeration (CME) - CME List
CME-711 is a Trojan Downloader that is spread as an attachment to emails with news headlines as the subject lines which downloads additional security threats
http://cme.mitre.org/data/list.html

ISS X-Force
Storm Worm detected
http://www.iss.net/security_center/static/40812.php