Storm Worm (W32.Worm.Nuwar.Gen)

Notification Date: January 19, 2007

Name: Storm Worm (W32.Worm.Nuwar.Gen)

Public disclosure / In the wild date: Jan 19, 2007
Aliases: Trojan.Peed.Gen (BitDefender), Email-Worm.Win32.Zhelatin (Fortinet), Email-Worm.Win32.Zhelatin (Kaspersky), Win32/Nuwar.gen (Nod32), W32.Mixor (Symantec)
CME: CME-711

Description:

The Storm botnet has continued to grow and develop new distribution techniques. The most recent surges, at the end of August and into September, have used spam touting YouTube-related topics, Tor (a popular anonymizer tool), and the National Football League (NFL) to lure people into clicking a link that downloads and runs the malware.

IBM X-Force has tracked around 40K samples of Storm and related downloader files to date. Proventia Desktop detects 98% of these samples, ~80% of which were detected through behavioral analysis and/or generic pattern recognition. Proventia Mail and Proventia Multifunction also provide protection through VPS, signature AV, and anti-spam technologies.

 

ISS Coverage

Product                  Content Version
Proventia Desktop        base version (with VPS enabled)
Proventia Multifunction  base version (with VPS enabled)
Proventia Mail           base version (with VPS enabled)

Propagation Techniques   ISS Protection                               Available
email/spam               PackedFileInfector (VPS)                     2005
                         DisableAV (VPS)                              2005
                         RootkitDropper1 (VPS)                        May 10, 2007
                         Trojan.Peed.Gen (desktop signature AV)       Jan. 2007
                         Troj/JSXor-Gen (Proventia-M signature AV)    July 1, 2007
                         Mal/Dorf-E (Proventia-M signature AV)        Aug 16, 2007

Detection Techniques     ISS Detection                                Available
Network bot detection*   UDP_Storm_Worm (IDS)                         Mar 12, 2008
                         Edonkey_Connect (IDS)                        May 6th, 2004
                         Edonkey_Download (IDS)                       May 6th, 2004
                         Overnet_Search (IDS)                         Nov 7th, 2003

* Some variants of the Storm Worm have been known to use the eDonkey or Overnet protocols to communicate and transfer files, which appear to be media files.  It is unknown how many variants use this protocol or if its use will be discontinued in the future.  Administrators should be aware that these audits will pick up general usage of peer-to-peer networks that may be unrelated to the Storm Worm.

Detailed Description

Brief description:

The Storm Worm is an alias for W32.Worm.Nuwar (aka Mixor), a mass-mailing worm, and W32.Trojan.Peacomm, a trojan with bot and rootkit functionality.

In early January 2007, W32.Trojan.Peacomm was mass spammed with one of the subjects stating "230 dead as storm batters Europe", and thus it was dubbed the Storm Worm. In the days that followed, another round of W32.Trojan.Peacomm was released, but this time it was delivered as a dropped file of the W32.Worm.Nuwar mass-mailing worm. At that point, both Nuwar and Peacomm were collectively called the Storm Worm.

The Storm Worm is notorious for its mass-spamming techniques and for employing serial variant attacks where the botnet controllers release hundreds of variants in a very short time-frame.

Affected Platforms:
  • Microsoft Windows 2000
  • Microsoft Windows XP
  • Microsoft Windows Server 2003 
Technical Description: W32.Worm.Nuwar.Gen is a mass-mailing worm which harvests email addresses from the affected system and then sends a copy of itself to these harvested email addresses. Additionally, it injects code into executable files (.exe and .scr) so that when these modified executables are executed, a copy of W32.Worm.Nuwar is executed. Furthermore, it drops an additional trojan component which has rootkit capability and is also capable of downloading additional files. This dropped trojan component is known as W32.Trojan.Peacomm.
Symptoms:
  • High bandwidth utilization due to mass-mailing behavior
  • Executable files (.exe and .scr) are altered
  • Arbitrary files are downloaded and executed on the affected system
Nuwar Detailed Description:


Malcode Installation

Upon execution, it will drop a copy of itself as

%System%\alsys.exe
(Where %System% refers to the Windows system folder. On Windows XP and 2003, the Windows system folder is usually C:\Windows\System32, on Windows 2000 it is usually C:\WINNT\System32)

It will then create the following registry entries so that its dropped copy is executed upon system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 
Agent = "%System%\alsys.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 
Agent = "%System%\alsys.exe"

Other variants may remove the said autostart registry entries instead.

The malcode also disables the Windows Firewall service by updating the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess 
Start = dword:00000004

To ensure that only one instance of the malcode is running at any given time, it will try to create a mutex named "klllekkdkkd".
 
Mass-mailing Behavior

For its mass-mailing routine, it harvests email addresses from files located on fixed and network drives, then sends a copy of itself as an attachment to these harvested email addresses.

The format of the email message it sends out is as follows:

From:
Spoofed, using the format %name%@yahoo.com, where %name% is randomly generated or randomly selected from the following hard-coded list of names:
• Anita
• April
• Ara
• Aretina
• Amorita
• Alysia
• Aldora
• Barbra
• Becky
• Bella
• Briana
• Bridget
• Blenda
• Bettina
• Caitlin
• Chelsea
• Clarissa
• Carmen
• Carla
• Cara
• Camille
• Damita
• Daria
• Danielle
• Diana
• Doris
• Dora
• Donna
• Ebony
• Eden
• Eliza
• Erika
• Eve
• Evelyn
• Emily
• Faith
• Gale
• Gilda
• Gloria
• Haley
• Holly
• Helga
• Ivory
• Ivana
• Iris
• Isabel
• Idona
• Ida
• Julie
• Juliet
• Joanna
• Jewel
• Janet
• Katrina
• Kacey
• Kali
• Kyle
• Kassia
• Kara
• Lara
• Laura
• Lynn
• Lolita
• Lisa
• Linda
• Myra
• Mimi
• Melody
• Mary
• Maia
• Nadia
• Nova
• Nina
• Nora
• Natalie
• Naomi
• Nicole
• Olga
• Olivia
• Pamela
• Peggy
• Queen
• Rachel
• Rae
• Rita
• Ruby
• Rosa
• Silver
• Sharon
• Uma
• Ula
• Valda
• Vanessa
• Valora
• Violet
• Vivian
• Vicky
• Wendy
• Willa
• Xandra
• Xylia
• Xenia
• Zilya
• Zoe
• Zenia


Subject:
Can be any of the following:
• Magic of Flowers
• Sending You My Love
• Together You and I
• Window of Beauty
• Doing It for You
• Evening Romance
• Wrapped Up
• Most Beautiful Girl
• Touched by Love
• If I Knew
• Heart of Mine
• Til the End of Time
• With This Ring
• Tender Whispers
• Soul Partners
• With All of My Heart
• I Always Knew
• Awaiting Your Love
• Want to Meet?
• So in Love
• This Feeling
• Red Rose
• Until the Day
• My Invitation
• Worthy of You
• You're the One
• So in Love
• You and I Forever
• Words I Write
• The Candle's Light
• True Love
• My Perfect Love
• Waiting for You
• This Day Forward
• Without Your Love
• Now and Forever
• Thanks...Love
• Just You
• A Sweet Love
• Search for One
• A Song to You
• If I Could
• Hand in Hand
• I Win with You
• Wine and Roses
• Back Together
• I Give to You
• That Special Love
• Our Love
• Old Together
• Cyber Love
• Against All Odds
• Hey Cutie
• Our Wedding Day
• My Eye on You
• Unique Love
• Full Heart
• Forever in Love
• To New Spouse
• For Better of For Worse
• All For You
• When I'm With You
• Everyone Needs Someone
• Heart is Breaking
• With All My Love
• Cuddle Up
• Safe and Sound
• Made for Each Other
• Someone at Last
• You and I
• Hold On
• All That Matters
• Our Two Hearts
• You Asked Me Why
• Wish Upon a Star
• For You
• Brand New Love
• You're so Far Away
• Together Again
• I wish
• The Long Haul
• Love You Deeply
• In Love
• It's Your Move
• Love Birds
• Safe With You
• Sending Kiss
• You + Me
• I Would Do Anything
• Vacation Love
• The Kiss
• Hand in Hand
• Now I Know
• Live With Me
• Pockets of Love
• He Blessed Our Lives
• Two of a Kind
• Soul Mates
• I Still Love You
• Dancing With You
• Forever and Ever
• Twice Blest
• Longing for You
• Thinking of You
• Twilight Paradise
• Wish I Could Tell You
• Teddy Bear & Roses
• Let's Get Frisky
• Cuddle Me Please
• Solitary Beauty
• Take My Hand
• So Unique
• P.M.S
• We Have Walked
• Fields Of Love
• I Am Lost In You
• Bewitching Moonlight
• The Letter
• Till Morning's Light
• Trunk Full Of Love
• Your Silly Smile
• Till Morninig's Light
• Just You & Me
• A Special Flower for You
• The Sweet Taste of Love
• A Red Hot Kiss
• Won't you dance with me
• A Special Kiss
• Our love is torn by miles
• Every Inch of Your Body
• My Heart belongs to you
• Steamy Dream
• Moonlit Waterfall
• My Heart is Thinking
• A Weekend Getaway
• Summer Love
• A Hug & Roses
• How Much I Love You
• Love for Granted
• Thinking about you
• Angel of Love
• You're Soo kissable
• From this day forward
• In My Heart
• Between Us
• Hold Me (distant love)
• I Would Give you Anything
• A Bouquet of Love
• I Think of You
• Wild Nights--Wild Nights
• Memories
• You are out of this world
• When I look at you
• Last Night was Hot!
• Peek-A-Boo
• You Lucky Duck!
• 5 Reasons I Love You
• I Can't Function
• Our Love Everyday
• Emptiness Inside Me
• Love is in the Air
• We're a Perfect Fit
• A Romantic Place
• I Love You Mower
• The Mood for Love
• Love at First Sight
• You Brighten My Day
• You're My Hero
• Can't Wait to See You!
• Showers Of Love
• You Were Worth the Wait
• Crazy way to say I Luv U
• Times Are Hard, I Luv U
• You Rock Me!
• Puppy Love
• You Are My Guiding Star
• We Are Different
• I Woof You
• A Monkey Rose for You
• A Kiss for You
• A Little (sex) Card
• The Love Bugs
• Kisses, Hugs & Roses
• Feeling Horny?
• A Day in Bed Coupon
• Dream Date Coupon
• Bubble Bath Coupon
• Steamy Sex Coupon
• A Relaxing Coupon
• Massage Coupon
• Dinner Coupon
• Romantic Picnic Coupon
• Breakfast in Bed Coupon
• Kiss Coupon
• Passionate Kiss
• Only You
• Internet Love
• Want You to Know
• Will You?
• I'll Be Your Man
• I Love Thee
• I Love You So
• Rose for my Love
• Baby, I'll Be There
• Unmatchable Beauty
• I Believe
• Dream Girl
• I Dream of you
• I am Complete
• Love Remains
• When I'm With You
• Our Love is Strong
• The Miracle of Love
• Inside My Heart
• Our Love Will Last
• For You....My Love
• The Mood for Love
• A Token of My Love
• Miracle of Love
• A Kiss So Gentle
• Why I Love You
• Falling In Love with You
• The Dance of Love
• Sending You My Love
• Hugging My Pillow
• Our Love Nest
• Wrapped in Your Arms
• I Love You Soo Much
• Eternity of Your Love
• Our Love is Free
• My Love
• Your Love Has Opened
• When You Fall in Love
• The Time for Love
• I Love Thee
• I Love You with All I Am
• Miracle of Love

New samples received on April 13, 2007 have the following subjects:
• A Dream is a Wish
• A Is For Attitude
• A Precious Gift
• A Rose
• A Rose for My Love
• A Toast My Love
• Come Dance with Me
• Come Relax with Me
• Destiny
• Dream of You
• Eternal Love
• Happy I'll Be Your Bride
• Heavenly Love
• I Love You Because
• I Would Dream
• If Loving You
• In Your Arms
• Kisses Through E-mail
• Last Night
• Love Is...
• Magic Power Of Love
• Memories of You
• Our Journey
• Pages from My Heart
• Path We Share
• Sending You All My Love
• Sent with Love
• Special Romance
• Surrounded by Love
• The Moon & Stars
• When Love Comes Knocking
• Words in my Heart
• You're in my Soul
• You're In My Thoughts
• You're my Dream
• You... In My Dreams
• Your Friend and Lover

Body:
(Email body is blank)


Attachment:
Can be any of the following:
• Postcard.exe
• postcard.exe
• Greeting Card.exe
• greeting card.exe
• Greeting Postcard.exe
• greeting postcard.exe
• flash postcard.exe
• Flash Postcard.exe


The new attachment names on Apr. 13 were:
• With Love.exe
• Love Card.exe
• Love Postcard.exe
• My Love.exe

 

The malcode avoids sending itself to email addresses containing the following strings:

• microsoft
• .gov
• .mil
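As an added example (not from the advisory), the mass-mailer traits above turned into a mail-gateway check in Python: a sender spoofed as a listed name at yahoo.com, a listed subject, a blank body and a listed executable attachment. The name, subject and attachment sets are subsets of the lists above, and both messages are constructed samples rather than captures.

```python
import email
from email import policy
from email.utils import parseaddr

# Subsets of the hard-coded sender names, subjects and attachment names
# listed in the advisory; extend from the full lists when deploying.
SPOOFED_NAMES = {"anita", "becky", "carmen", "diana", "julie", "laura", "nina", "zoe"}
LURE_SUBJECTS = {"magic of flowers", "with this ring", "a rose for my love", "love is..."}
LURE_ATTACHMENTS = {"postcard.exe", "greeting card.exe", "greeting postcard.exe",
                    "flash postcard.exe", "with love.exe", "love card.exe",
                    "love postcard.exe", "my love.exe"}


def storm_indicators(raw: bytes) -> list:
    """List the Nuwar mass-mailer traits present in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    # From: is spoofed as %name%@yahoo.com with %name% from the hard-coded list
    local, _, domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")
    if domain.lower() == "yahoo.com" and local.lower() in SPOOFED_NAMES:
        hits.append("spoofed-yahoo-from")
    if str(msg.get("Subject", "")).strip().lower() in LURE_SUBJECTS:
        hits.append("lure-subject")
    # The worm sends an empty body; the lure is subject plus attachment only
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is None or not body.get_content().strip():
        hits.append("blank-body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        if name.lower() in LURE_ATTACHMENTS:
            hits.append("lure-attachment:" + name)
        elif name.lower().endswith((".exe", ".scr")):
            hits.append("executable-attachment:" + name)
    return hits


def is_storm_lure(raw: bytes) -> bool:
    """A listed attachment plus any other trait, or three traits, is a match."""
    hits = storm_indicators(raw)
    listed = any(h.startswith("lure-attachment:") for h in hits)
    return (listed and len(hits) >= 2) or len(hits) >= 3


# Constructed sample messages (not real captures); the attachment is a stub.
SAMPLE_LURE = b"""From: Becky <becky@yahoo.com>
Subject: With This Ring
Content-Type: multipart/mixed; boundary="bnd"

--bnd
Content-Type: text/plain; charset=us-ascii

--bnd
Content-Type: application/octet-stream; name="Postcard.exe"
Content-Disposition: attachment; filename="Postcard.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--bnd--
"""
SAMPLE_BENIGN = b"""From: Alice Example <alice@example.test>
Subject: Meeting notes
Content-Type: text/plain; charset=us-ascii

Notes from today's meeting, nothing unusual.
"""
```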

Modification of Executable Files

Some variants of this malcode additionally search for .EXE and .SCR files and attempt to modify them so that they spawn a copy of the malcode that has been dropped in the same folder as the modified executable.

The dropped copy of the malcode is hidden and has a filename of the form %name%.t, where %name% is a randomly generated string of 8 characters.

Antivirus Termination

This malcode attempts to terminate antivirus programs and certain utilities by terminating processes having the following strings in their name or in their window title:

• anti
• viru
• troja
• avp
• nav
• rav
• reged
• nod32
• spybot
• zonea
• vsmon
• avg
• blackice
• firewall
• msconfig
• lockdown
• f-pro
• hijack
• taskmgr
• mcafee

In addition to the processes described above, this malcode also terminates the Registry Editor.

Peacomm Detailed Description:

W32.Trojan.Peacomm is a malcode dropped by W32.Worm.Nuwar or spammed directly by an attacker (see Mass Spamming of the Storm Worm). It operates as part of a P2P botnet using the Overnet protocol, a decentralized P2P protocol commonly used by file-sharing networks. Because there is no central command server in a decentralized P2P protocol, taking down the entire botnet becomes considerably more difficult.

This trojan installs a rootkit so that the trojan’s dropped files and created registry keys are hidden. It performs its rootkit functionality by modifying the System Service Descriptor Table (SSDT).

The following are the files created by this trojan (hidden by the rootkit):

%System%\wincom32.sys – rootkit component
%System%\wincom32.ini – configuration file

Furthermore, it will inject code into the process services.exe.

Newer variants of W32.Trojan.Peacomm drop a copy of themselves into the Windows folder using names such as:

%Windows%\spooldr.exe

And the loader/rootkit component in the System folder using names such as:

%System%\spooldr.sys

The loader/rootkit component is responsible for terminating security-related tools and applications; locking files, including the modified driver discussed below, so that other applications cannot open them; hooking the SSDT in order to hide the trojan components from file listings; and hiding the trojan process by modifying kernel process structures. It also injects code into the explorer.exe process, which then loads the copy of the trojan.

Finally, a non-malicious driver is modified so that the loader/rootkit component dropped in the System folder is loaded whenever the system loads that driver. Examples of the non-malicious drivers used include:

%System%\drivers\tcpip.sys
%System%\drivers\kbdclass.sys

Once running, this trojan attempts to inform its initial peers that it is active and contacts them in order to retrieve additional peer addresses. Once active, it can download and execute possibly malicious files. Furthermore, it can be used to send spam such as pump-and-dump stock spam, an example of which is shown below:

 

Mass Spamming of the Storm Worm

During the last couple of weeks of August, a surge of new Storm Worm variants was released in the wild via spam. The malcode author constantly modifies the spam theme as a way to continuously lure users into clicking the link, which eventually points to the malcode.

Earlier in August, the spam's theme was e-cards, for which an example format is:

Subject:
funny card
Thank you ecard
Animated postcard
(etc.)

Body:
Your %varies% has sent you Thank you %Subject% from e-cards.com.

Click on your card's direct www address below:

http://xxx.xxx.xxx.xxx/

Copyright (c) 1996-2007 %Varies% All Rights Reserved

Another spam theme consists of links to pictures:

Subject:
Re:

Body:
Lonely? Me too. Look what I like to do when I get lonely. http://xxx.xxx.xxx.xxx/
or
hey baby, I thought you might like these pictures to keep you hot till you get home. http://xxx.xxx.xxx.xxx/
(etc.)

Later in the month, the spam theme consisted of sending the user credentials for a membership and asking the user to log in. An example is:

Subject:
User Verification
Member Details
(etc.)

Body:

We are glad you joined Net-Jokes.

Membership Number: %Varies%
Temp Login ID: %Varies%
Temp Password ID: %Varies%

Please Change your login and change your Login Information.
(or For security purposes please login and change the temporary Login ID and Password.)

Follow this link, or paste it in your browser: http://xxx.xxx.xxx.xxx/
(or Follow this Link: Net-Jokes)

Enjoy,
Membership Support Department
Net-Jokes

On August 27, the spam had taken a “YouTube” theme in which the user is lured to view a supposedly YouTube video:

Subject:
Dude your gonna get caught, lol
LOL, that is too cool.....
oh man your nutz
LMAO, your crazy man
(etc.)

Body:
OMG, what are you doing man. This video of you is all over the net. this is the link to it. http://www.youtube.com/watch?v=JNxECy3rSqn (points to a different link: http://xxx.xxx.xxx.xxx/)
or
You can see your face right in the video. its all over the web dude. here is where I found it... http://www.youtube.com/watch?v=LBgMkykLtQm (points to a different link: http://xxx.xxx.xxx.xxx/)
(Etc)

All the links in these spam emails eventually point to a web page which generally asks the user to download a file in order to continue viewing the content. Below is an example in the case of the YouTube-themed spam:

 

The link points to a copy of W32.Trojan.Peacomm (in this case video.exe). The same web page also attempts to exploit several browser-based vulnerabilities in order to download another file automatically.

Once again, on August 28, the author of the Storm Worm changed the spam theme to one that asks the user to beta test a particular piece of software; this time, the link points directly to a copy of W32.Trojan.Peacomm. Below is an example of the beta-test-themed spam:

Subject:
We need you

Body:
Would you help us with our new software %varies%

This will help us put the final touches on this great new software. To
say thanks, Beta testers will receive a free copy and 5 years of free
updates.

Download the software, See What you think, and Email us your thoughts.
Ready to be a beta tester? Just follow the link to our easy download
center: http://xxx.xxx.xxx.xxx/setup.exe
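Added example, not part of the advisory: a Python check for the link patterns the spam themes above share (links to bare IP addresses, a displayed URL that differs from the real target as in the YouTube lure, and direct .exe downloads as in the beta-test lure). The HTML snippets are constructed from the lures above, and 203.0.113.10 is a documentation-range placeholder for the xxx.xxx.xxx.xxx hosts.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def lure_link_findings(html: str) -> list:
    """Flag bare-IP hosts, displayed URLs whose host differs from the real
    target, and direct executable downloads in the anchors of one HTML body."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        if _is_ip(target.hostname or ""):
            findings.append("bare-ip-link:" + href)
        if target.path.lower().endswith((".exe", ".scr")):
            findings.append("executable-download:" + href)
        shown = text.lower()
        if shown.startswith("www."):
            shown = "http://" + shown
        if shown.startswith(("http://", "https://")):
            displayed = urlparse(shown).hostname
            if displayed and target.hostname and displayed != target.hostname.lower():
                findings.append("displayed-url-mismatch:%s->%s" % (text, href))
    return findings


# Constructed samples modelled on the lures above; 203.0.113.10 is a
# documentation-range placeholder for the xxx.xxx.xxx.xxx hosts.
YOUTUBE_LURE = ('<p>OMG, what are you doing man. This video of you is all over the '
                'net. this is the link to it. <a href="http://203.0.113.10/">'
                'http://www.youtube.com/watch?v=JNxECy3rSqn</a></p>')
BETA_LURE = ('<p>Just follow the link to our easy download center: '
             '<a href="http://203.0.113.10/setup.exe">download center</a></p>')
BENIGN_HTML = '<p>Your card: <a href="https://cards.example.test/view/123">view it</a></p>'
```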


Revision History

Jan 22 2007 IBM Internet Security Systems identified an upsurge of new samples involving the malcode W32.Worm.Nuwar (aka Mixor). In a span of 5 hours, the IBM ISS Catfish system had identified over 30 modifications of this malcode. Each sample has exactly the same behavior and only differs in the encryption keys used to encrypt the malcode.
Feb 5 2007 IBM ISS Catfish system identified another increase in W32.Worm.Nuwar samples being released in the wild. Similar to the samples received on January 22 2007, these new samples drop and execute a variant of W32.Trojan.Peacomm.
Feb 6 2007 IBM ISS Catfish system identified another increase of new W32.Worm.Nuwar samples. In a span of 7 hours, the IBM ISS Catfish system received 11 new samples. These samples are very similar to ones received on February 5 2007, the only difference is that the dropped W32.Trojan.Peacomm variant had been re-packed.
Feb 13-14 2007 IBM ISS Catfish System received another round of W32.Worm.Nuwar.Gen samples.  These new samples attempt to use Valentine's Day to social engineer users into clicking the malcode attachment. Specifically, the subject of the email messages they send out is themed after Valentine’s Day.
Apr 13 2007 IBM ISS Catfish System received another round of W32.Worm.Nuwar.Gen samples. These new samples are very similar to the ones received in the Valentine's Day Nuwar serial variant attack; similarities include the same W32.Trojan.Peacomm variant being installed on the affected system.

Sept 12 2007 New surge of Storm Worm malware uses YouTube and "beta test" spam subjects to continue to expand its bot network.
Mar 12 2008 Added additional IDS/IPS detection capabilities.


About IBM Internet Security Systems
IBM Internet Security Systems is the trusted security advisor to thousands of the world's leading businesses and governments, providing pre-emptive protection for networks, desktops and servers. An established leader in security since 1994, the IBM Proventia® integrated security platform is designed to automatically protect against both known and unknown threats, helping to keep networks up and running and shielding customers from online attacks before they impact business assets. IBM Internet Security Systems products and services are based on the proactive security intelligence of its X-Force® research and development team – the unequivocal world authority in vulnerability and threat research. The Internet Security Systems product line is also complemented by comprehensive Managed Security Services and Professional Security Services. For more information, visit the Internet Security Systems Web site at www.iss.net or call 800-776-2362.