"Storm worm" sloshes through the internet
A number of makers of anti-virus software are currently warning of an outbreak of the Windows malware Trojan-Downloader.Win32.Small.dam. The malware, also known as "storm worm", tries to grab users' attention with sensational messages concerning hurricane Kyrill. However, because the trojan is not, according to current knowledge, self-spreading, it is not actually a genuine worm.
Infected e-mails carry subject lines such as "230 dead as storm batters Europe" and claim to contain a video as an attachment. Unsurprisingly, the attachment, an executable file called FullClip.exe, FullStory.exe or FullVideo.exe, conceals a trojan. Other e-mails, also distributed via spam lists, have subject lines relating to an alleged genocide of British Muslims or to Condoleezza Rice kicking Angela Merkel during her visit.
The trojan downloads further files from the internet. The anti-virus companies do not reveal exactly what it does. According to GDATA, one action it takes is to install the rootkit Win32.agent.dh. According to Sophos, since midnight one in 200 e-mails has contained the trojan. Ikarus claims to have already seen 20,000 infected e-mails containing 11 different variants of the trojan. Not all anti-virus producers have yet made signatures available for detecting the trojan.
Whether or not it can really be classed as an outbreak is questionable. Anti-virus producer Ironport, recently acquired by Cisco, does not detect an outbreak in its statistics. Other observers have also failed to detect any examples on the web. Despite this, users should, as ever, not open suspicious attachments and should exercise great caution with all e-mails received. The recent trojans in fake 1&1 and GEZ invoices illustrate how many users act without thinking.
Further information on protection from viruses and worms can be found in heise Security's anti-virus section. The c't e-mail check gives detailed information on typical hazards relating to e-mails and tips for configuring settings.