Not content to settle for all the new bot's they got for Christmas, the RBN would like to wish you a Happy New Year as well with hxxp://uhavepostcard.com/happy2008.exe.
New hash, 5bb3606d36019142507043f30401c5d2, same malware as that we received when we fell for the Christmas strip show they offered us ;-).
Again, it copies itself to C:\WINDOWS as disnisa.exe, writes the same registry keys and config file, and follows the same network attributes as mentioned in previous post, but better AV coverage now that this variant's been around for a few days:
AntiVir - Worm/Zhelatin.ob
Authentium - W32/StormWorm.P
BitDefender - Trojan.Peed.IRE
CAT-QuickHeal - (Suspicious) - DNAScan
DrWeb - Trojan.Packed.263
eSafe - Suspicious File
eTrust-Vet - Win32/Sintun.AT
F-Prot - W32/StormWorm.P
F-Secure - Packed.Win32.Tibs.gu
Kaspersky - Packed.Win32.Tibs.gu
Microsoft - Trojan:Win32/Tibs.gen!ldr
Prevx1 - Stormy:Worm-All Variants
Symantec - Trojan.Peacomm.D
Webwasher-Gateway - Worm.Zhelatin.ob
I was further intrigued by the name they chose for the .exe, in particular, disnisa. Appears it was or is the name of a wine and spirits import company in Nicaragua, importers of Heineken, Chivas Reagal, Cuervo, Concha y Toro, and Moet & Chandon. Is there correlation given the time of year? Who knows.
Happy New Years from disnisa. Drink the product (responsibly), but don't open the ecard. ;-)
Subscribe to:
Post Comments (Atom)
Moving blog to HolisticInfoSec.io
toolsmith and HolisticInfoSec have moved. I've decided to consolidate all content on one platform, namely an R markdown blogdown sit...
-
Continuing where we left off in The HELK vs APTSimulator - Part 1 , I will focus our attention on additional, useful HELK features to ...
-
As you weigh how best to improve your organization's digital forensics and incident response (DFIR) capabilities heading into 2017, cons...
-
When, in October and November 's toolsmith posts, I redefined DFIR under the premise of D eeper F unctionality for I nvestigators in R ...
3 comments:
Nice info !!
Unfortunately, my computer is infected. Any ideas on how to get it off? My virus software says that it is not able to fix these types of files yet. Ughh...don't people have anything better to do with their time? Thanks for the info. and have a HAPPY NEW YEAR!! no pun intended!!
Removing Storm, once infected, is a something of a crapshoot.
1) If at all possible, you really should wipe the drive and start fresh with a reimage if a corporate machine, or an OS reload if home based. Never an easy process, but closest thing to a guaranteed clean system. No matter how you do it, be sure AV is running and fully updated, and that the system is fully patched before doing anything else on the internet. Even just putting back on the network before these steps has risk and represents a classic Catch-22.
2) If unable or unwilling to blow the system away, try one of the online scanners, including F-Secure's.
This malware will often disable existing AV installations, and there are no guarantees with online scanners, but it's worth a shot. Good luck.
Post a Comment