Tuesday, December 25, 2007

New Years Storm deja vu

Not content to settle for all the new bot's they got for Christmas, the RBN would like to wish you a Happy New Year as well with hxxp://uhavepostcard.com/happy2008.exe.
New hash, 5bb3606d36019142507043f30401c5d2, same malware as that we received when we fell for the Christmas strip show they offered us ;-).
Again, it copies itself to C:\WINDOWS as disnisa.exe, writes the same registry keys and config file, and follows the same network attributes as mentioned in previous post, but better AV coverage now that this variant's been around for a few days:

AntiVir - Worm/Zhelatin.ob
Authentium - W32/StormWorm.P
BitDefender - Trojan.Peed.IRE
CAT-QuickHeal - (Suspicious) - DNAScan
DrWeb - Trojan.Packed.263
eSafe - Suspicious File
eTrust-Vet - Win32/Sintun.AT
F-Prot - W32/StormWorm.P
F-Secure - Packed.Win32.Tibs.gu
Kaspersky - Packed.Win32.Tibs.gu
Microsoft - Trojan:Win32/Tibs.gen!ldr
Prevx1 - Stormy:Worm-All Variants
Symantec - Trojan.Peacomm.D
Webwasher-Gateway - Worm.Zhelatin.ob

I was further intrigued by the name they chose for the .exe, in particular, disnisa. Appears it was or is the name of a wine and spirits import company in Nicaragua, importers of Heineken, Chivas Reagal, Cuervo, Concha y Toro, and Moet & Chandon. Is there correlation given the time of year? Who knows.
Happy New Years from disnisa. Drink the product (responsibly), but don't open the ecard. ;-)

New Years Storm deja vu at del.icio.us Digg New Years Storm deja vu


Anonymous said...

Nice info !!

Anonymous said...

Unfortunately, my computer is infected. Any ideas on how to get it off? My virus software says that it is not able to fix these types of files yet. Ughh...don't people have anything better to do with their time? Thanks for the info. and have a HAPPY NEW YEAR!! no pun intended!!

Russ McRee said...

Removing Storm, once infected, is a something of a crapshoot.
1) If at all possible, you really should wipe the drive and start fresh with a reimage if a corporate machine, or an OS reload if home based. Never an easy process, but closest thing to a guaranteed clean system. No matter how you do it, be sure AV is running and fully updated, and that the system is fully patched before doing anything else on the internet. Even just putting back on the network before these steps has risk and represents a classic Catch-22.
2) If unable or unwilling to blow the system away, try one of the online scanners, including F-Secure's.
This malware will often disable existing AV installations, and there are no guarantees with online scanners, but it's worth a shot. Good luck.

Moving blog to HolisticInfoSec.io

toolsmith and HolisticInfoSec have moved. I've decided to consolidate all content on one platform, namely an R markdown blogdown sit...