computer.dude.28 |
This is going around again, this time with an IP address of 74.99.XXX.XXX
computer.dude.28 |
and it tries to install “Remote Data Services Data Control” add-on from “Microsoft Corporation”
E-Card with Something Special - Malware « Entangled |
[...] I got such a message in early June — a little bit too early. Today I got two, so this time I just googled these IP addresses and checked out whether there’s a warning posted. At this moment only two posted, Register.uk and SearchSecurity.com (where shows the format of fake ecard). “The interesting part is just how multi-layered the attack is - it uses several different exploits, both technical and social. [...]
Stan |
Here are two more IPs that are propagating this stuff.
I got the domain names from http://www.arin.net/whois/
this one is from Amsterdam - ripe.net
82.39.44.93
this one is a USA Comcast address
24.3.223.219
I haven’t followed the links, just made a note of them.
chris jarrett |
Will this exploit affect Firefox or just Internet Explorer, and what about the effect of it on Linux and other alternate operating systems?
Bill Brenner |
I’m not 100% certain about how this might affect Linux, but everything I’ve been told so far indicates that this is primarily a problem for Windows users running either Internet Explorer or Firefox.
chris jarrett |
Because it is a JavaScript exploit, using the NoScript plugin for Firefox will prevent infection unless you click the link. It will also cut down on lagging background scripting while making Firefox all that more secure.
Storm malware posing as fake security warnings — Security Bytes |
[...] The Storm malware is using yet another trick in its endless push for world domination. Two weeks ago Storm passed itself off as a greeting card from family members to trick people into clicking on malicious URLs in their email inbox. Last week it tried to use patriotic messages to dupe people into getting infected. [...]
Stan |
Here is another variant - this one directs you to 76.111.xxx.xx
From : jtb at stpaul.com
Subject : Spyware Alert!
Dear Customer,
Our robot has detected an abnormal activity from your IP adress on sending e-mails. Probably it is connected with the last epidemic of a worm which does not have official patches at the moment.
We recommend you to install this patch to remove worm files and stop email sending, otherwise your account will be blocked.
Abuse Team Robot
Frank |
Found this, found a way to remove it. Here it goes.
1. Disable System Restore
2. Boot into safe mode (possibly didn’t try doing it without)
3. Once in safe mode go to device manager (in system properties)
4. Click view and ‘Show Hidden Devices’
5. Find the device under ‘non plug and play devices’ that looks suspicious, I’ve seen variants that start Windev - four random characters - four random characters, and some that start vdo - somethings - something
6. Uninstall this device
7. Browse to your C:\windows\system32 directory and find the file name that corresponds to the device that was shown in device manager and delete it
8. Search the registry for that same string, and delete all references, there should be one in current config, and somewhere else I believe.
This process worked for me, hopefully it will work for other people.
psiborg999 |
This is really just a Microsoft exploit.
I use Linux ONLY and my antivirus (KLAMAV) found it on-the-fly and quarantined it. No intervention was necessary. Info as follows:
EXPLOIT: Trojan.Small-3263
The payload file “ecard.exe” was sent in two different emails, both arriving within seconds of each other, from:
dgreetings.com and riversongs.com
Set blocking filters accordingly.
Windows People!
Just don’t open the attachment!
*.exe’s DON’T belong in emails!
Justin White |
RE: *.exe’s DON’T belong in emails! and Windows People!
Just don’t open the attachment!
The exploit points them to a website via a link in the e-mail or the user must manually paste the URL into a web browser. There are no attachments or .exe’s involved. Am I wrong??
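The two lures reported in this thread (a link pointing at a bare IP address, and an `ecard.exe` attachment) can both be checked for at the mail gateway. The following is an added example, not part of any comment above; the function names, the sample message and the 192.0.2.10 documentation address are constructed for illustration.

```python
import email
import ipaddress
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
RISKY_EXT = (".exe",)  # the thread mentions ecard.exe; extend per local mail policy


def scan_message(raw: str) -> dict:
    """Return IP-literal links and executable attachments found in one message."""
    msg = email.message_from_string(raw, policy=policy.default)
    links, attachments = [], []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXT):
            attachments.append(name)
        if part.get_content_maintype() != "text" or name:
            continue  # only inline text/plain and text/html bodies are searched
        for url in URL_RE.findall(part.get_content()):
            url = url.rstrip(".,;)")  # drop sentence punctuation glued to the URL
            try:
                ipaddress.ip_address(urlsplit(url).hostname or "")
            except ValueError:
                continue  # host is a DNS name (or unparsable), not a bare IP
            links.append(url)
    return {"ip_links": links, "exe_attachments": attachments}


def sample_message() -> str:
    """Constructed sample combining both lures; not a captured message."""
    m = EmailMessage()
    m["Subject"] = "You've received a greeting ecard"
    m.set_content(
        "View your card: http://192.0.2.10/?a1b2c3\n"
        "Or visit http://example.com/cards.\n"
    )
    m.add_attachment(b"MZ", maintype="application",
                     subtype="octet-stream", filename="ecard.exe")
    return m.as_string()


if __name__ == "__main__":
    print(scan_message(sample_message()))
```

A hit on either list is a reason to quarantine the message for review rather than proof of infection, since legitimate mail occasionally links to IP addresses.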
Apple User |
And yet, all you IDIOTS just keep using Windoze! When will you wise up and join the masses already making a huge exodus to Macs?
You bring it on yourselves… really.
Have fun!