Comments on: Web watchers warn of new Storm attack http://itknowledgeexchange.techtarget.com/security-bytes/web-watchers-warn-of-new-storm-attack/ A SearchSecurity.com blog Fri, 27 Nov 2009 10:45:20 +0000 http://wordpress.org/?v=2.6.2 By: Apple User http://itknowledgeexchange.techtarget.com/security-bytes/web-watchers-warn-of-new-storm-attack/#comment-361 Apple User Tue, 14 Aug 2007 00:32:42 +0000 http://security.blogs.techtarget.com/2007/06/29/web-watchers-warn-of-new-storm-attack/#comment-361 And yet, all you IDIOTS just keep using Windoze! When will you wise up and join the masses already making a huge exodus to Macs? You bring it on yourselve... really. Have fun! And yet, all you IDIOTS just keep using Windoze! When will you wise up and join the masses already making a huge exodus to Macs?

You bring it on yourselve… really.

Have fun!

]]> By: Justin White http://itknowledgeexchange.techtarget.com/security-bytes/web-watchers-warn-of-new-storm-attack/#comment-360 Justin White Mon, 13 Aug 2007 14:38:33 +0000 http://security.blogs.techtarget.com/2007/06/29/web-watchers-warn-of-new-storm-attack/#comment-360 RE: *.exe’s DON’T belong in emails! and Windows People! Just don’t open the attachment! The exploit points them to a website via a link in the e-mail or the user must manually paste the url into a web browser. Their are no attachments or .exe's involved. Am I wrong?? RE: *.exe’s DON’T belong in emails! and Windows People!
Just don’t open the attachment!
The exploit points them to a website via a link in the e-mail or the user must manually paste the url into a web browser. Their are no attachments or .exe’s involved. Am I wrong??

]]> By: psiborg999 http://itknowledgeexchange.techtarget.com/security-bytes/web-watchers-warn-of-new-storm-attack/#comment-359 psiborg999 Thu, 02 Aug 2007 03:45:22 +0000 http://security.blogs.techtarget.com/2007/06/29/web-watchers-warn-of-new-storm-attack/#comment-359 This is really just a Microsoft exploit. I use Linux ONLY and my antivirus (KLAMAV) fount it on-the-fly and quarantined it. No intervention was necessary. Info as follows: EXPLOIT: Trojan.Small-3263 The payload file "ecard.exe" was sent in two different emails, both arriving within seconds of each other, from: dgreetings.com and riversongs.com Set blocking filters accordingly. Windows People! Just don't open the attachment! *.exe's DON'T belong in emails! This is really just a Microsoft exploit.
I use Linux ONLY and my antivirus (KLAMAV) fount it on-the-fly and quarantined it. No intervention was necessary. Info as follows:

EXPLOIT: Trojan.Small-3263

The payload file “ecard.exe” was sent in two different emails, both arriving within seconds of each other, from:
 <a href="http://dgreetings.com" title="http://dgreetings.
" target="_blank">dgreetings.com</a> and <a href="http://riversongs.com" title="http://riversongs. " target="_blank">riversongs.com</a>

Set blocking filters accordingly.

Windows People!
Just don’t open the attachment!

*.exe’s DON’T belong in emails!

]]> By: Frank http://itknowledgeexchange.techtarget.com/security-bytes/web-watchers-warn-of-new-storm-attack/#comment-358 Frank Fri, 27 Jul 2007 14:56:35 +0000 http://security.blogs.techtarget.com/2007/06/29/web-watchers-warn-of-new-storm-attack/#comment-358 Found this, found a way to remove it. Here is goes. 1. Disable System Restore 2. Boot into safe mode (possibly didn't try doing it without) 3. Once in safe mode go to device manager (in system properties) 4. Click view and 'Show Hidden Devices' 5. Find the device under 'non plug and play devices' that looks suspicious, i've seen variants that start Windev - fourrandom characters - fourrandomcharacters, and some that start vdo - somethings - something 6. Uninstall this device 7. Browse to your C:\windows\system32 directory and find the file name that corresponds to the device that was shown in device manager and delete it 8. Search the registry for that same string, and delete all references, there hsould be one in current config, and somewhere else I believe, THis process worked for me, hopefully it will work for other people Found this, found a way to remove it. Here is goes.

1. Disable System Restore

2. Boot into safe mode (possibly didn’t try doing it without)

3. Once in safe mode go to device manager (in system properties)

4. Click view and ‘Show Hidden Devices’

5. Find the device under ‘non plug and play devices’ that looks suspicious, i’ve seen variants that start Windev - fourrandom characters - fourrandomcharacters, and some that start vdo - somethings - something

6. Uninstall this device

7. Browse to your C:\windows\system32 directory and find the file name that corresponds to the device that was shown in device manager and delete it

8. Search the registry for that same string, and delete all references, there hsould be one in current config, and somewhere else I believe,

THis process worked for me, hopefully it will work for other people

]]> By: Stan http://itknowledgeexchange.techtarget.com/security-bytes/web-watchers-warn-of-new-storm-attack/#comment-357 Stan Tue, 10 Jul 2007 12:45:39 +0000 http://security.blogs.techtarget.com/2007/06/29/web-watchers-warn-of-new-storm-attack/#comment-357 Here is another variant - this one directs you to 76.111.xxx.xx From : jtb@stpaul.com Subject : Spyware Alert! Dear Customer, Our robot has detected an abnormal activity from your IP adress on sending e-mails. Probably it is connected with the last epidemic of a worm which does not have official patches at the moment. We recommend you to install this patch to remove worm files and stop email sending, otherwise your account will be blocked. Abuse Team Robot Here is another variant - this one directs you to 76.111.xxx.xx

From :  <a href="mailto:jtb@stpaul.com" title="mailto:jtb@stpaul.com">jtb at stpaul.com</a>
Subject : Spyware Alert!

Dear Customer,

Our robot has detected an abnormal activity from your IP adress on sending e-mails. Probably it is connected with the last epidemic of a worm which does not have official patches at the moment.

We recommend you to install this patch to remove worm files and stop email sending, otherwise your account will be blocked.

Abuse Team Robot

]]> By: Storm malware posing as fake security warnings — Security Bytes http://itknowledgeexchange.techtarget.com/security-bytes/web-watchers-warn-of-new-storm-attack/#comment-356 Storm malware posing as fake security warnings — Security Bytes Mon, 09 Jul 2007 12:47:07 +0000 http://security.blogs.techtarget.com/2007/06/29/web-watchers-warn-of-new-storm-attack/#comment-356 [...] The Storm malware is using yet another trick in its endless push for world domination. Two weeks ago Storm passed itself off as a greeting card from family members to trick people into clicking on malicious URLs in their email inbox. Last week it tried to use patriotic messages to dupe people into getting infected. [...] [...] The Storm malware is using yet another trick in its endless push for world domination. Two weeks ago Storm passed itself off as a greeting card from family members to trick people into clicking on malicious URLs in their email inbox. Last week it tried to use patriotic messages to dupe people into getting infected. [...]

]]> By: chris jarrett http://itknowledgeexchange.techtarget.com/security-bytes/web-watchers-warn-of-new-storm-attack/#comment-355 chris jarrett Wed, 04 Jul 2007 18:42:02 +0000 http://security.blogs.techtarget.com/2007/06/29/web-watchers-warn-of-new-storm-attack/#comment-355 Because it is a javascript exploit using the NoScript plugin for Firefox will prevent infection unless you click the link. It will also cut down on lagging background scripting while making Firefox all that more secure. Because it is a javascript exploit using the NoScript plugin for Firefox will prevent infection unless you click the link. It will also cut down on lagging background scripting while making Firefox all that more secure.

]]> By: Bill Brenner http://itknowledgeexchange.techtarget.com/security-bytes/web-watchers-warn-of-new-storm-attack/#comment-354 Bill Brenner Tue, 03 Jul 2007 11:05:45 +0000 http://security.blogs.techtarget.com/2007/06/29/web-watchers-warn-of-new-storm-attack/#comment-354 I'm not 100% certain about how this might affect Linux, but everything I've been told so far indicates that this is primarily a problem for Windows users running either Internet Explorer or Firefox. I’m not 100% certain about how this might affect Linux, but everything I’ve been told so far indicates that this is primarily a problem for Windows users running either Internet Explorer or Firefox.

]]> By: chris jarrett http://itknowledgeexchange.techtarget.com/security-bytes/web-watchers-warn-of-new-storm-attack/#comment-353 chris jarrett Mon, 02 Jul 2007 22:04:56 +0000 http://security.blogs.techtarget.com/2007/06/29/web-watchers-warn-of-new-storm-attack/#comment-353 Will this exploit affect Firefox or just internet explorer and what about the affect of it on Linux and other alternate operating systems? Will this exploit affect Firefox or just internet explorer and what about the affect of it on Linux and other alternate operating systems?

]]> By: Stan http://itknowledgeexchange.techtarget.com/security-bytes/web-watchers-warn-of-new-storm-attack/#comment-352 Stan Mon, 02 Jul 2007 20:10:19 +0000 http://security.blogs.techtarget.com/2007/06/29/web-watchers-warn-of-new-storm-attack/#comment-352 Here are two more IP's that are propagating this stuff. I got the domain names from http://www.arin.net/whois/ this one is from Amsterdam - ripe.net 82.39.44.93 this one is a USA Comcast address 24.3.223.219 I haven't followed the links just made a note of them. Here are two more IP’s that are propagating this stuff.

I got the domain names from  <a href="http://www.arin.net/whois/" title="http://www.arin.net/whois/" target="_blank">http://www.arin.net/whois/</a>

this one is from Amsterdam - <a href="http://ripe.net" title="http://ripe. " target="_blank">ripe.net</a>
82.39.44.93

this one is a USA Comcast address
24.3.223.219

I haven’t followed the links just made a note of them.

]]>