Cached copy of http://feeds.feedburner.com/~r/DanchoDanchevOnSecurityAndNewMedia/~3/217398938/storm-worms-st-valentine-campaign.html, a snapshot of the article taken when the feed was indexed.
Storm Worm's St. Valentine Campaign
2008-01-15 21:01:01 by Dancho Danchev in Dancho Danchev's Blog - Mind Streams of Information Security Knowledge
 
The Riders on the Storm Worm are once again riding a short-term window of opportunity, this time St. Valentine's Day, with a mass-mailing email campaign that links to two files, with_love.exe and withlove.exe. The links point to an already infected host that acts as the propagation vector itself, in the very same fashion they have been using so far.

Detection rate: 3/32 (9.38%)
File size: 114689 bytes
MD5: 31ac9582674cad4c8c8068efb173d7c7
SHA1: cee93d3021318a34e188b8fae812aa929cb2bc9c

NOD32v2 - a variant of Win32/Nuwar
Prevx1 - Stormy:All Strains-All Variants
Webwasher-Gateway - Win32.Malware.gen!88 (suspicious)

The binary drops burito.ini (MD5: A65FA0C23B1078B0758B80B5C0FD37F3) and burito1205-67d5.sys (MD5: C4B9DD12714666C0707F5A6E39156C11), and creates the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_BURITO1205-67D5
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_BURITO1205-67D5\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\burito1205-67d5
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\burito1205-67d5\Security

Surprisingly, no client-side vulnerabilities were used in the last two campaigns; the infection still depends entirely on the recipient running the attached binary.
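The file names, hashes and registry keys listed above are enough to sweep a suspect host for this campaign. The following is an added example (not code from the original post) that matches file names and MD5/SHA1 digests against those indicators and, on Windows, checks whether the service and driver keys the binary creates are present; the `registry_hits` check assumes the keys live under HKEY_LOCAL_MACHINE exactly as the post lists them.

```python
import hashlib

# Indicators copied from the post above: MD5/SHA1 hex digests, lowercased.
HASH_IOCS = {
    "31ac9582674cad4c8c8068efb173d7c7": "mailed binary (MD5)",
    "cee93d3021318a34e188b8fae812aa929cb2bc9c": "mailed binary (SHA1)",
    "a65fa0c23b1078b0758b80b5c0fd37f3": "dropped burito.ini (MD5)",
    "c4b9dd12714666c0707f5a6e39156c11": "dropped burito1205-67d5.sys (MD5)",
}
DROPPED_NAMES = {"with_love.exe", "withlove.exe", "burito.ini", "burito1205-67d5.sys"}
# Service/driver keys the binary creates, as listed in the post (relative to HKLM).
REGISTRY_KEYS = [
    r"SYSTEM\ControlSet001\Enum\Root\LEGACY_BURITO1205-67D5",
    r"SYSTEM\ControlSet001\Services\burito1205-67d5",
]


def digest_bytes(data):
    """Return (md5, sha1) hex digests of an in-memory blob (e.g. a file's bytes)."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def classify(name, *digests):
    """Return the indicators a file matches by name and/or digest; [] means none."""
    hits = []
    if name.lower() in DROPPED_NAMES:
        hits.append("name:" + name.lower())
    for d in digests:
        if d.lower() in HASH_IOCS:
            hits.append("hash:" + HASH_IOCS[d.lower()])
    return hits


def registry_hits():
    """On Windows, return which of the post's HKLM keys exist; elsewhere return []."""
    try:
        import winreg  # only available on Windows
    except ImportError:
        return []
    found = []
    for key in REGISTRY_KEYS:
        try:
            winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key))
            found.append(key)
        except OSError:
            pass  # key absent or not readable: not a hit
    return found
```

To sweep a directory, feed each file's name and `digest_bytes(open(path, "rb").read())` into `classify`, then call `registry_hits()` on the host itself; a name-only match on a renamed copy of an unrelated file is possible, so treat hash matches as the stronger signal.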