Storm Worm

OK, actually it is not always a worm, and only the press calls it storm worm. Everyone else calls it by one of several other names. ESET calls it “Win32/Fuclip.A Trojan”, “Win32/Fuclip.D Trojan”, “Win32/Nuwar.S worm” or sometimes “Win32/Nuwar.T worm”. Symantec calls it “Trojan.Peacomm”. McAfee calls it “Downloader-BAI.gen Trojan”. Confusing? Well, it isn’t actually just one piece of malicious software; the author is constantly modifying it to try to beat the AV companies. Additionally, once a user gets infected, the program then downloads other programs.

 

So what is not confusing about it? Here is the easy part. The only people who get infected by it are the people who run suspicious attachments. That’s right, if you don’t click on the attachment you do not get infected. If you are running Outlook 2000 or newer you do not get infected because Outlook will not let you get to the executable attachment. If you are running a recent version of Outlook Express and have not changed the default settings you cannot get to the attachment either. If you are using a mail client that lets you open attachments, don’t open any attachments unless you are expecting them, know the name of the attachment before you receive it, and know who is sending it to you.

 

As you can see from Virus Radar, NOD32 is detecting a lot of these files. As of this writing, http://www.virus-radar.com/stat_01_current/index_enu.html shows Win32/Nuwar.T worm topping the charts, with Win32/Nuwar.S worm in fifth place. A look at the week (http://www.virus-radar.com/stat_01_current/index_c168h_enu.html) shows Fuclip.B in first place, with Nuwar.T and Nuwar.S in fourth and sixth places respectively. For the month (http://www.virus-radar.com/stat_01_current/index_c31d_enu.html), Fuclip.B is in first place, Nuwar.M is second, and a couple of other Nuwar variants are in eighth and ninth.

 

I expect we’ll see many more variants of this malware. If you are using NOD32 we are keeping your computer protected, but still don’t open any attachments from people you don’t know, and don’t open any attachments that you are not expecting, even from people you do know. Ask the sender if they meant to send an attachment before you open it, even if it looks like it was sent by a friend.

 

Randy Abrams
Director of Technical Education

Author ESET Research, ESET

  • http://anti-virus-rants.blogspot.com/ kurt wismer

    “only the press calls it storm worm.”

    actually, f-secure is calling it storm worm on their blog – perhaps they have the press’ ear…

  • Randy Abrams

    OK, none of the vendors are detecting the malware as W32/Storm :)

    Cheers,

    Randy

1 article related to:
Hot Topic
22 Jan 2007
ESET Virus Radar

Copyright © 2014 ESET, All Rights Reserved.