Swatkat's rants

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Monday, 22 October 2007

Nuwar/Storm Worm update!

Posted on 10:49 by Unknown
The gang behind Storm Worm (a.k.a eCard worm) has once again changed their social engineering tactics and also file names. Now, we get a "Psycho Kitty Card" (whatever that means!) instead of plain old eCards:

When we click on the link, we are presented with a fake web page as usual. Along with this, it plays music too!

And in this iteration of Storm Worm, the drive-by-download is back. The PC will be infected with a variant of Tibs Rootkit just by visiting the page. No need to download or click on anything. Now rootkit files are named as noskrnl.exe, noskrnl.sys and noskrnl.config instead of spooldr.exe, spooldr.sys and spooldr.ini,which were prevalent in older versions. Here are some screenshots showing hidden process, SSDT hooks of the rootkit:


Detections for this Storm Worm variant are pretty good. However, to be on the safer side, delete any of the "Psycho Kitty Card" mails that you might have received!
Email ThisBlogThis!Share to XShare to FacebookShare to Pinterest
Posted in | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

Categories

  • a.exe
  • Autohotkey
  • C++
  • fake mp3 downloads
  • gop.exe
  • NewMediaCodec
  • OAuth
  • Orkut hating virus
  • Privacy Protector
  • rootkit
  • SysProt AntiRootkit
  • TDSServ rootkit removal
  • twitCurl
  • twitter
  • Udefender
  • Ultimate Cleaner
  • vdo_
  • Zlob
  • Zlob rootkit

Blog Archive

  • ►  2013 (1)
    • ►  June (1)
  • ►  2010 (6)
    • ►  October (2)
    • ►  September (2)
    • ►  July (1)
    • ►  April (1)
  • ►  2009 (12)
    • ►  September (1)
    • ►  May (1)
    • ►  April (1)
    • ►  March (4)
    • ►  January (5)
  • ►  2008 (44)
    • ►  December (6)
    • ►  November (6)
    • ►  October (4)
    • ►  September (15)
    • ►  August (2)
    • ►  June (2)
    • ►  May (1)
    • ►  April (1)
    • ►  March (6)
    • ►  January (1)
  • ▼  2007 (38)
    • ►  December (1)
    • ►  November (2)
    • ▼  October (9)
      • Nuwar/Storm Worm update!
      • www.pravingodkhindi.com hacked?!
      • More xvgaoke.cn!
      • Myphonegames.co.uk hacked?!
      • The netadv - fake toolbar from Zlob
      • SystemErrorFixer and fake system shutdown warning
      • Spot The Not!
      • Hacked Indian university site serving malware
      • Rogue application pretends as Microsoft Antispyware
    • ►  September (2)
    • ►  August (8)
    • ►  July (11)
    • ►  June (3)
    • ►  March (2)
  • ►  2006 (6)
    • ►  September (1)
    • ►  August (2)
    • ►  May (1)
    • ►  February (2)
  • ►  2005 (30)
    • ►  December (2)
    • ►  November (2)
    • ►  October (4)
    • ►  September (5)
    • ►  August (11)
    • ►  July (6)
Powered by Blogger.

About Me

Unknown
View my complete profile