'Storm Worm' Continues Quick Spread
The so-called 'Storm Worm' continues to spread, with several waves of attacks reported over the weekend. The virus writers have even included a way to update the Trojan, security firms say, in an effort to evade antivirus software.
Reports of the worm began surfacing on Friday in Europe, as unsuspecting Web users were tricked into downloading an executable file. The e-mail claimed to have breaking news on the stormy weather conditions that have rocked the region over the past week.
Subsequent waves added new subjects, claiming to have information on Cuban dictator Fidel Castro's death and news on possible Chinese missile tests. In each e-mail a different Trojan was used, and all were updatable.
F-Secure says in the latest wave, sent out Monday, the worm has changed its spots yet again. Subjects now tend to cover love-related subjects, it said. The firm recommended that IT administrators filter .exe files in the e-mail gateway immediately to help stop the spread of the worm.
Although an exact number off affected computers has not been provided, F-Secure says as many as several hundred thousand computers could have been affected. The Trojan installs a rootkit, which allows the attackers to use the computer as part of a botnet.
Further frustrating anti-malware researchers is the fact that the botnet created by this worm is more like a P2P network, which would make it harder to take down. Previously, most botnets had a centralized server, which when taken down would disable the rest of the network.
Researchers say for this reason it is hard to gauge the extent of the attack. However, at one point on Friday, 1 in 200 e-mails were infected, security firm Sophos said.