No Stopping Storm Variants

By Matthew Hines  |  Posted 2008-07-21 Print this article Print

After the emergence of the Trojan.JS.Encrypted.A attack last week -- yet another in a long line of variants built off of the long-running Storm Worm code base -- more activity has been reported along the same lines.

In a blog posted on the Malware City information portal, which is backed by anti-virus vendor BitDefender, researcher Andrei Bereczki published details of another interesting new twist on Storm, dubbed Trojan.Downloader.Gadja.

Bereczki said the threat, first discovered in June 2008, has already seen three major updates in the last 40-odd days, and is currently being distributed as a spam-borne attachment.

After initial infection, the Gadja downloader copies a Windows device's userinit.exe executable file, then disables system protections and overwrites the original userinit.exe file with itself in order to execute at system startup.

"In order for Windows to start normally Trojan.Downloader.Gadja.C also starts userini.exe, the original copy of userinit.exe," Bereczki wrote. "After it deletes the file it has been originally executed from, the malware drops another file detected as Trojan.Downloader.Gadja.D. It also starts a new instance of svchost.exe and injects its code to bypass firewalls. Then it downloads additional malware like Trojan.Peed.JOP from certain sources."

The researcher also highlighted the continued persistence of the Peed Trojan via an online delivery model using a fake flash multimedia player, dubbed Trojan.Downloader.HTML.FM.

Using Independence Day-themed spam (in a time-honored Storm Worm tradition of tapping into holiday cheer) to lure users to a site offering the fake multimedia program, the Peed Trojan itself or another downloader quietly attempts to install Storm Worm code on a to-be-victimized computer.

When opened, the involved Web page also tries to level a drive-by at users by automatically attempting to run and install a remote access JavaScript program with several layers of encrypted data including Trojan.JS.Encrypted.A.

And on top of that, when someone clicks on the fake multimedia player, which offers video of a July Fourth fireworks display, the browser automatically downloads and installs a program identified as Fireworks.exe, which delivers another version of the Peed Trojan.

Once installed, this version of the Trojan copies itself into an affected machine's OS folder and modifies the Windows Firewall settings. It also registers the compromised computer as a peer in its malware network and uses a randomly chosen port to communicate with the other peers and update its peers' list, Berecki noted.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWEEK and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to |

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel