Storm Worm
Have you noticed the recent flood of e-mail messages that try to get you to click on a link to open an e-card, see a YouTube video, or redeem membership benefits? These hoax messages direct victims to a site and prompt them to install an "applet." This applet is the Storm Worm virus, and the infection is spreading quickly.
Storm Worm's name is actually misleading; this malicious program is a "bot", not a "worm." Computer worms spread automatically, but Storm Worm is spread intentionally by an online criminal group. Since the bot deliberately misleads you in order to gain access to your system, it is sometimes referred to as a Trojan Horse. Storm Worm succeeds by tricking you into clicking links, opening attachments, or downloading applets.
- How Bots Work
- How can I verify my computer is infected?
- What do I do if my computer has Storm Worm?
- Frequently Asked Questions
How can I verify my computer is infected?
UCSD's Network Security team compiles and monitors a list of IP addresses of computers on the Internet known to be infected with Storm Worm. This list is being compared with the logs of computers that have been visiting one of several UCSD sites, such as Tritonlink. If you get redirected to a "Storm Worm Alert" page when you try to visit Tritonlink (or any other UCSD sites using Single Sign On authentication), the IP that your computer is associated with is on our list of Storm Worm infected machines.
However, if you get redirected to a "Storm Worm Alert" page and you are at home with multiple computers connected online, the computer you use may not actually be infected. Home computers are typically behind a router. When you connect from a shared network connection such as this, all computers behind the router will appear to have the same public IP address. If you have been redirected here when you try to access Tritonlink, there is at least one infected computer on your shared network. The only way to find out which computers are infected is to run an antivirus program on all of your home computers.
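The correlation described above, as an added illustration that is not UCSD's own tooling: a constructed list of reported-infected public IPs is matched against constructed web access log lines, and an IP that shows several distinct browsers is flagged as the shared-router case where the log alone cannot say which machine behind the NAT is infected. The IP addresses, log lines and function names are all assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed placeholder list of public IPs reported as Storm Worm infected (not UCSD's real list).
KNOWN_INFECTED = {"203.0.113.17", "198.51.100.42"}

# Constructed web-server access log lines (combined log format) for a Single Sign On site.
SAMPLE_LOG = """\
203.0.113.17 - - [01/Oct/2007:09:12:01 -0700] "GET /tritonlink/ HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.17 - - [01/Oct/2007:09:12:45 -0700] "GET /tritonlink/login HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) Safari/419.3"
192.0.2.8 - - [01/Oct/2007:09:13:10 -0700] "GET /tritonlink/ HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
198.51.100.42 - - [01/Oct/2007:09:14:02 -0700] "GET /tritonlink/ HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
"""

# Client IP is the first field; the quoted User-Agent is the last field.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')

def parse_log(text):
    """Yield (client_ip, user_agent) for every well-formed log line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group(1), m.group(2)

def correlate(log_text, infected_ips):
    """Map each visiting IP that is on the infected list to the set of User-Agents seen from it.

    Several distinct browsers behind one public IP is the home-router situation the
    advisory describes: at least one host behind that router is infected, but the
    web log alone cannot tell which one.
    """
    agents = defaultdict(set)
    for ip, ua in parse_log(log_text):
        if ip in infected_ips:
            agents[ip].add(ua)
    return dict(agents)

def decide(ip, log_text, infected_ips):
    """Action for one client IP: 'allow', 'alert' (single host), or 'alert-shared' (NAT suspected)."""
    hits = correlate(log_text, infected_ips)
    if ip not in hits:
        return "allow"
    return "alert-shared" if len(hits[ip]) > 1 else "alert"

if __name__ == "__main__":
    for ip in ("192.0.2.8", "203.0.113.17", "198.51.100.42"):
        print(ip, decide(ip, SAMPLE_LOG, KNOWN_INFECTED))
```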
Antivirus programs are currently unable to completely identify the Storm Worm virus/bot, but will identify parts of it. If your antivirus program finds anything from this following list on your computer, you have been infected by Storm Worm and you must address the problem immediately:
- Agent
- Crypt.XPACK
- Dorf
- Downloader-BAI
- Dropper.gen6
- Fathom
- Fuclip
- Groan
- Killer.Ecard
- Nuwar
- Packed.13
- Packed.142
- Packed.145
- Peacoan
- Peacomm
- Peed
- Rootkit.47744
- Rootkit.dam
- Sintun
- Small
- Sploder
- Stormworm
- Tibs
- Trojan.Spambot
- TR/Patched
- Win32.Spamtool
- Zhelatin
What do I do if my computer has Storm Worm?
Students can get a limited amount of free help with removing Storm Worm through the ACS Help Desk (for any student) or ResNet (for students who live on campus). Please keep in mind that support may be delayed due to the heavy demand typical for the beginning of Fall quarter, in addition to the high number of infected computers. For this reason, we highly recommend cleaning your computer *before* you come to campus. Any infected computers connecting to the campus network will be blocked immediately.
There are two options for securing your computer if it is infected with Storm Worm:
- Remove the virus. There are three ways to do this:
  - Some variations will be detected and removed by the latest Microsoft Windows Update. Run Windows Update and install the latest patches, or specifically, download and install the September Microsoft Windows Software Removal Tool at the Microsoft Download Center. More information can be found in Microsoft's Knowledgebase Article 890830.
  - Some antivirus software with updated virus definition files may be able to detect and remove parts of the Storm Worm viruses.
  - If the first two methods fail to remove the virus, you can contact ResNet to have a technician help you remove it. Whether you bring your machine to our Helpdesk or schedule an appointment to have a technician come to your location, Storm Worm removal typically takes up to 30 minutes. Newer variations will require someone trained in removing the Storm Worm virus.
- Reformat your computer. This involves wiping all your data off of the hard drive and reinstalling your operating system. We strongly recommend you enlist the help of a computer specialist if you feel you will not be comfortable following step-by-step instructions. Some large computer chain stores provide this kind of service (CompUSA's "Techknowledgists" and Best Buy's "Geek Squad").
For step-by-step instructions for reformatting your computer, visit our Reinstalling Microsoft Windows tutorial.
How Bots Work
Hackers who write bot-type viruses have one goal in mind: infect as many machines as possible and preserve the network of zombie (virus-infected) computers. This network of infected machines is called a botnet. Once a machine is infected with a bot, the virus sits quietly in the background and waits for a command from the hacker. For this reason many people are not aware that their computer has been infected with a bot.
The infection cycle looks like this:
- Virus author sends out email spam containing viruses, or uses some other method of social engineering to trick people into installing the virus on their computer.
- Infected computers log into an IRC server or other communications medium to form a network of infected systems. This is known as a botnet.
- The author uses the botnet to send out more spam using the infected computers.
- Users infect their computers by clicking on links in spam, and the process starts again.
- At any time, a spammer may purchase access to this botnet from the author to send spam, or a cybercriminal may do this and use the infected machines to attack critical network resources, such as a company server or a website.
Frequently Asked Questions
- Q: What is Storm Worm?
- A: A fast-spreading bot/virus that participates in a network of infected computers and allows a hacker to control your computer. More information.
- Q: What can I do if I suspect I have Storm Worm?
- A: Disconnect your machine from the network immediately. This will keep your computer from infecting other computers and from sending out spam. Bring your computer to our Front Desk so we can assist you in removing Storm Worm. If you need to get online, you should use someone else's computer or you can log into a computer in an ACS lab. You may also clean your computer by reformatting.
- Q: How did my computer get infected?
- A: Someone using your computer clicked on a link in a spam message, forwarding them to a website where they downloaded an "applet." This installed a program on your machine that allows it to be controlled by the owner of the botnet.
- Q: How was my computer identified as being infected?
- A: UCSD has a list of IP addresses known to be hosting a Storm Worm infected computer. We have been comparing this list of IP addresses to a list of IP addresses that have been visiting one of several UCSD sites, such as Tritonlink.
- Q: Is there any chance that it is NOT my computer?
- A: If you are the only one using the IP address, your machine is definitely infected. If you are on a network connection that goes through a router (as is the case for most home networks) that shares a public IP address, there is at least one infected computer on your shared network.
- Q: If I am on a shared network, how can I verify whether it is my computer or not?
- A: Install and run an antivirus program on all of the machines in your home or your shared network. If the antivirus software finds any of the Storm Worm names in the section above, that computer is infected with Storm Worm. There could be more than one computer in your shared network that is infected.
- Q: Can't I just run antivirus software to remove Storm Worm?
- A: Sometimes. Click here for more information.
- Q: Why is computer security so important?
- A: Malicious computer hackers, data-destroying viruses, and email spam are all threats. Without keeping yourself properly protected, hackers can gain access to sensitive information stored on your computer, such as credit card numbers and Social Security numbers. You could lose all your data or have it altered so much it becomes unusable. A hacked computer poses a serious threat to the network and can infect other machines. If you place an infected computer on the UC San Diego computer network, you may be responsible for damage to other systems.
- Q: But how often does it actually happen?
- A: In the summer of 2007, SecureWorks, an Internet security provider, detected 1.7 million unique hosts infected by Storm Worm in the last couple of months. Compare that to just 2,817 Storm Worm infections in the five months before June!
- Q: What does it mean if my machine has been 'hacked' into?
- A: It means someone has accessed your computer, usually remotely, without your permission or knowledge. If your computer is hacked into, any private information you have may be shared or stolen through the network connection. The hacker can also use your computer as a base for illegal activities (leaving you responsible).
- Q: How can I keep Storm Worm off my computer?
- A: Never open an attachment or click on a link from an unknown or unexpected source. (The success of Storm Worm and other malware relies on the ability to trick you into clicking on links and installing programs). Always have a current, updated antivirus program running, use your firewall, and set your computer to install Windows updates automatically. Visit our security page for more information.
- Q: What's the worst thing I can do if I do have a virus?
- A: Ignore it. Ignoring the problem will not make it go away. It will help spread the virus to others, usually your friends and family.