MA-124.022008: MyCERT Advisory - Latest Storm Worm

Original Issue Date: 1st February 2008
Last revised:
Source: MyCERT

1.0 Introduction

MyCERT has been observing since this week the mass circulation of malicious spam emails which contain romantic or Valentine's Day greetings. The emails are short and to the point, containing a brief message followed by a URL. Should the user click on the URL, they will be directed to a site that looks like this:

[Screenshot of the malicious site (image not reproduced)]
Our analysis has shown that once the link in the email is opened with a normal browser such as Internet Explorer, Mozilla Firefox or Safari, the index.html page automatically prompts the user to download the malicious files withlove.exe and with_love.exe. The embedded image on the page, Hearts.jpg, is also linked to one or both of these files, so clicking it likewise prompts the user to download them. Once a downloaded file is run, the malware installs itself as a rootkit on the victim's machine.

Based on the number of reports received, we believe the malicious spam emails are circulating widely in our constituency. MyCERT advises users and organizations to update their anti-virus software with the latest signature files, patch their systems and take the preventive actions provided below to protect against this and future malicious code infections.

2.0 Systems Affected

Windows 2000
Windows XP
Windows 2003
Windows ME
Windows NT
Windows 95
Windows 98
3.0 Payload

Sends mass spam emails to potential victims.
Provides unauthorized access to infected machines via a backdoor and a kernel-level rootkit.
Has keylogging functionality.
Receives command updates over a P2P network (botnet).
4.0 Subject of Email

The subject lines of the spam emails include the following:

The messages contained in the mails are simple, such as the following:

Words in My Heart
http://74.204.159.42/

Kisses Through Email
http://91.122.126.113/

Why I Love You
http://79.114.85.18/

Falling In Love With You
http://60.1.152.187
5.0 Technical Description

Upon clicking the link provided in the email, the victim is taken to the page at that URL. The example below shows what the index.html page looks like:
Figure 1: The source code of the malicious index.html (image not reproduced)

If the victim is using a normal web browser such as Firefox, Internet Explorer or Safari, the index.html page will automatically ask the victim to download the files withlove.exe and with_love.exe. Looking at Figure 1, there is no visible iframe or link to download the files: the attacker has written the link as a string of escaped characters that the page decodes with unescape(), so that it is not easily spotted by the victim. Once decoded, the characters clearly show the links to the files. Decoding the two escaped strings gives:

unescape('%3C%61%20%68%72%65%66%3D%22%77%69%74%68%6C%6F%76%65%2E%65%78%65%22%3E%0D%0A') = <a href="withlove.exe"> followed by a CR LF line break
unescape('%3C%61%20%68%72%65%66%3D%22%77%69%74%68%5F%6C%6F%76%65%2E%65%78%65%22%3E%0D%0A') = <a href="with_love.exe"> followed by a CR LF line break

Example 1: Decoding unescape characters from index.html

If we reconstruct that portion of index.html, it looks something like Example 2:
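To make the decoding step concrete, here is an added Python example (not part of the advisory) that re-implements JavaScript's unescape() and runs it over a constructed index.html modelled on the description above; the advisory's actual HTML is not reproduced, so SAMPLE_INDEX_HTML, EXECUTABLE_EXT and the helper names are assumptions.

```python
import re

# JavaScript unescape(): %uXXXX decodes to one UTF-16 code unit, %XX to one
# byte value; anything else passes through unchanged. Re-implemented here so
# the analysis runs offline without a browser.
_ESC = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")

def js_unescape(s: str) -> str:
    return _ESC.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)

# Constructed sample (an assumption, not the advisory's index.html): the anchor
# tags are written by unescape() calls and Hearts.jpg sits inside the first one.
SAMPLE_INDEX_HTML = """<html><body>
<script>document.write(unescape('%3C%61%20%68%72%65%66%3D%22%77%69%74%68%6C%6F%76%65%2E%65%78%65%22%3E%0D%0A'));</script>
<img src="Hearts.jpg"></a>
<script>document.write(unescape('%3C%61%20%68%72%65%66%3D%22%77%69%74%68%5F%6C%6F%76%65%2E%65%78%65%22%3E%0D%0A'));</script>
</body></html>"""

_UNESCAPE_CALL = re.compile(r"""unescape\(\s*['"]([^'"]*)['"]\s*\)""")
_HREF = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat")

def decode_unescape_calls(html: str) -> list:
    """Return the decoded string of every unescape('...') call in the page."""
    return [js_unescape(m.group(1)) for m in _UNESCAPE_CALL.finditer(html)]

def find_hidden_executable_links(html: str) -> list:
    """Link targets that exist only inside unescape() strings (so a plain read
    of the source does not show them) and that point at an executable."""
    visible = set(_HREF.findall(html))
    hidden = []
    for decoded in decode_unescape_calls(html):
        for target in _HREF.findall(decoded):
            if target not in visible and target.lower().endswith(EXECUTABLE_EXT):
                hidden.append(target)
    return hidden

if __name__ == "__main__":
    for decoded in decode_unescape_calls(SAMPLE_INDEX_HTML):
        print(repr(decoded))          # e.g. '<a href="withlove.exe">\r\n'
    print(find_hidden_executable_links(SAMPLE_INDEX_HTML))
```

Running find_hidden_executable_links over a captured page gives a reviewer the executable targets that a plain read of the source would miss.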
Example 2: Reconstructed portion of index.html (image not reproduced)

With basic knowledge of HTML it is easy to see what the attacker is trying to do. The attacker places a link on the embedded image Hearts.jpg. Once the victim clicks the image, the page asks the victim to download a file called withlove.exe, which is a malicious file. Once the victim runs the downloaded file, the malware installs itself as a stealthy rootkit.

MyCERT downloaded the malicious files and scanned them with the ClamAV antivirus; Result 2 shows the ClamAV output. Other commercial products detect the files as a variant of Zhelatin or Storm Worm.

with_love.exe: Trojan.Peed-89 FOUND
withlove.exe: Trojan.Peed-89 FOUND
----------- SCAN SUMMARY -----------

File withlove.exe received on 01.17.2008 02:50:13 (CET)
Current status: finished
Result: 18/32 (56.25%)

Antivirus            Result
AhnLab-V3            -
AntiVir              Worm/Zhelatin.AN.2
Authentium           -
Avast                -
AVG                  I-Worm/Nuwar.L
BitDefender          Trojan.Peed.ITB
CAT-QuickHeal        -
ClamAV               Trojan.Peed-89
DrWeb                Trojan.MulDrop.10030
eSafe                -
eTrust-Vet           Win32/Sintun.BB
Ewido                -
FileAdvisor          -
Fortinet             -
F-Prot               W32/StormWorm.AB
F-Secure             Email-Worm.Win32.Zhelatin.sd
Ikarus               Trojan.Peed.ITB
Kaspersky            Email-Worm.Win32.Zhelatin.sd
McAfee               W32/Nuwar@MM
Microsoft            TrojanDropper:Win32/Nuwar.gen!A
NOD32v2              a variant of Win32/Nuwar
Norman               -
Panda                -
Prevx1               Stormy:All Strains-All Variants
Rising               -
Sophos               Mal/Dorf-I
Sunbelt              -
Symantec             Trojan.Peacomm.D
TheHacker            -
VBA32                -
VirusBuster          Trojan.DR.Zhelatin.AX.Gen
Webwasher-Gateway    Worm.Zhelatin.AN.2

(The Version and Last Update columns of the scan report were blank for every entry; "-" in the Result column means no detection.)

Additional information
MD5: d22075dfee38df28a0665dcdf480c469
SHA1: 00733967114a6ce2dc31e628fdf914f7ded08e53
SHA256: 5ccd852ecddbdb2c9972e59a55fce80b4bd14c8a0a96aa23aa102cd669d91d97
SHA512: 05c1095770740ec7da8b84637d3aff610f3a4b5207b732a6d381d7909e7d23ccba61e19978c2444f05eb68489d71b1b96c0b926e2ba309ba892b11a814893918

Result 1: Reconstruct the portion of index.html

The malware's functionality is quite extensive: it is a mass mailer, a backdoor, a kernel-level rootkit and a keylogger. The infected machines also exchange command updates among themselves over a P2P network (botnet). The IP addresses observed so far communicating with this malware are listed in Appendix A.

The malware creates two files, C:\WINDOWS\system32\burito.ini and C:\WINDOWS\system32\burito1205-67d5.sys. burito.ini contains the list of peers for the P2P connection, while burito1205-67d5.sys is the malware itself.

6.0 Detection

Scan the infected computer with updated anti-virus software to detect the presence of the worm.

7.0 Removal

7.1 Disconnect your computer from the network and disable file sharing, if any.

7.2 Disable System Restore (for Windows XP/Windows Me only).

For Windows XP:
Click Start.
Right-click My Computer, and then click Properties.
Click the System Restore tab.
Select the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
For Windows Me:
Click Start, point to Settings, and then click Control Panel.
Double-click the System icon. The System Properties dialog box appears.
Click the Performance tab, and then click File System. The File System Properties dialog box appears.
Click the Troubleshooting tab, and then check Disable System Restore.
Click OK.
Click Yes when you are prompted to restart Windows.
7.3 Start your machine in Safe Mode. For how to start a computer in Safe Mode, please refer to:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam

7.4 Update your anti-virus software with the latest signature files and scan your computer to detect the worm; delete any files detected as the worm by clicking the DELETE button.

7.5 Search for and delete the files below:
with_love.exe
buritoXXX.sys

7.6 Delete the registry values added by the virus.

You need to back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. For how to make a backup of the Windows registry, please refer to:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/199762382617?OpenDocument&src=sec_doc_nam

To delete the entries:
Click Start > Run
Type regedit
Click OK
Delete the following entries:
HKEY_CURRENT_USER\Microsoft\Windows\CurrentVersion\Run\"noskrnl" = "%Windir%\noskrnl.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\noskrnl

7.7 Run a full system scan using an updated version of your anti-virus software and delete any files detected as the worm.

7.8 Enable System Restore again (for Windows XP/Windows Me only).

7.9 Re-scan your computer with an updated version of your anti-virus software to confirm the computer is clean.

7.10 Re-connect your computer to the network once it is confirmed clean.

NOTE: As your computer is disconnected from the network, use a clean computer connected to the network to download tools and references.
8.0 Mitigation Steps

MyCERT urges users and administrators to take the following preventive measures to mitigate the security risks:

8.1 Install the latest computer updates/patches.
8.2 Enable and use up-to-date anti-virus software.
8.3 Enable a personal firewall on your computer.
8.4 Practise safe email habits. You may refer to:
http://www.mycert.org.my/en/resources/email/email_practices/main/detail/512/index.html
8.5 System administrators are advised to block executable and unknown file types at the email gateway.
9.0 Reference

9.1 Symantec
http://www.symantec.com/enterprise/security_response/weblog/2008/01/storm_worm_dont_miss_the_boat.html
9.2 Sophos
http://www.sophos.com/security/blog/2008/01/991.html?_log_from=rss
9.3 FIRST
http://www.first.org/newsroom/globalsecurity/197791.html
Feedback can be directed to MyCERT.

Produced in 2008 by MyCERT, CyberSecurity Malaysia, an agency under the Ministry of Science, Technology and Innovation (MOSTI).

Revision History:
Initial Release: 1st February 2008
Last Updated: