TK Junk Mail
Golf season has returned - hurrah
Premium
join:2002-03-03
Margate City, NJ
·Comcast

 No April Fools'--Storm worm is back; don't click on links

»www.news.com/8301-10789_3-990688···1_3-0-20
Don't click on that silly April Fools' Day e-mail, says one security expert.

In a blog, Arbor Networks' Jose Nazario reports that within the last 24 hours he's seeing new releases of the Storm worm designed to take advantage of the first day of April. This new spam campaign is a lure to infect new computers that will become part of the larger Storm worm botnet.

The e-mail body is spartan: the words "Doh! April Fools" followed by a numeric URL. If a user clicks on that URL, the default Internet browser will open to a page with a cartoon character. A download is supposed to start within five seconds and, according to the message, "If your download does not start, click here and then press 'Run.'"

The compromised computer will then install the downloaded file as C:\WINDOWS\aromis.exe. Nazario reports that the botnet file opens the firewall using the netsh firewall set command, makes a lot of outbound connections, then listens on a random UDP port.

Forewarned is forearmed. Avoid the temptation to click on the links in those April Fools' Day emails. Even if they look like they came from someone you know.

kpatz
Premium
join:2003-06-13
Manchester, NH
Guess they're looking for "fools" to join their botnet.

Some of the URLs don't have a trailing slash so if your filter expects this, update your filter...


Killer Maxx

@rr.com
 reply to TK Junk Mail
For those of us running e-mail servers, here is another variation to add to the filters.

Subject - Happy April Fool's Day.

Body - Gotcha! »92.xxx.86.xx

kpatz
Premium
join:2003-06-13
Manchester, NH

reply to TK Junk Mail
I just block anything that has an IP address URL in it. Sticks these stupid spams where they belong.

This regex pattern does the trick.


--
Windows Vista has detected that your mouse was moved. In order to enhance your user experience, Vista needs to contact Microsoft to re-activate the software. Please make sure you are connected to the Internet, have your credit card handy, then click OK.
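
The regex from the post above did not survive on this page. As an added example (not kpatz's pattern and not code from the thread), here is one way a mail filter can flag messages that link to a bare IP address, with or without the trailing slash mentioned earlier. The function names and sample messages are assumptions made for illustration.

```python
import ipaddress
import re
from email import message_from_string
from urllib.parse import urlsplit

# Candidate URLs: scheme plus everything up to whitespace, a quote or an angle bracket.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def ip_literal_urls(text):
    """Return the URLs in text whose host is an IP address literal."""
    hits = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:!?)")  # drop sentence punctuation glued to the URL
        try:
            host = urlsplit(url).hostname or ""
            ipaddress.ip_address(host)  # raises ValueError for DNS names
        except ValueError:
            continue
        hits.append(url)
    return hits

def should_block(raw_message):
    """True if any text part of the message links to a bare IP address."""
    msg = message_from_string(raw_message)
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "utf-8"
        try:
            text = payload.decode(charset, errors="replace")
        except LookupError:  # unknown charset label in the header
            text = payload.decode("latin-1")
        if ip_literal_urls(text):
            return True
    return False

# Constructed samples; 192.0.2.0/24 is reserved for documentation (RFC 5737).
SPAM_NO_SLASH = "Subject: Happy April Fool's Day.\n\nGotcha! http://192.0.2.10\n"
SPAM_SLASH = "Subject: Doh!\n\nDoh! April Fools http://192.0.2.77/\n"
HAM = "Subject: lunch\n\nMenu: http://192.0.2.10.example.com/menu and http://example.com/\n"

if __name__ == "__main__":
    for name, m in [("no slash", SPAM_NO_SLASH), ("slash", SPAM_SLASH), ("ham", HAM)]:
        print(name, "->", "block" if should_block(m) else "pass")
```

Parsing the host instead of matching digits in the raw URL keeps names such as 192.0.2.10.example.com from being flagged. Legitimate mail that links to devices by IP address will also match, so a rule like this is best paired with an allowlist or a score rather than an outright reject.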