TK Junk Mail
Go ahead, make my day
Premium
join:2002-03-03
Margate City, NJ
clubs:
·Comcast

 No April Fools'--Storm worm is back; don't click on links

»www.news.com/8301-10789_3-990688···1_3-0-20
Don't click on that silly April Fools' Day e-mail, says one security expert.

In a blog, Arbor Networks' Jose Nazario reports that within the last 24 hours he's seeing new releases of the Storm worm designed to take advantage of the first day of April. This new spam campaign is a lure to infect new computers that will become part of the larger Storm worm botnet.

The e-mail body is spartan: the words "Doh! April Fools" followed by a numeric URL. If a user clicks on that URL, the default Internet browser will open to a page with a cartoon character. A download is supposed to start within five seconds and, according to the message, "If your download does not start, click here and then press 'Run.'"

The compromised computer will then install the downloaded file as C:\WINDOWS\aromis.exe. Nazario reports that the botnet file opens the firewall using the netsh firewall set command, makes a lot of outbound connections, then listens on a random UDP port.
Forewarned is forearmed. Avoid the temptation to click on the links in those April Fools Day emails. Even if they look like they came from someone you know.
--
My BLOG .. .. Internet News .. .. My Web Page

kpatz
Premium
join:2003-06-13
Manchester, NH
Guess they're looking for "fools" to join their botnet.

Some of the URLs don't have a trailing slash so if your filter expects this, update your filter...


Killer Maxx

@rr.com
 reply to TK Junk Mail
For those of us running e-mail servers, here is another variation to add to the filters.

Subject - Happy April Fool's Day.

Body - Gotcha! »92.xxx.86.xx

kpatz
Premium
join:2003-06-13
Manchester, NH

reply to TK Junk Mail
I just block anything that has an IP address URL in it. Sticks these stupid spams where they belong.

This regex pattern does the trick.


--
Windows Vista has detected that your mouse was moved. In order to enhance your user experience, Vista needs to contact Microsoft to re-activate the software. Please make sure you are connected to the Internet, have your credit card handy, then click OK.
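
The filtering idea discussed in this thread (flag mail whose body links to a bare IP address, with or without a trailing slash), as an added example that is not the poster's regex, which does not appear on the page. The function names, the sample messages and their documentation-range addresses are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string

# http(s) URL whose host is a dotted quad. Port, path and trailing slash are
# optional; the lookahead stops "http://1.2.3.4.example.com" from matching.
IP_URL = re.compile(
    r"\bhttps?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d{1,5})?(?=[/?#\s\"'<>]|$)",
    re.IGNORECASE,
)

def ip_urls(text):
    """Return the hosts of URLs in text that are valid IPv4 literals."""
    hosts = []
    for match in IP_URL.finditer(text):
        try:
            ipaddress.IPv4Address(match.group(1))  # rejects octets above 255
        except ValueError:
            continue
        hosts.append(match.group(1))
    return hosts

def body_text(raw):
    """Concatenate the decoded text/* parts of a raw RFC 822 message."""
    msg = message_from_string(raw)
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            chunks.append(payload.decode(charset, "replace"))
    return "\n".join(chunks)

def should_block(raw):
    """True when the message body contains at least one IP-address URL."""
    return bool(ip_urls(body_text(raw)))

# Constructed sample messages (addresses are from documentation ranges).
SAMPLES = {
    "no_slash": "Subject: Happy April Fool's Day.\n\nGotcha! http://192.0.2.55\n",
    "slash": "Subject: hi\n\nDoh! April Fools http://198.51.100.7/\n",
    "hostname": "Subject: notes\n\nSee http://example.com/1.2.3.4/ for details\n",
    "bad_octet": "Subject: x\n\nhttp://10.20.30.400/\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "BLOCK" if should_block(raw) else "pass")
```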