Tuesday, April 1, 2008

New Storm, Old Song

The new Storm (the “April Fool’s” one), also known as a CME-711/Peacomm/Nuwar/Zhelatin/Tibs, uses a cheap trick of dropping and loading a DLL named testdll_f.dll, where now all Storm’s functionality resides.

Interestingly enough, ThreatExpert Memory Scanner detected and reported the new Storm with the stone-age memory signatures, as shown below:

ThreatExpert Automation was tweaked to report the new Storm in a more efficient way.

Now, the details of the peer-to-peer botnet used by this threat are enlisted, alone with the file extensions it considers for harvesting email addresses and the email addresses it avoids touching.

For more information, please review the latest ThreatExpert report.