F-SECURE PRESS RELEASE: "Storm Worm" Launched on the Internet on the tail of European Storm
For release January 19, 2006
Helsinki, Finland - January 19, 2007
A significant network attack was launched globally in the early hours of
Thursday morning (GMT) using news of a European storm as the hook to lure the
unsuspecting. The message, which was created and launched literally as the
storm raged, is exploiting a timely widescale media event as the key
mechanism for delivering its payload.
The Trojan was distributed in messages with the subject line "230 dead as
storm batters Europe". The payload in this case was the Small.DAM Trojan, which
was downloaded onto all vulnerable machines when the spam mail's
attachment, such as "Read More.exe", was opened. Once inside the machine, the Trojan
creates a backdoor that can be exploited later by the malware authors behind
As has been seen with other attacks, the likely intention is to create a new
raft of zombie computers to steal information and to further propagate
large-scale spam and phishing runs.
In addition to the headline "230 dead as storm batters Europe" the spam uses
a number of other provocative headlines. Attachments may be of the following
filenames: "Full Clip.exe"; "Full Story.exe"; "Read More.exe" and
The assault was first picked up by F-Secure Security Labs Kuala Lumpur during
the very early hours of Friday European time. The timing of the assault and
its detection in Asia leads researchers to believe that the assault also
originated in the region.
Speaking about the case, Mikko Hypponen, Chief Research Officer at F-Secure
said: "Trojan assaults of this scale are an unfortunate and increasingly
common event. What is significant here though is the timely nature of this
assault in relation to the European storm. Malware gangs are clearly using
every technique and even tragedies like these to gain access to vulnerable
F-Secure's security products detect and block Small.DAM.
This is a Low-Profiled Threat Notice for Downloader-BAI
Downloader-BAI has been deemed Low-Profiled due to prevalence of submissions.
Read About It
Information about Downloader-BAI is located on VIL at: http://vil.nai.com/vil/content/v_141316.htm
Downloader-BAI was first discovered on January 19, 2007 and detection will be added to the 4943 dat files (Release Date: January 19, 2007).
Though we consider this a low threat, an EXTRA.DAT file may be downloaded via the McAfee AVERT Extra.dat Request Page: <https://www.webimmune.net/extra/getextra.aspx>
If you suspect you have Downloader-BAI, please submit a sample to <http://www.webimmune.net>