F-SECURE PRESS RELEASE: "Storm Worm" Launched on the Internet on the tail of European Storm


For release January 19, 2006

"Storm Worm" Launched on the Internet on the tail of European Storm

Helsinki, Finland - January 19, 2007
A significant network attack was launched globally in the early hours of
Thursday morning (GMT) using news of a European storm as the hook to lure the
unsuspecting. The message, which was created and launched literally as the
storm raged, is exploiting a timely widescale media event as the key
mechanism for delivering its payload.

The Trojan was distributed in messages with subject line of "230 dead as
storm batters Europe". The payload in this case was the Small.DAM Trojan that
was downloaded into all vulnerable machines upon opening of the spam mail's
attachment such as "Read More.exe". Once inside the machine, the Trojan
creates a backdoor that can be exploited later by the malware authors behind
the assault.

As has been seen with other attacks, the likely intention is to create a new
raft of zombie computers to steal information and to further propagate
large-scale spam and phishing runs.

In addition to the headline "230 dead as storm batters Europe" the spam uses
a number of other provocative headlines. Attachments may be of the following
filenames: "Full Clip.exe"; "Full Story.exe"; "Read More.exe" and

The assault was first picked up by F-Secure Security Labs Kuala Lumpur during
the very early hours of Friday European time. The timing of the assault and
its detection in Asia leads researchers to believe that the assault also
originated in the region.

Speaking about the case, Mikko Hypponen, Chief Research Officer at F-Secure
said: "Trojan assaults of this scale are an unfortunate and increasingly
common event. What is significant here though is the timely nature of this
assault in relation to the European storm. Malware gangs are clearly using
every technique and even tragedies like these to gain access to vulnerable

F-Secure's security products detect and block Small.DAM.