Reverse Engineering Storm Worm

The Storm Worm (so dubbed by the Finnish company F-Secure) is a backdoor / Trojan horse, discovered on January 17, 2007, that affects computers running Microsoft operating systems. The worm is also known as:

  • Small.dam or Trojan-Downloader.Win32.Small.dam (F-Secure)
  • CME-711 (MITRE)
  • W32/Nuwar@MM and Downloader-BAI (specific variant) (McAfee)
  • Troj/Dorf and Mal/Dorf (Sophos)
  • Trojan.DL.Tibs.Gen!Pac13[3]
  • Trojan.Downloader-647
  • Trojan.Peacomm (Symantec)
  • TROJ_SMALL.EDW (Trend Micro)
  • Win32/Nuwar (ESET)
  • Win32/Nuwar.N@MM!CME-711 (Windows Live OneCare)
  • W32/Zhelatin (F-Secure and Kaspersky)
  • Trojan.Peed, Trojan.Tibs (BitDefender)

The Storm Worm began attacking thousands of (mostly private) computers in Europe and the United States on Friday, January 19, 2007, using an e-mail message with a subject line about a recent weather disaster, “230 dead as storm batters Europe”.[6] During the weekend there were six subsequent waves of the attack.[7] As of January 22, 2007, the Storm Worm accounted for 8% of all malware infections globally.

There is evidence, according to PCWorld, that the Storm Worm was of Russian origin, possibly traceable to the Russian Business Network.
