New infected Christmas e-cards signalled, giving you a Storm worm variant!

Hi malware fighters,

Storm worm has landed on thousands of computers again in the form of an e-card download; the actual payload is zhelatin.pe (a variant of Storm worm), while people think they are actually downloading a recent version of Adobe Media Player. See: http://www.cisrt.org/enblog/read.php?208
Next to the Christmas e-card, one is also tempted to download malware through a strip show from Mrs. Claus. That e-mail has various subjects, like for instance “Warm Up this Christmas” or “Your Secret Santa”. The link inside the message points to a website offering an .exe file.

The domain name used has been registered via nic.ru and is being hosted on a fast-flux network consisting of a minimum of 1000 nodes. Just like with other variants, the malware binary is being altered every 15 minutes.

polonus

This again illustrates the fact that you can’t just click on anything sent your way. Until this fact is instilled in the average user, there will always be an army of infected systems to contend with.
If you didn’t ask for it or you can’t verify its authenticity, consider it spam regardless of who sent it to you. :)

I really can get excited about these new variants of an old theme, when common sense and proactive measures would stand you in good stead. We can publish this sort of thing on forums like this and it is likely to have little effect, as hopefully those using this forum are already showing a degree of common sense.

Not opening attachments or clicking links in unsolicited emails without checking, checking, checking. VirusTotal, SiteAdvisor, DrWeb link checker, etc. etc.

avast! is already protecting users from this worm…

Hi RejZoR.

Just to be complete, I give the manual cleansing routine for zhelatin.pe variants:

Reboot the computer in Safe Mode (at the start of the boot sequence, press and hold F8, then choose Safe Mode from the Windows boot menu).

Delete the original worm file (the location will depend on how the program originally penetrated the victim machine).

Delete the following files:

%System%\alsys.exe
%System%\wincom32.ini
%System%\wincom32.sys

Delete all copies of the worm.

Delete the following system registry entries:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
“Agent” = “%System%\alsys.exe…”

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
“Agent” = “%System%\alsys.exe…”

Update your antivirus databases and perform a full scan of the computer.

That you may surf securely during Christmas is the wish of

polonus
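The manual routine above lists three files under %System% and an “Agent” value in the HKLM and HKCU Run keys. The following PowerShell function is an added example, not part of polonus’ post, that audits a Windows host for exactly those indicators and removes them only when explicitly asked to. It resolves %System% through .NET, reports matches as objects, and flags the “Agent” Run value only when it actually points at alsys.exe, so an unrelated program that happens to use the same value name is left alone. The function and parameter names are this example’s own; the paths and registry locations come from the post.

```powershell
# Added example (not from the forum post): audits a Windows host for the
# zhelatin.pe indicators listed above and removes them only when -Remove is given.
# Run from an elevated PowerShell prompt, ideally in Safe Mode as the post advises.
function Invoke-ZhelatinAudit {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [switch]$Remove   # without this switch the function only reports
    )

    # %System% in the post's notation is the Windows system directory.
    $system = [Environment]::GetFolderPath('System')
    $files  = @('alsys.exe', 'wincom32.ini', 'wincom32.sys') |
        ForEach-Object { Join-Path $system $_ }

    # Both Run keys named in the post; the value name in each is "Agent".
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    )

    $findings = @()

    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) {
            $findings += [pscustomobject]@{ Type = 'File'; Location = $f; Value = '' }
            if ($Remove -and $PSCmdlet.ShouldProcess($f, 'Remove file')) {
                Remove-Item -LiteralPath $f -Force
            }
        }
    }

    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        $agent = $props.PSObject.Properties['Agent']
        # Only flag an "Agent" value that points at alsys.exe, so a legitimate
        # program using the same value name is neither reported nor removed.
        if ($null -ne $agent -and $agent.Value -match 'alsys\.exe') {
            $findings += [pscustomobject]@{
                Type = 'Registry'; Location = "$key\Agent"; Value = $agent.Value
            }
            if ($Remove -and $PSCmdlet.ShouldProcess("$key\Agent", 'Remove Run value')) {
                Remove-ItemProperty -LiteralPath $key -Name 'Agent'
            }
        }
    }

    return $findings
}

# Report only (no changes made):
Invoke-ZhelatinAudit | Format-Table -AutoSize

# Remove the indicators once the report has been reviewed:
# Invoke-ZhelatinAudit -Remove
# Or preview what -Remove would do without touching anything:
# Invoke-ZhelatinAudit -Remove -WhatIf
```

Because the function declares SupportsShouldProcess, the built-in -WhatIf and -Confirm switches work with it, which gives a dry run before anything is deleted. The audit covers only the fixed indicators from the post; the “original worm file” whose location varies per infection still has to be found with an up-to-date antivirus scan, as the last step of the routine says.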