
Storm Worm/Zhelatin - A very dangerous April Fools joke that’s on you

// March 31st, 2008 // Malware Related, Spam related, Storm Worm

With April fools fast approaching, the gang behind the storm worm/zhelatin malware has made a reappearance.

There is currently a large amount of spam doing the rounds, pointing to malicious domains hosting the storm worm malware, some of which has also made it into my spamtrap/honeypot.

Currently, the two files being touted (at least from the domain I visited) are kickme.exe and foolsday.exe and funny.exe, all incarnations of the storm worm/zhelatin trojan which are very badly detected by the major AV companies.

Users visiting the websites serving storm worm will probably be greeted with an image similar to the one below:

(image: Storm worm April Fools website)

…before the storm worm is downloaded to their computer.

AV detection results for the samples I recovered (kickme.exe and foolsday.exe) are not inspiring at the moment, although vendors should be pushing signatures for this latest batch of storm worm in the very near future.

(image: antivirus detection results)

As you might expect, the April Fool is most definitely on you: executing the files found on this website will lead to the zombification of your computer and exclusive membership of the storm worm botnet, leaving your computer at the command of the storm worm gang… bad news for you and me, very good news for them :(

Advice at the moment is to be very cautious of emails offering some sort of April Fools joke/card/download and to bin them, especially if they come from an email address you do not recognise.

Once executed, Storm Worm drops the file C:\WINDOWS\aromis.exe and then punches a hole through the built-in Windows Firewall by registering itself as an allowed program. This takes a single netsh command, which amounts to creating one registry value under the firewall’s authorized applications list:

netsh firewall set allowedprogram "C:\WINDOWS\aromis.exe" enable

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List  C:\WINDOWS\aromis.exe  C:\WINDOWS\aromis.exe:*:Enabled:enable

and then it sits listening on a random port for instructions from the botnet master. Your computer is by this stage under their control.
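That registry value is easy to audit after the fact. The following Python checker is an added example, not code from the original post: it parses the AuthorizedApplications\List entries out of a .reg export of that key (the export below is constructed; only the aromis.exe line mirrors the entry described above) and flags exceptions that are enabled for every network from the Windows directory root, or whose value name disagrees with the path stored in the data.

```python
import re
from typing import Dict, List, NamedTuple
# Constructed sample .reg export of the XP-era firewall exception list. Only the
# aromis.exe line mirrors the entry described in the post; the rest are made up.
SAMPLE_REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\aromis.exe"="C:\\WINDOWS\\aromis.exe:*:Enabled:enable"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:LocalSubNet:Disabled:Firefox"
'''

# A .reg value line is "name"="data", with '\' escaping backslashes and quotes.
REG_LINE_RE = re.compile(r'^"(?P<value>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')
# Data is <path>:<scope>:<Enabled|Disabled>:<name>; the path carries its own drive colon.
ENTRY_RE = re.compile(r'^(?P<path>(?:[A-Za-z]:)?[^:]*):(?P<scope>[^:]*):(?P<status>Enabled|Disabled):(?P<name>.*)$')

class FirewallException(NamedTuple):
    value_name: str
    path: str
    scope: str          # '*' = every network; otherwise LocalSubNet or an address list
    status: str         # 'Enabled' or 'Disabled'
    display_name: str

def _unescape(text: str) -> str:
    return text.replace('\\\\', '\\').replace('\\"', '"')

def parse_exception_list(reg_text: str) -> List[FirewallException]:
    entries = []
    for line in reg_text.splitlines():
        m = REG_LINE_RE.match(line.strip())
        e = ENTRY_RE.match(_unescape(m['data'])) if m else None
        if e:  # skips the key header, blank lines and values in an unknown format
            entries.append(FirewallException(_unescape(m['value']), e['path'],
                                             e['scope'], e['status'], e['name']))
    return entries

def suspicious_exceptions(entries: List[FirewallException],
                          windir: str = 'C:\\WINDOWS') -> Dict[str, List[str]]:
    """Flag self-whitelisting droppers like aromis.exe, keyed by the path in the data."""
    findings: Dict[str, List[str]] = {}
    for ent in entries:
        reasons = []
        if (ent.status == 'Enabled' and ent.scope == '*'
                and ent.path.rsplit('\\', 1)[0].lower() == windir.lower()):
            reasons.append('enabled for all networks from the Windows directory root')
        if ent.value_name.lower() != ent.path.lower():
            reasons.append('value name does not match the path in the data')
        if reasons:
            findings[ent.path] = reasons
    return findings
```

Feed it the output of `reg export` for that key on a machine you suspect, and compare the flagged paths against what you expect to be legitimately listening.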

Kaspersky Lab’s virus analysts have just confirmed the presence of malware in those two files and will be pushing an update for it within the hour. If you are infected, I would advise a free trial download of Kaspersky Anti-Virus from http://www.kaspersky.com/trials, which will deal with the infection nicely after a My Computer scan :) (Consider buying it if it helps you cure the infection; developers need support too!)

A sandbox analysis of the two samples I have tested can be found here:

http://analysis.seclab.tuwien.ac.at/result.php?taskid=1b30cd8f5c2fd554955af4f1f02e78ed&refresh=1

http://analysis.seclab.tuwien.ac.at/result.php?taskid=d32a8ddac8e00534611f130f6126bce4&refresh=1

(Credits to SECLAB @ Vienna University of Technology for their awesome tool)

Credits for heads up to Alex Eckelberry of Sunbelt Software and Jose Nazario from Arbor Networks