Storm worm April Fool’s Day edition

Jose Nazario posted to the Arbor Networks Security Blog:

The Storm Worm is out and about with a new lure campaign, this one centered on the April Fool’s Day holiday tomorrow. The campaign appears to have started in the past few hours, and reports indicate it was in preparation for the past 24 hours or so. Example messages look like this:

Doh! April’s Fool. http:// 86.121.253.168/

So raw IPs as the URL. No major changes, but here are the specifics for this variant:

” Peerlist: C:WINDOWSaromis.config
” Installs as: C:WINDOWSaromis.exe
” As always, listens on a random UDP port, makes a lot of outbound connections, allows itself to the firewall via “netsh firewall set” and via the registry, uses w32tm to update its clock, and so on.