Talk:Storm Worm

This article is rated C-class on Wikipedia's content assessment scale. It is of interest to the following WikiProjects:

Computer Security: Computing Low‑importance This article is within the scope of WikiProject Computer Security, a collaborative effort to improve the coverage of computer security on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.Computer SecurityWikipedia:WikiProject Computer SecurityTemplate:WikiProject Computer SecurityComputer Security articles Low This article has been rated as Low-importance on the project's importance scale. This article is supported by WikiProject Computing. Things you can help WikiProject Computer Security with: Article alerts will be generated shortly by AAlertBot. Please allow some days for processing. More information... Answer question about Same-origin_policy Review importance and quality of existing articles Identify categories related to Computer Security Tag related articles Identify articles for creation (see also: Article requests) Identify articles for improvement Create the Project Navigation Box including lists of adopted articles, requested articles, reviewed articles, etc. Find editors who have shown interest in this subject and ask them to take a look here.

Whoever wrote "On April 1, 2008, a new storm worm was released onto the net, with April Fools-themed subject titles," where did you get your source? 168.28.180.30 (talk) 23:01, 2 April 2008 (UTC)anonymous[reply]

One part of this article suggests that this worm is distributed via email, but it then suggests that all versions of Windows are vulnerable. But I bet it's fine if you use Pine to check your email -- surely a vulnerable email client must be involved as well? Clarification needed, in my opinion. --RobertStar20 08:35, 18 August 2007 (UTC)[reply]

Not really. The worm is not distributed with the email - the email lures the reader into opening a link to a website which then infects your computer. The vulnerability is in the browser + the fact that they use basic social engineering to lure people. MartinDK 21:04, 30 August 2007 (UTC)[reply]

Not according to the article right now. It goes to great length to explain various email attachment based attacks. (and so does the MacAfe article on Dowloader-BAI) Either people are talking of two very different worms, or some people are distributing serious misinformation. Wefa 01:16, 5 September 2007 (UTC)[reply]

I know that popular culture has coined this as "Storm Worm",but technically, it's a Trojan downloader as it requires user interaction. http://www.f-secure.com/news/fs_news_20070119_1_eng.html -- DigitalSorceress 16:17, 7 September 2007 (UTC)[reply]

If you mean interaction from the botnet controller, that's correct. He has to manually order the Trojan to spam out new versions of itself every few days rather than it having any automated replication (which would classify it as a worm). However, there's not necessarily any interaction required from the victim, as the pages hosting the download use exploits that will automatically install the Trojan on vulnerable browsers.

The article mentions attachments because earlier versions of the Trojan used distribute it via attachments. Newer versions use web downloads, probably because web browsers are more likely to be vulnerable and not having it as an attachment stops the mail being blocked by anti-virus scanners. Deaf-mute 09:09, 8 September 2007 (UTC)[reply]

http://isc.sans.org/diary.html?storyid=3298

It's been hitting hard for a week at least. What's going on here? Isn't this thing dead yet? —The preceding unsigned comment was added by Bluefoxicy (talk • contribs) 18:06, August 21, 2007 (UTC).

How is the botnet controlled by the "owner" if there is no central server? Cryptographically signed messages? --Apoc2400 18:12, 7 September 2007 (UTC)[reply]

I'm guessing it's basically a tree. The central server sends a message to ~30 computers, these computers send messages to ~30 computers each, etc, until each computer receives a command. Now, I have no confirmation that this is how it works, I'm just guessing. ~ Oni Lukos _ct 02:12, 8 September 2007 (UTC)[reply]

The way in which the individual infected computers get controlled might be related to the way other decentralized anonymous networks like Freenet work. 172.158.18.163 08:31, 8 September 2007 (UTC)[reply]

The classic definition of a 'Worm' is a self-propagating malware. This malware is an email mass-mailing 'virus'. 66.129.224.36 18:04, 26 September 2007 (UTC) Dave Killion, CISSP[reply]

The technical definition of a virus is a parasitic, self-replicating program that requires a host file to exist. Storm isn't parasitic and doesn't self-replicate. It's a generally classified as a Trojan, bot or backdoor. —Preceding unsigned comment added by Deaf-mute (talk • contribs) 15:56, 6 October 2007 (UTC)[reply]

so how did it get to be called the Storm Worm? --71.116.133.208 15:50, 23 October 2007 (UTC)[reply]

Often it's hard for AV analysts to fully understand how something works in the time they have available to write protection for it. Someone may have assumed that Storm was replicating automatically rather than acting as a backdoor and spam tool. Deaf-mute 20:46, 23 October 2007 (UTC)[reply]

Since the Storm Worm isn't a worm, the article shouldn't refer to it as one. (ex: "The worm is also known as:")128.227.87.198 (talk) 14:08, 27 November 2007 (UTC)[reply]

Should this article be merged with Storm botnet, because that article is about the botnet that this worm creates? --ZeWrestler ^Talk 15:12, 29 September 2007 (UTC)[reply]

Yes. There isn't enough information in either article to separate them. 199.125.109.62 22:04, 10 October 2007 (UTC)[reply]

Yes, arent't they too related to motivate separate articles? --Apoc2400 18:12, 24 October 2007 (UTC)[reply]

I agree.128.227.87.198 (talk) 14:08, 27 November 2007 (UTC)[reply]

Perhaps this is a strange question to be left with, but the Storm Worm simply DOES an awful lot -- propagate by spam, network P2P-style, autonomously launch defensive DDoS attacks, detect virtual machines, etc. How large is the executable file? It can't be enormous to spread by email, but there's an awful lot of code at work. Can anyone find a citation on this? SpaceToast 21:14, 4 October 2007 (UTC)[reply]

Storm hasn't spread as an email attachment since very early in 2007. Later variants all spread via HTTP with a link in the email. The distributed executable may just be a downloader for the full suite of malware. —Preceding unsigned comment added by Deaf-mute (talk • contribs) 15:58, 6 October 2007 (UTC)[reply]

This website has a nice summary of the storm worm. http://www.schneier.com/crypto-gram-0710.html#1 —Preceding unsigned comment added by 12.168.6.143 (talk) 18:14, 16 October 2007 (UTC)[reply]

Could we move this article to Waledac. proof http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081231 —Preceding unsigned comment added by Rabbit67890 (talk • contribs) 03:10, 8 January 2009 (UTC)[reply]

Alright, I have a suggestion/request for a new section in the article on manually removing the virus. I think that it would be very helpful for the people who view the article. I know that I only came here to see if there might be any info on how to help my brother get rid of it, and I imagine that many other visitors come here for similar reasons. Now, I know that it could get a bit sticky, with the variants and what-not, however I assume that most of the variants operate in the same way, i.e.: Create directory 'x', place file 'y', start process 'z', etc. I understand that x, y and z would most likely have different names, in the different incarnations of the virus, however this would help identify patterns for people to look for, and then aid in removing it. Any thoughts? [[User:Mr.Vanker| Mr.Vanker]] (talk) 23:54, 11 November 2009 (UTC)[reply]