Talk:Storm Worm

Source needed
Whoever wrote "On April 1, 2008, a new storm worm was released onto the net, with April Fools-themed subject titles," where did you get your source? 168.28.180.30 (talk) 23:01, 2 April 2008 (UTC) anonymous

Surely only some email clients are vulnerable??
One part of this article suggests that this worm is distributed via email, but it then suggests that all versions of Windows are vulnerable. But I bet it's fine if you use Pine to check your email -- surely a vulnerable email client must be involved as well? Clarification needed, in my opinion. --RobertStar20 08:35, 18 August 2007 (UTC)
 * Not really. The worm is not distributed with the email - the email lures the reader into opening a link to a website which then infects your computer. The vulnerability is in the browser + the fact that they use basic social engineering to lure people. MartinDK 21:04, 30 August 2007 (UTC)
 * Not according to the article right now. It goes to great lengths to explain various email attachment based attacks. (and so does the McAfee article on Downloader-BAI) Either people are talking of two very different worms, or some people are distributing serious misinformation. Wefa 01:16, 5 September 2007 (UTC)
 * I know that popular culture has coined this as "Storm Worm", but technically, it's a Trojan downloader as it requires user interaction. http://www.f-secure.com/news/fs_news_20070119_1_eng.html -- DigitalSorceress 16:17, 7 September 2007 (UTC)
 * If you mean interaction from the botnet controller, that's correct. He has to manually order the Trojan to spam out new versions of itself every few days rather than it having any automated replication (which would classify it as a worm). However, there's not necessarily any interaction required from the victim, as the pages hosting the download use exploits that will automatically install the Trojan on vulnerable browsers.
 * The article mentions attachments because earlier versions of the Trojan were distributed via attachments. Newer versions use web downloads, probably because web browsers are more likely to be vulnerable and not having it as an attachment stops the mail being blocked by anti-virus scanners. Deaf-mute 09:09, 8 September 2007 (UTC)

Second wave...
http://isc.sans.org/diary.html?storyid=3298

It's been hitting hard for a week at least. What's going on here? Isn't this thing dead yet? —The preceding unsigned comment was added by Bluefoxicy (talk • contribs).

How is the botnet controlled?
How is the botnet controlled by the "owner" if there is no central server? Cryptographically signed messages? --Apoc2400 18:12, 7 September 2007 (UTC)
 * I'm guessing it's basically a tree. The central server sends a message to ~30 computers, these computers send messages to ~30 computers each, etc, until each computer receives a command. Now, I have no confirmation that this is how it works, I'm just guessing. ~ Oni Lukos ct 02:12, 8 September 2007 (UTC)
 * The way in which the individual infected computers get controlled might be related to the way other decentralized anonymous networks like Freenet work. 172.158.18.163 08:31, 8 September 2007 (UTC)

"Worm" is a misnomer...
The classic definition of a 'Worm' is a self-propagating malware. This malware is an email mass-mailing 'virus'. 66.129.224.36 18:04, 26 September 2007 (UTC) Dave Killion, CISSP
 * The technical definition of a virus is a parasitic, self-replicating program that requires a host file to exist. Storm isn't parasitic and doesn't self-replicate. It's generally classified as a Trojan, bot or backdoor. —Preceding unsigned comment added by Deaf-mute (talk • contribs) 15:56, 6 October 2007 (UTC)
 * so how did it get to be called the Storm Worm? --71.116.133.208 15:50, 23 October 2007 (UTC)
 * Often it's hard for AV analysts to fully understand how something works in the time they have available to write protection for it. Someone may have assumed that Storm was replicating automatically rather than acting as a backdoor and spam tool. Deaf-mute 20:46, 23 October 2007 (UTC)
 * Since the Storm Worm isn't a worm, the article shouldn't refer to it as one. (ex: "The worm is also known as:") 128.227.87.198 (talk) 14:08, 27 November 2007 (UTC)

Merge?
Should this article be merged with Storm botnet, because that article is about the botnet that this worm creates? -- ZeWrestler  Talk 15:12, 29 September 2007 (UTC)
 * Yes. There isn't enough information in either article to separate them. 199.125.109.62 22:04, 10 October 2007 (UTC)
 * Yes, aren't they too related to motivate separate articles? --Apoc2400 18:12, 24 October 2007 (UTC)
 * I agree. 128.227.87.198 (talk) 14:08, 27 November 2007 (UTC)

Size of Executable
Perhaps this is a strange question to be left with, but the Storm Worm simply DOES an awful lot -- propagate by spam, network P2P-style, autonomously launch defensive DDoS attacks, detect virtual machines, etc. How large is the executable file? It can't be enormous to spread by email, but there's an awful lot of code at work. Can anyone find a citation on this? SpaceToast 21:14, 4 October 2007 (UTC)
 * Storm hasn't spread as an email attachment since very early in 2007. Later variants all spread via HTTP with a link in the email. The distributed executable may just be a downloader for the full suite of malware. —Preceding unsigned comment added by Deaf-mute (talk • contribs) 15:58, 6 October 2007 (UTC)

Nice Reference
This website has a nice summary of the storm worm. http://www.schneier.com/crypto-gram-0710.html#1 —Preceding unsigned comment added by 12.168.6.143 (talk) 18:14, 16 October 2007 (UTC)

Move
Could we move this article to Waledac? Proof: http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081231 —Preceding unsigned comment added by Rabbit67890 (talk • contribs) 03:10, 8 January 2009 (UTC)

Manual Removal
Alright, I have a suggestion/request for a new section in the article on manually removing the virus. I think that it would be very helpful for the people who view the article. I know that I only came here to see if there might be any info on how to help my brother get rid of it, and I imagine that many other visitors come here for similar reasons. Now, I know that it could get a bit sticky, with the variants and what-not, however I assume that most of the variants operate in the same way, i.e.: Create directory 'x', place file 'y', start process 'z', etc. I understand that x, y and z would most likely have different names, in the different incarnations of the virus, however this would help identify patterns for people to look for, and then aid in removing it. Any thoughts? [[User:Mr.Vanker| Mr.Vanker]] (talk) 23:54, 11 November 2009 (UTC)