Storm Worm detected (UDP_Storm_Worm)

About this signature or vulnerability

IBM Security Server Protection for Windows, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS, BlackICE PC Protection, BlackICE Server Protection, RealSecure Network, RealSecure Server Sensor, Proventia Desktop, Proventia Network IPS, Proventia Server IPS for Linux technology, Virtual Server Protection for Vmware:

This signature detects Storm Worm encrypted UDP publicize messages. The number of hosts and ports required to trigger this signature is 'pam.udp.stormworm.count' (default 30), and the interval in which probes are analysed is 'pam.udp.stormworm.interval' (default 60) seconds.
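
The threshold and interval logic described above, as an added illustration (not IBM/ISS code): a sliding-window counter that raises one alert per source host once it has sent publicize messages to `count` distinct destination host/port pairs inside any `interval`-second window. It assumes the probes have already been classified as Storm Worm publicize traffic by upstream inspection, which this page does not describe; the record format, IP addresses and ports are constructed for the example.

```python
from collections import defaultdict, deque

# Tunable defaults taken from this signature page.
STORMWORM_COUNT = 30     # pam.udp.stormworm.count
STORMWORM_INTERVAL = 60  # pam.udp.stormworm.interval, in seconds

# Constructed sample of UDP probes already classified as Storm Worm publicize
# messages: (timestamp_seconds, src_ip, dst_ip, dst_port). Format is assumed.
SAMPLE_PROBES = (
    # 30 distinct peers within 30 s: should alert at t=30
    [(t, "10.0.0.5", f"192.0.2.{t}", 7800 + t) for t in range(1, 31)]
    # one peer contacted 39 times: no alert, only one distinct host/port
    + [(t, "10.0.0.9", "198.51.100.7", 4000) for t in range(1, 40)]
    # 30 distinct peers spread over 150 s: never 30 inside a 60 s window
    + [(5 * t, "10.0.0.12", f"203.0.113.{t}", 9000 + t) for t in range(1, 31)]
)


def stormworm_alerts(probes, count=STORMWORM_COUNT, interval=STORMWORM_INTERVAL):
    """Return [(timestamp, src_ip), ...]: one alert per source host, the first
    time it reaches `count` distinct (dst_ip, dst_port) pairs within `interval`
    seconds. Probes are processed in timestamp order."""
    windows = defaultdict(deque)  # src_ip -> deque of (ts, (dst_ip, dst_port))
    alerted = set()
    alerts = []
    for ts, src, dst, port in sorted(probes, key=lambda p: p[0]):
        if src in alerted:
            continue  # already reported this host; no need to keep counting
        win = windows[src]
        win.append((ts, (dst, port)))
        # expire probes older than the analysis interval
        while win and ts - win[0][0] > interval:
            win.popleft()
        distinct_peers = {peer for _, peer in win}
        if len(distinct_peers) >= count:
            alerts.append((ts, src))
            alerted.add(src)
            windows.pop(src)  # release the window once the host is reported
    return alerts
```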


Default risk level

High

Sensors that have this signature

IBM Security Server Protection for Windows: 1.0.914.2180
IBM Security Server Protection for Windows: 2.0.252.2180
IBM Security Server Protection for Windows: 2.1.14.2400
Proventia Network IDS: XPU 28.040
Proventia-G 1.1 and earlier: XPU 28.040
Proventia Network MFS: XPU 28.040
BlackICE PC Protection: 3.6cqx
BlackICE Server Protection: 3.6.cqx
RealSecure Network: XPU 28.040
RealSecure Server Sensor: XPU 28.040
Proventia Desktop: 2180
Proventia Network IPS: XPU 28.040
Proventia Server IPS for Linux technology: 28.040
Virtual Server Protection for Vmware: 1.0

Systems affected

Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows Vista

Type

Unauthorized Access Attempt

Vulnerability description

The Storm Worm is a mass-mailing email worm that sends a Trojan dropper via a malicious email message. Once executed, the Trojan installs a rootkit and causes the infected system to become part of a botnet. The Storm Worm is also known by the following names:

How to remove this vulnerability

Use an up-to-date antivirus program to determine if the target computer is host to the Storm worm. If the program detects a backdoor, follow its instructions to disinfect and repair the computer.

References

Windows Live OneCare Web site
Virus Encyclopedia: Worm:Win32/Nuwar.N@mm!CME-711
http://onecare.live.com/standard/en-us/virusenc/VirusEncInfo.htm?VirusID=8470957

Common Malware Enumeration (CME) - CME List
CME-711 is a Trojan Downloader that is spread as an attachment to emails with news headlines as the subject lines, and which downloads additional security threats
http://cme.mitre.org/data/list.html

ISS X-Force
Storm Worm detected
http://www.iss.net/security_center/static/40812.php