Storm worm

Does anyone have a copy of this widespread worm?
Thanks

Never mind, I got it by search. Thanks.

Misc Info About Storm Worm, and MD5s of Known Samples.

These are my hastily edited notes:

Outside References:
http://en.wikipedia.org/wiki/Storm_Worm and
http://www.symantec.com/enterprise/security_response/weblog/2007/01/trojanpeacomm_building_a_peert.html

(The Symantec one is for a different worm than this. The Storm Worm(s)
that I ran like to use ports 7871 the most, followed by 4667, and then
random ports between 2345 and 62624 (whatever those eDonkey peers had set
their clients to use.))

There's a file in the worm that's basically this:

[counter]
Counter=0
[peers]
00cfed21483926536128f06ceb479d8a=ACCCD8EE150B00
019fc63b3137a6806e5fcd70b1a5139a=9A25428D1EBF00
2d32b3f2a0476d167929bf7e6d0c1aa2=543F05B2177201
2d736cb7f396677aa569f61a9994bca2=D51AD5961A7500
2d8103bfe0756a2a5798ea2a1d7bebe8=A135A605177F00
2d8aae15f6e40821c9031084a28b4cae=52EE4FD51E0200
2daf33b3329cf8e09df3ea7f95534dd8=53FE44ED297B00
305dcc2c31a4f7249edf011ac494aef0=9A2542751EBF00
[ etc. ... ]

Which is exactly an eDonkey peer list. All of the UDP packets are
"eDonkey Publicize File" announcements.
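The peer-list format quoted above, parsed as an added example that is not from the post or from any tool the poster used. It reads the [peers] section and decodes each 14-hex-digit value assuming the layout 4-byte IPv4 address, 2-byte big-endian port, 1-byte flag; that layout is an assumption here, though it agrees with the post's remark that 7871 is the most-used port (the value 9A25428D1EBF00 ends in 1EBF = 7871). The sample input is the fragment quoted above, minus the "[ etc. ... ]" placeholder; the output is the kind of IP:port list the poster mentions collecting, suitable for a block list or IDS rule rather than for contacting anything.

```python
"""Decode a Storm/Peacomm-style eDonkey peer list into IP:port records (added example)."""
import ipaddress
import re
from typing import NamedTuple

# Fragment of the peer-list file quoted in the post (constructed input for this example).
SAMPLE = """\
[counter]
Counter=0
[peers]
00cfed21483926536128f06ceb479d8a=ACCCD8EE150B00
019fc63b3137a6806e5fcd70b1a5139a=9A25428D1EBF00
2d32b3f2a0476d167929bf7e6d0c1aa2=543F05B2177201
2d736cb7f396677aa569f61a9994bca2=D51AD5961A7500
2d8103bfe0756a2a5798ea2a1d7bebe8=A135A605177F00
2d8aae15f6e40821c9031084a28b4cae=52EE4FD51E0200
2daf33b3329cf8e09df3ea7f95534dd8=53FE44ED297B00
305dcc2c31a4f7249edf011ac494aef0=9A2542751EBF00
"""

HASH_RE = re.compile(r"^[0-9a-fA-F]{32}$")   # 128-bit peer id, written as 32 hex digits
VALUE_RE = re.compile(r"^[0-9a-fA-F]{14}$")  # 7 bytes, written as 14 hex digits


class Peer(NamedTuple):
    peer_id: str
    ip: str
    port: int
    flag: int


def decode_peer_value(value: str) -> tuple[str, int, int]:
    """ASSUMED layout of the 7-byte value: IPv4 (4 bytes), port (2 bytes, big-endian), flag (1 byte)."""
    if not VALUE_RE.match(value):
        raise ValueError(f"unexpected peer value: {value!r}")
    raw = bytes.fromhex(value)
    ip = str(ipaddress.IPv4Address(raw[:4]))
    port = int.from_bytes(raw[4:6], "big")
    flag = raw[6]
    return ip, port, flag


def parse_peer_list(text: str) -> list[Peer]:
    """Return the entries of the [peers] section; other sections (e.g. [counter]) are ignored."""
    peers: list[Peer] = []
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "peers":
            continue
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if not sep or not HASH_RE.match(key):
            continue  # hand-edited or truncated line: skip it rather than abort the whole file
        ip, port, flag = decode_peer_value(value.strip())
        peers.append(Peer(key, ip, port, flag))
    return peers


def port_histogram(peers: list[Peer]) -> dict[int, int]:
    """Port -> number of peers, most common first (the post observed 7871 as the top port)."""
    counts: dict[int, int] = {}
    for p in peers:
        counts[p.port] = counts.get(p.port, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


def endpoints(peers: list[Peer]) -> list[str]:
    """Unique 'ip:port' strings, sorted, e.g. for a block list or an IDS watch list."""
    return sorted({f"{p.ip}:{p.port}" for p in peers})


if __name__ == "__main__":
    decoded = parse_peer_list(SAMPLE)
    for p in decoded:
        print(f"{p.peer_id}  {p.ip}:{p.port}  flag={p.flag}")
    print("ports:", port_histogram(decoded))
    print("endpoints:", endpoints(decoded))
```

Running the block prints one line per peer; the first entry decodes to 172.204.216.238:5387 and the two values ending in 1EBF decode to port 7871. Because UDP announcements to these endpoints are what the sandnet captures show, the endpoint list is the natural thing to compare against outbound traffic from a suspect host.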

01a1115bcb0d5e32a98c76a50ac8868d This one didn't work in my sandnet.
15362ba7c244b409e18b0ed2fa9dcbfd This one spews eDonkey packets.
2690518a0afdc6c60b0681650a2b0512 This one spews eDonkey packets too.
3860247b57bfd246eb00fc52c1ea3bea This one didn't work.
555584729f9eae43df434ecac856ef25 This one spews eDonkey.
6183982ddd26c2b9551bceddcc934d81 This one didn't work.
6b9721d5bde2b987b593f6306d6b049c This one spews eDonkey.
94af7e370156298525bcb3e8b3830c5e This one spews eDonkey too.
e8a0b134e8be2fb175c0efd00ee05d66 Spew Spew Spew.
fe606f76fa6a0723ab8a93fabea28ab1 Spew Spew Spew Spew.

The .EXEs that didn't work might just be because the packer crashes on Win2K SP0 or something. (That's what I was running in my sandnet.) I have lists of IP:PORTs for each of these samples, but you can just run them to gather the same data.

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*