
Thread: storm worm virus

  1. #1
    Join Date
    Dec 2007
    Posts
    263

    storm worm virus

    I just recently received this email & don't know if it is true?

    You should be alert during the next few days. Do not open any message with an attachment entitled 'Invitation' OR ONE CALLED 'POSTCARD,' regardless of who sent it to you. It is a virus which opens an Olympic Torch OR A POSTCARD IMAGE, which 'burns' the whole hard disc C of your computer. This virus will be received from someone who has your e-mail address in his/her contact list.
    Every week I run my antivirus which is up to date & am not sure if this has to do something with it or not?
    Thanks for any info.

  2. #2
    Join Date
    Jan 2006
    Posts
    4,221
    It sounds to me like the hoax virus, which is very old.

    More info about it here: http://antivirus.about.com/od/emailh...invitation.htm

  3. #3
    Join Date
    Jan 2006
    Posts
    2,257
    In any case if you get this kinda virus follow the instructions below to remove it.

    HOW TO REMOVE STORM

    How can I verify my computer is infected?

    UCSD's Network Security team compiles and monitors a list of IP addresses of computers on the Internet known to be infected with Storm Worm. This list is being compared with the logs of computers that have been visiting one of several UCSD sites, such as Tritonlink. If you get redirected to a "Storm Worm Alert" page when you try to visit Tritonlink (or any other UCSD sites using Single Sign On authentication), the IP that your computer is associated with is on our list of Storm Worm infected machines.

    However, if you get redirected to a "Storm Worm Alert" page and you are at home with multiple computers connected online, the computer you use may not actually be infected. Home computers are typically behind a router. When you connect from a shared network connection such as this, all computers behind the router will appear to have the same public IP address. If you have been redirected here when you try to access Tritonlink, there is at least one infected computer on your shared network. The only way to find out which computers are infected is to run an antivirus program on all of your home computers.

    Antivirus programs are currently unable to completely identify the Storm Worm virus/bot, but will identify parts of it. If your antivirus program finds anything from this following list on your computer, you have been infected by Storm Worm and you must address the problem immediately:

    Agent
    Crypt.XPACK
    Dorf
    Downloader-BAI
    Dropper.gen6
    Fathom
    Fuclip
    Groan
    Killer.Ecard
    Nuwar
    Packed.13
    Packed.142
    Packed.145
    Peacoan
    Peacomm
    Peed
    Rootkit.47744
    Rootkit.dam
    Sintun
    Small
    Sploder
    Stormworm
    Tibs
    Trojan.Spambot
    TR/Patched
    Win32.Spamtool
    Zhelatin

    What do I do if my computer has Storm Worm?

    There are two options for securing your computer if it is infected with Storm Worm:

    -Remove the virus. There are three ways to do this:

    1. Some variations will be detected and removed by the latest Microsoft
    Windows Update. Run Windows Update and install the latest patches, or
    specifically, download and install the September Microsoft Windows Software
    Removal Tool at the Microsoft Download Center. More information can be found
    on Microsoft's Knowledgebase Article 890830.

    2. Some antivirus software with updated virus definition files may be able to
    detect and remove parts of the Storm Worm viruses.

    3. If the first two methods fail to remove the virus, you can contact ResNet
    to have a technician help you remove it. Whether you bring in your machine
    to our Helpdesk or you schedule an appointment to have a technician come to
    your location, Storm Worm removal typically takes up to 30 minutes. Newer
    variations will require someone trained in removing the Storm Worm virus.

    -Reformat your computer. This involves wiping all your data off of the hard
    drive and reinstalling your operating system. We strongly recommend you
    enlist the help of a computer specialist if you feel you will not be
    comfortable following step-by-step instructions. Some large computer chain
    stores provide this kind of service (CompUSA's "Techknowledgists" and Best
    Buy's "Geek Squad").

    source: geekdeep.blogspot.com
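
Added example, not part of the post above or of its source: a small triage script that checks antivirus detection names against the list quoted in post #3, matching whole name tokens so that "Small" does not hit "Smallpox". The log line format, the sample detections and the weak/strong split are assumptions made for this example.

```python
import re

# Detection-name fragments copied from the list in post #3.
STORM_NAMES = """Agent Crypt.XPACK Dorf Downloader-BAI Dropper.gen6 Fathom Fuclip
Groan Killer.Ecard Nuwar Packed.13 Packed.142 Packed.145 Peacoan Peacomm Peed
Rootkit.47744 Rootkit.dam Sintun Small Sploder Stormworm Tibs Trojan.Spambot
TR/Patched Win32.Spamtool Zhelatin""".split()

# Assumption of this example: "Agent" and "Small" are catch-all labels that
# vendors also give to unrelated malware, so a hit on them alone is "weak".
LOW_SPECIFICITY = {"Agent", "Small"}

def _pattern(name):
    # Case-insensitive whole-token match: the fragment may not be glued to
    # neighbouring letters or digits ("Packed.13" must not match "Packed.131").
    return re.compile(r"(?<![A-Za-z0-9])" + re.escape(name) + r"(?![A-Za-z0-9])", re.I)

PATTERNS = [(name, _pattern(name)) for name in STORM_NAMES]

def matched_names(detection):
    """Return the list entries that appear as whole tokens in a detection name."""
    return [name for name, pat in PATTERNS if pat.search(detection)]

def triage(log_lines):
    """Sort '<path> -> <detection>' lines (constructed format) into three buckets."""
    report = {"strong": [], "weak": [], "unrelated": []}
    for line in log_lines:
        path, _, detection = line.partition(" -> ")
        hits = matched_names(detection.strip())
        if any(h not in LOW_SPECIFICITY for h in hits):
            bucket = "strong"
        elif hits:
            bucket = "weak"
        else:
            bucket = "unrelated"
        report[bucket].append((path.strip(), detection.strip(), hits))
    return report

# Constructed sample scan output, not taken from a real scanner.
SAMPLE_LOG = [
    r"C:\WINDOWS\system32\a.sys -> Trojan.Peacomm.D",
    r"C:\Temp\ecard.exe -> Email-Worm.Win32.Zhelatin.pd",
    r"C:\Temp\dl.exe -> Trojan-Downloader.Win32.Small.xyz",
    r"C:\Temp\x.exe -> Win32/Smallpox.A",
    r"C:\Temp\p.exe -> Packed.131",
]

if __name__ == "__main__":
    for bucket, rows in triage(SAMPLE_LOG).items():
        print(bucket, rows)
```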

  4. #4
    Join Date
    Jan 2006
    Posts
    605
    Overview -

    This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


    Characteristics -

    This worm arrives as a self-extracting ARJ archive 3342142 bytes long. The archive contains a copy of a Java environment, plus several .CLA files which perform the main worm functions. A BAT file executes the worm on startup. It tries to perform a denial of service against microsoft.com and mailbomb gates@microsoft.com.

    Symptoms -
    System slowdown.

    Method of Infection -
    The worm scans random addresses for unprotected Microsoft IIS servers. It attempts to use an exploit to run its code on the server. If it succeeds it will extract the ARJ file to the c:\winnt\system32\storm directory and add a registry key to run c:\winnt\system32\storm\start.bat

    Removal -
    All Users :
    Script, Batch, Macro and non memory-resident:
    Use current engine and DAT files for detection and removal.


    PE, Trojan, Internet Worm and memory resident:
    Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner:

    SCANPM /ADL /CLEAN /ALL

    Additional Windows ME/XP removal considerations

    Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other mediums where users can share files.

    Source: vil.nai.com
