Storm Trojan's second wave arrives like a missile

January 19, 2007 Sophos Press Release

Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have warned that the hackers behind the widespread "Storm Trojan" which was spammed widely across the internet on Friday 19 June have now renewed their activities using a new piece of malware, Troj/Dorf-Fam.

Sophos began to see evidence via its global network of spamtraps at 21:52 GMT of the new malware distribution. These latest spam messages, which have a malicious email attachment, have been sighted being sent from computers in 80 different countries so far including USA, Turkey, South Korea, France, Germany, United Kingdom and Brazil.

Subject lines seen so far include:

Attached to each email is a file with one of the following names: Full Clip.exe, Full News.exe, Full Story.exe, Full Text.exe, Full Video.exe, Read More.exe, or Video.exe.

"Many of these subject lines are referring to today's controversial news that China shot down one of its own satellites with a medium-range ballistic missile last week," said Graham Cluley, senior technology consultant for Sophos. "It's clear that the hackers behind these attacks are using breaking news stories to tempt computer users into clicking on the dangerous attachments. But if you launch the attached program you are putting your PC and your finances at risk - hackers will break in, steal and cause havoc if they gain access to your computer."

Sophos's gateway products have been updated to detect the messages as spam, preventing them from reaching users' desktops.

Experts at SophosLabs have also issued protection against the malware, calling it Troj/Dorf-Fam.

Customers are advised to ensure that they have automatic updates enabled, and never open unsolicited email attachments, to ensure the highest level of protection. Businesses are advised to consider implementing a policy at their email gateway which quarantines executable attachments sent into their business from the outside world.
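One way an email gateway could apply the executable-attachment quarantine policy recommended above, written here as an added example rather than Sophos's own code; the set of extensions treated as executable, the sample message and its addresses are constructed assumptions, and the attachment names mirror those listed for this campaign:

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Assumption (not from the press release): extensions the gateway treats as executable.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}


def executable_attachments(raw_message: bytes) -> list[str]:
    """Return the filenames of attachments whose final extension is executable."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # Only the last extension counts: "Full Story.txt.exe" is still an .exe,
        # and the comparison is case-insensitive so "Video.EXE" is caught too.
        if PurePosixPath(name).suffix.lower() in EXECUTABLE_EXTENSIONS:
            found.append(name)
    return found


def should_quarantine(raw_message: bytes) -> bool:
    """Gateway decision: any executable attachment arriving from outside is quarantined."""
    return bool(executable_attachments(raw_message))


def build_sample(attachment_name: str, subject: str = "Breaking news") -> bytes:
    """Construct a test message shaped like the campaign's emails (sample data, not a capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"      # constructed address
    msg["To"] = "user@example.org"          # constructed address
    msg["Subject"] = subject
    msg.set_content("See the attached file for the full story.")
    # Dummy payload; only the filename and disposition matter to the policy check.
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name in ["Full Clip.exe", "Read More.exe", "Video.EXE", "notes.txt"]:
        print(f"{name}: quarantine={should_quarantine(build_sample(name))}")
```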

"With most people having left work for the weekend, this latest wave of attack is more likely to strike hard on consumers' PCs rather than businesses who at least have until Monday to ensure their virus defenses are up-to-date," continued Cluley. "The gang behind this criminal attack may be relying precisely on the fact that home users tend to be more laid back about updating their anti-virus protection."

Sophos recommends companies automatically update their corporate virus protection, and run a consolidated solution at the email gateway to defend against malware, spyware and spam.