The Storm That Created a Storm
The "Storm Trojan," a Trojan horse program detected by Trend Micro as TROJ_SMALL.EDW, appeared January 19, 2007, infecting PCs worldwide with the majority of infections occurring in the Asia Pacific region. It is a Web threat with multiple malware components that uses a rootkit to evade detection and ultimately works to create a peer-to-peer controlled botnet.
The Trojan arrives via two infection vectors:
- As a file dropped by other malware, specifically WORM_NUWAR.CQ, a mass-mailing worm that propagates using love-inspired subject lines. "The Miracle of Love," "My Perfect Love," and "A Bouquet of Love" are just some of the many possible subject lines.
- As a file attached to a spammed email whose subject line refers to current events, such as "230 Dead as Storm Batters Europe," to lure recipients into opening it. Other subject lines include: "A Killer at 11, He's Free at 21 to Kill Again"; "British Muslims Genocide"; and "U.S. Secretary of State Condoleeza Rice has Kicked German Chancellor Angela Merkel".
The email method of transmission relies on common social engineering techniques: headlines tied to current events and "love"-related subjects, possibly inspired by Valentine's Day. The aim is to entice users to open the attachment, which is presented as a video of the supposed news story. The malicious files use names such as Full Clip.exe, Full Story.exe, Full Video.exe, and Read More.exe.
According to Ivan Macalintal, Senior Threat Analyst at Trend Micro, although this Trojan uses common propagation techniques, it is unique in another respect. "This is one of the first Trojans we have seen that creates a large P2P (peer-to-peer) botnet. Typically botnets use IRC (Internet Relay Chat) for C&C (command and control) functions. With IRC botnets becoming more easily detectable, it appears malware writers are exploring new techniques."
Storm infections appear to have peaked on January 22, 2007, and began subsiding on January 23. Trend Micro recommends the following to protect businesses and consumers:
- Ensure you protect your PC and/or network with URL filtering, a rootkit scanner and an email scanner.
- If you are an IT administrator, help protect your users and network by blocking all the URLs listed on the Technical details page within Trend Micro's description of TROJ_SMALL.EDW.
- If you do not have sufficient URL filtering capability, block access to the URLs listed here. Only visit Web sites with which you are familiar, and do not download files from unknown sources.
- Do not open any emails or attachments from those you don't know. Do not open up executable files (.exe) attached to emails.
- If you want to be sure you have not been infected by this Trojan, run a manual scan with your updated Trend Micro product, or with HouseCall, Trend Micro's free online virus scanner. HouseCall is available here.
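As an added illustration of the filtering advice above (this is not Trend Micro's code or part of the original advisory), the following Python mail-gateway triage check holds any message whose subject matches one of the lure headlines quoted earlier or that carries an .exe attachment, including the Full Clip.exe / Read More.exe names. The sample messages, sender and recipient addresses are constructed for the example, and the attachment bytes are a harmless placeholder.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Lure subject lines and attachment names quoted in the advisory above (lower-cased).
LURE_SUBJECTS = {
    "230 dead as storm batters europe",
    "a killer at 11, he's free at 21 to kill again",
    "british muslims genocide",
    "the miracle of love",
    "my perfect love",
    "a bouquet of love",
}
LURE_ATTACHMENTS = {"full clip.exe", "full story.exe", "full video.exe", "read more.exe"}


def normalize_subject(subject: str) -> str:
    """Lower-case and strip Re:/Fw:/Fwd: prefixes so a forwarded lure still matches."""
    return re.sub(r"^(?:\s*(?:re|fw|fwd)\s*:)+\s*", "", subject.strip(), flags=re.I).lower()


def triage(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and report why it should be quarantined, if at all."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("subject", ""))
    reasons = []
    if normalize_subject(subject) in LURE_SUBJECTS:
        reasons.append("known Storm lure subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        if name.lower() in LURE_ATTACHMENTS:
            reasons.append(f"known Storm attachment name: {name}")
        elif name.lower().endswith(".exe"):
            reasons.append(f"executable attachment: {name}")
    return {"subject": subject, "quarantine": bool(reasons), "reasons": reasons}


def build_sample(subject: str, filename: str = "") -> bytes:
    """Build a constructed test message; addresses and attachment content are placeholders."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content("See the attached video.")
    if filename:
        msg.add_attachment(b"placeholder-not-malware", maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()
```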
For additional or updated information on this threat, see Trend Micro's Virus Encyclopedia.
For specific information on prevention and clean-up, see Trend's Solution information.
