Computing at Cornell Security

Security Alert: Stormworm trojan horse affecting Windows computers on campus 8/17/07

Stormworm, a trojan horse that affects computers running Windows 2000, XP, or Vista, has been found at Cornell. (Symantec calls it "Trojan.Peacomm".)

** Please exercise extreme caution when viewing unsolicited e-mail, and make sure your Symantec AntiVirus definitions are up to date. **

Stormworm propagates via an e-mail message that contains misleading content and a link to an electronic greeting card, postcard, news video, or similar.

When the link in the message is visited, Stormworm downloads itself from one of thousands of possible computers on the Internet, sets up residence, and awaits further instructions.

Because it relies on social engineering and the e-mail message itself contains no hostile payload, the university's traditional e-mail virus scanning is ineffective. As always, unsolicited e-mail should be regarded with great suspicion.

Symantec AntiVirus is available to all members of the campus community at no charge via Bear Access or at:

http://www.cit.cornell.edu/software/downloads/antivirus/

For more information about protecting your computer from e-mail worms and viruses, see:

http://www.cit.cornell.edu/security/emailvirus.html

* More details

Stormworm was identified in January 2007 by F-Secure, the Finnish security company that performed the first analysis.

In contrast to conventional botnets, where a small handful of controllers manage a large number of compromised systems, Stormworm forms a peer-to-peer botnet involving dozens or hundreds of similar compromised systems in a manner designed to confound conventional detection and protective efforts. Management of the compromised computers is not done through centralized servers, but distributed throughout the network.

Stormworm propagates through social engineering rather than exploitation of weaknesses in the Windows operating system or software. Unsolicited e-mail ("spam") arrives bearing a sensational, controversial, or misleading subject and a link.

The link appears to be to an electronic greeting card, postcard, news video, or similar innocuous source. When the link is visited, Stormworm installs itself, joins its peer-to-peer network, and awaits instructions. Compromised systems have been used as the source of additional spam, denial of service attacks, and various other disruptive activities.
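The advisory's point (here and in the summary above) is that the message carries only a lure and a link, so attachment-oriented virus scanning has nothing to match; a filter has to reason about the wording and the link instead. The Python below is an added example of such content- and link-aware triage, not Cornell CIT or Symantec code; the scoring weights, the bare-IP-address rule, the known-sender list and the two sample messages are constructed assumptions.

```python
"""Heuristic triage of lure e-mails like those the advisory describes.

Added example; not Cornell CIT code. Scoring weights, the IP-literal
rule, the sender allow-list and the sample messages are constructed.
"""
import re
from email import message_from_string
from urllib.parse import urlparse

# Lure themes the advisory names: greeting cards, postcards, news videos.
LURE_RE = re.compile(
    r"\b(greeting card|e-?card|postcard|news video|video clip)\b", re.I
)
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

QUARANTINE_THRESHOLD = 3  # assumption: tune to local false-positive tolerance


def extract_text(msg):
    """Concatenate the text/plain and text/html bodies of a parsed message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def score_message(raw_message, known_senders=()):
    """Return (score, reasons) for a raw RFC 822 message string.

    Rules (constructed heuristics, not malware signatures):
      +2  lure wording (e-card, postcard, news video) appears together with a link
      +2  per link whose host is a bare IPv4 address rather than a host name
      +1  sender address is not on the local list of known correspondents
    """
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    body = extract_text(msg)
    links = URL_RE.findall(body)
    score, reasons = 0, []

    if links and LURE_RE.search(subject + "\n" + body):
        score += 2
        reasons.append("lure wording with link")

    for link in links:
        host = urlparse(link).hostname or ""
        if IPV4_RE.match(host):
            score += 2
            reasons.append(f"link to bare IP address {host}")

    sender = msg.get("From", "").lower()
    if not any(s.lower() in sender for s in known_senders):
        score += 1
        reasons.append("unsolicited sender")

    return score, reasons


def should_quarantine(raw_message, known_senders=()):
    """Decision helper: hold the message for review above the threshold."""
    score, _ = score_message(raw_message, known_senders)
    return score >= QUARANTINE_THRESHOLD


# Constructed sample messages (not real Storm e-mails).
LURE_MAIL = """\
From: "Postcards" <cards@example.invalid>
To: user@example.invalid
Subject: You've received a postcard from a family member!
Content-Type: text/plain

Hello! Your family member has sent you a postcard.
View it here: http://192.0.2.45/postcard
"""

LEGIT_MAIL = """\
From: colleague@example.invalid
To: user@example.invalid
Subject: Slides from today's meeting
Content-Type: text/plain

The deck is on the wiki: http://wiki.example.invalid/meeting-notes
"""

if __name__ == "__main__":
    for label, mail in (("lure", LURE_MAIL), ("legit", LEGIT_MAIL)):
        s, why = score_message(mail, known_senders=["colleague@example.invalid"])
        print(f"{label}: score={s} reasons={why}")
```

The scoring is deliberately additive so that each reason is visible to the person reviewing the quarantine; a message with only one weak signal (an unfamiliar sender, say) stays below the threshold, while the combination of lure wording, a link, and a raw-IP host is exactly the shape the advisory warns about.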

* Symantec Info

Symantec AntiVirus identifies Stormworm as Trojan.Peacomm. Definitions dated January 19, 2007, or later can detect it. For more information and details on removing it, see:

http://www.symantec.com/security_response/writeup.jsp?docid=2007-011917-1403-99


Thank you for your attention to this message. We hope it has proven useful.

Cornell Information Technologies
IT Security Office


If you need help and don't have access to local technical support personnel for assistance, please contact the CIT Contact Center (HelpDesk) by calling 255-8990, by sending e-mail to helpdesk@cornell.edu, or by visiting 119 CCC. The Contact Center is open Monday-Friday from 8:00 a.m. to 5:00 p.m., with extended phone hours Monday-Thursday from 5:00 p.m. to 8:00 p.m. during the academic year. If the Contact Center is closed and your problem is urgent, contact the Network Operations Center at 255-9900.


You can receive messages like this via e-mail by subscribing to the CIT-Alert-L mailing list, which is used to distribute announcements about significant disruptions or threats to the campus computing and telecommunications environment. Visit the CIT-Alert-L subscription page to subscribe.



Last modified: August 17, 2007