Aliases: DoS.Storm.Worm
Variants: N/A

Classification: Malware
Category: Computer Virus

Status: Active & Spreading
Spreading: Moderate
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 10 Jun 2001
Damage: Medium

Characteristics: W32.Storm.Worm looks for Microsoft IIS systems that lack the appropriate security patches. Any such system it locates is then infected with the worm.

More details about W32.Storm.Worm

When the worm finds a vulnerable system, it copies itself to the target and configures it to run W32.Storm.Worm automatically, effectively turning the infected system into a zombie participating in the hackers' e-war. To make sure it runs at the next system startup, the worm adds a value to some of the registry keys. The worm carries two payloads. The first is a denial-of-service attack launched against http://www.microsoft.com. The second is an email-bombing session that sends obscene messages to gates@microsoft.com. To remove the worm, delete all files detected as W32.worm and remove all the values it added to the registry.

W32.Storm.Worm is not related to the dangerous Small.dam or Nuwar worm, commonly called the Storm worm, which is responsible for the widespread Storm botnet. Since 2001 it has been a low-infection, low-impact worm that all of the major antivirus solutions remove. Once the worm runs, it sets up an FTP server thread and starts scanning about 10,000,000 IP addresses, attempting to find a vulnerable system at one of the targeted addresses. The targeted systems are installations of Microsoft IIS version 4 and version 5 that do not have the security patches covering the “Web Server Folder Traversal” vulnerability installed.
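
A defensive check for the probing described above, as an added example that is not part of the original entry: it flags logged request paths that climb directories, including when the path separator is hidden in an overlong UTF-8 encoding. The W3C-style log layout, addresses and paths are constructed samples, and treating the folder-traversal probes as percent-encoded `..` sequences is an assumption the entry does not spell out.

```python
import re
from urllib.parse import unquote_to_bytes

# 0xC0/0xC1 lead bytes and 0xE0 followed by 0x80-0x9F are never valid UTF-8:
# they are overlong encodings, which a lenient decoder may still accept.
_OVERLONG = re.compile(rb"[\xc0\xc1][\x80-\xbf]|\xe0[\x80-\x9f][\x80-\xbf]")

def _fold(match):
    """Decode one overlong sequence the way a lenient decoder would."""
    seq = match.group(0)
    cp = seq[0] & (0x1F if len(seq) == 2 else 0x0F)
    for cont in seq[1:]:
        cp = (cp << 6) | (cont & 0x3F)
    return chr(cp).encode("utf-8")

def classify(uri_stem):
    """Return 'clean', 'traversal', 'overlong-encoding' or 'traversal-overlong'."""
    raw = unquote_to_bytes(uri_stem)              # undo %xx escapes once
    folded, hits = _OVERLONG.subn(_fold, raw)     # normalise hidden separators
    climbs = b".." in re.split(rb"[/\\]", folded)
    if climbs:
        return "traversal-overlong" if hits else "traversal"
    return "overlong-encoding" if hits else "clean"

def scan(lines):
    """Return (client_ip, uri, verdict) for every non-clean request."""
    fields, findings = [], []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]             # column names for later rows
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            uri = row.get("cs-uri-stem", "")
            verdict = classify(uri)
            if verdict != "clean":
                findings.append((row.get("c-ip"), uri, verdict))
    return findings

# Constructed sample log: documentation IP ranges and harmless paths.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-06-12 10:00:01 192.0.2.10 GET /default.htm 200
2001-06-12 10:00:02 198.51.100.7 GET /scripts/..%c0%af../probe 404
2001-06-12 10:00:03 198.51.100.7 GET /scripts/..%c1%9c../probe 404
2001-06-12 10:00:04 192.0.2.11 GET /docs/../index.htm 200
2001-06-12 10:00:05 192.0.2.12 GET /files/caf%c3%a9.htm 200
""".splitlines()

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The check assumes the log records the request path still percent-encoded; a valid multi-byte character such as `%c3%a9` is left alone and does not raise a finding.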