Is your computer infected with the Storm Trojan?
First, some background information about the Storm Trojan.
Since July 1, 2007, I have written several blog articles warning people to be on the lookout for email scams containing links that cause Windows computers to become infected with the Storm Trojan. Estimates published in August 2007 put the number of infected computers anywhere from 1 million to over 5 million, making this one of the largest malware infections in the history of personal computing. Every one of those computers acquired the Storm Trojan through social engineering: its owner was tricked into opening an attachment or clicking a link.
Early variants of the Storm Trojan, which began circulating widely in January 2007, used catchy news headlines (some true, some false), such as reports of hundreds of people killed by storms raging across Europe; that lure is where the name comes from. Early payloads arrived as hostile attachments that offered more information or the full story but were actually the Storm Trojan itself. In mid-2007 the authors shifted away from attachments and began providing links that pointed at already infected computers, which were now being used to host web pages carrying exploit code and copies of the Trojan. The owners of these computers had no idea that their machines were being used for this purpose, or for other, more sinister ones.
It was in June 2007 that I began to notice suspicious numeric links (raw IP addresses rather than domain names) in email spam messages, which characterized the new breed of the Storm Trojan. There were several phases in which different techniques were employed, all designed to appeal to human curiosity, and each snared more unsuspecting victims into the ever-growing Storm Botnet. There were e-cards, postcards, verification messages, free music, free games, funny cats, dancing skeletons, naughty Christmas cards and now New Year's greeting postcards. Every one of these scams contains a link that the reader must click. If you are running a Windows computer that has not been fully patched against the vulnerabilities being exploited in the wild, and you clicked one of those links, chances are good that your computer has become a "zombie" member of the Storm Botnet.
Most of the time the owners of these compromised machines have no idea what is happening, because all of this activity is hidden from the user interface. The only giveaway that something is amiss would be occasional unexplained computer and Internet slowdowns, along with periods of heavy activity on the "activity" lights of an external broadband modem, as thousands of spam emails or a DDoS attack are launched from the computer. So, aside from flickering modem lights, how can you tell whether your Windows computer has been infected with the Storm Trojan?
The Storm Trojan has been around for about a year now, so any current antivirus or anti-spyware program should have definitions that detect and remove it. If you have such a program, make sure the scanning engine is current and the definitions are up to date, then reboot into Safe Mode and scan all files. Safe Mode is recommended because, although the Storm Trojan installs its "service" as a hidden rootkit, that rootkit depends on supporting processes, files and registry entries that can be stopped and deleted from Safe Mode; once they are gone, the rootkit driver itself is exposed and can be removed. With any luck your security program will find and remove the files and services associated with this Trojan.
If you don't have an antivirus or anti-spyware program on your Windows computer, you are probably already infected with all manner of malware. There is also a manual check you can use to decide whether your computer has, or might have, the Storm Trojan. A rootkit keeps its working files from showing up in Windows Explorer or in a Command window by intercepting the system calls that look up or enumerate files and filtering out any name that matches its own, including names that merely share its prefix, so the caller gets an empty result. Such files are sometimes called "super hidden". If your computer has a rootkit of this kind and you look for its files with Windows Search or with a DIR command in a Command window, they will not show up. The interesting consequence is that if you create a new text file on the Windows desktop whose name starts with the same prefix as the rootkit's files, that file will instantly disappear from view, or will not appear in a DIR listing. That gives you a test that needs nothing more than the prefix.
While the desktop file test may or may not work as described, a Command window can be used to reveal the presence of the Storm Trojan's rootkit.
Since Windows Explorer will not display the rootkit's hidden files and services, a good old DOS-style Command window and a few commands can do the trick, by showing whether a file you just created with one of the rootkit's name prefixes is being hidden. Here is what you need to do to check for the presence of the Storm Trojan rootkit component.
- Go to Start > Run, type CMD and press Enter.
- A Command window will open with a blinking cursor, waiting for your input.
- Case doesn't matter in these commands.
- In the Command window type: copy con spooldr.txt
- Press Enter. The cursor should move down to a blank line.
- Type a few words so the file has some size, then press F6. You should see ^Z (the end-of-file marker) after the last character you typed.
- Press Enter again. You should see "1 file(s) copied" and the cursor will blink on a new command line.
- At the blinking cursor type: DIR spooldr.txt and press Enter.
- If the listing shows the file name, its size in bytes and "1 File(s)", you have passed the first test.
- Repeat the copy con, F6 and DIR steps, substituting each of these file names in turn: noskrnl.txt, wincom.txt, clean.txt, bldy.txt
- If every one of these files appears in its DIR listing, you are probably OK as far as this test can tell (the file names used by the rootkit are now being changed frequently, so a clean result only means that none of these known prefixes is being filtered). If DIR answers "File Not Found" for a file you have just created, your computer is infected with the Storm Trojan and its rootkit.
- If all of the files show in a DIR listing, delete them by typing DEL filename.txt (substituting the actual file name) and pressing Enter for each one. A probe file that the rootkit hid cannot be deleted this way until the rootkit itself has been removed.
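The steps above can be run as a single batch file, which also removes the chance of a typo producing a false "File Not Found". The script below is an added example written for this article, not code from the original post; the prefix list is the article's, and the TYPE cross-check is a general rootkit-detection idea (open the file by name through a different API path than a directory listing) rather than anything the article claims about Storm specifically. Save it as stormprobe.cmd and run it from an ordinary Command window.

```batch
@echo off
rem Added example, not from the original article: automates the copy con / DIR
rem probe for each prefix named above. Run it from an ordinary cmd.exe window;
rem probe files are created in the current folder and deleted again when visible.
rem The prefix list is the article's and was said to change often, so a clean
rem result means "no known prefix is filtered", not "this machine is clean".
setlocal
set SUSPECT=0

for %%P in (spooldr noskrnl wincom clean bldy) do (
    rem Step 1: create the probe file, the same thing "copy con %%P.txt" does.
    echo storm rootkit probe> "%%P.txt"

    rem Step 2: the article's test. DIR sets errorlevel 1 and prints
    rem "File Not Found" when the directory enumeration does not return it.
    dir /b "%%P.txt" >nul 2>&1
    if errorlevel 1 (
        set SUSPECT=1
        rem Cross-check through a different API path: TYPE opens the file by
        rem name instead of enumerating the directory. Readable-but-unlisted
        rem is the classic signature of a filtered directory listing.
        type "%%P.txt" >nul 2>&1
        if errorlevel 1 (
            echo [MISSING]  %%P.txt cannot be listed or opened. Either the
            echo            name is blocked entirely or the file was never written.
        ) else (
            echo [HIDDEN]   %%P.txt can be read by name but DIR does not list it.
            echo            Directory listings are being filtered for this prefix.
        )
    ) else (
        echo [visible]  %%P.txt
        del "%%P.txt"
    )
)

echo.
if "%SUSPECT%"=="1" (
    echo Result: at least one probe name is being hidden. Treat this machine as
    echo compromised and scan it from Safe Mode with an up-to-date scanner.
    rem A probe file the rootkit hides cannot be deleted while it is active;
    rem remove it by hand once the rootkit is gone and the file reappears.
    exit /b 1
)
echo Result: every probe name was visible. No known Storm prefix is filtered.
exit /b 0
```

The script exits with code 1 when any probe is hidden, so it can be dropped into a login script or a helpdesk checklist. Keep in mind that this is a heuristic: a rootkit that hooks the open-by-name path as well as directory enumeration will report [MISSING] rather than [HIDDEN], and one that uses prefixes not in the list will not be detected at all, so a clean run does not replace a Safe Mode scan with a current scanner.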
I advise you to leave disinfection of rootkit threats to professional grade security applications, like Norton, McAfee, Kaspersky, or TrendMicro antivirus programs, or Webroot Spy Sweeper, or PCTools Spyware Doctor. There are links to some of these programs on this blog. Some of them offer a free trial download, and others offer a free online scan. If you can't afford one of these commercial programs you can download (install and update!) AVG Free Anti-Virus, or SpyBot Search and Destroy, which is also free, from the links in the right sidebar.
If I come up with some effective manual removal instructions, that can be used by the average computer owner, I will post them in a follow-up blog article.
If you like this article please share it.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.