A detailed analysis was provided, here
, on the new version of the Storm Worm
making it's rounds this week. I went looking in our logs for HTTP POSTs to three and four character GIF and JPG files with relatively small request and response sizes (<1000 bytes). What I found was a number of transactions to 220.127.116.11 (on Telos, no PTR record).
A small snippet of transactions:
There is a ThreatExpert report
on the related server / malware, which is identified as Email-Worm.Zhelatin (name used by Kaspersky and F-Secure for the Storm Worm
). The infected hosts connect out to mail servers in attempts to mass-mail and infect others. Here is a list of some of the email servers that it connects to:
Keep an eye out for these types of transactions within your networks.