Storm Worm using JavaScript with exploit code
Posted by jeremy on April 10th, 2008
I just now caught the Storm Worm web pages using obfuscated JavaScript to identify your operating system by searching your User-Agent string. If the exploit doesn't work, you will be directed to the old Storm Codec page mentioned in my last post, where you can still download the Storm Worm manually. I have not completely deobfuscated it as of yet, but here is a copy of the code I am chomping away at now: storm_codec_javascript. Initially it looks like they are using the MS06-014 Microsoft Data Access Components (MDAC) vulnerability to download "load.exe". I submitted load.exe to VirusTotal and here are the results: Load.exe Results. As you can see (13/31), there is not a lot of coverage from the antivirus companies right now.
So it does in fact look as though the Storm Worm authors were up to something new after all. More to follow when I have a chance to work with this code some more.
UPDATE: I just started working on the "flow.php" file and was able to identify that it is trying to use the vulnerability addressed in MS05-052. Here is the CLSID I was able to extract from the attempted exploit: "EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F"... Again, more to come, but I need to stop now and head into work....
UPDATE 2: I changed the JavaScript text file to a PDF, as I have gotten a few emails from people about their antivirus software alerting on it... I didn't think a text file would execute the JavaScript. Sorry about that! Here is the new link: storm_codec_javascript
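As an added example (not code from this post, which links to the obfuscated script rather than reproducing it), here is a small Python triage script that flags the hallmarks described above: User-Agent sniffing to pick a payload, an ActiveX object keyed on the CLSID quoted in the first update, string deobfuscation, and the redirect fallback to the manual-download page. Only the CLSID comes from the post; the other patterns and both sample pages are assumptions constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# Indicators for the kind of landing page the post describes. The CLSID is the
# one the post extracted from flow.php; the remaining patterns are assumptions
# about how such pages are typically written, not the real obfuscated script.
INDICATORS = {
    "ua_sniffing": re.compile(r"navigator\.userAgent", re.I),
    "activex_object": re.compile(r"ActiveXObject|classid\s*=", re.I),
    "clsid_from_post": re.compile(r"EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F", re.I),
    "string_deobfuscation": re.compile(r"\b(?:unescape|eval|String\.fromCharCode)\s*\(", re.I),
    "fallback_redirect": re.compile(r"(?:location\.(?:href|replace)|window\.open)\s*[=(]", re.I),
}


def score_page(html: str) -> dict:
    """Count each indicator after percent-decoding, so URL-encoded markup
    hidden inside unescape() strings is still visible to the patterns."""
    decoded = unquote(html)
    return {name: len(rx.findall(decoded)) for name, rx in INDICATORS.items()}


def verdict(hits: dict) -> str:
    """The exploit CLSID alone, or any two distinct indicators, queues the page for analysis."""
    distinct = sum(1 for count in hits.values() if count)
    return "review" if hits["clsid_from_post"] or distinct >= 2 else "clean"


# Constructed sample (not the real Storm page) mirroring the structure the post describes.
SUSPECT = """<html><body>
<script>
var ua = navigator.userAgent;
if (ua.indexOf("Windows") != -1) {
  document.write(unescape("%3Cobject%20classid%3D%22clsid%3AEC444CB6-3E7E-4865-B1C3-0DE72EF39B3F%22%3E%3C/object%3E"));
} else {
  location.href = "http://example.invalid/stormcodec.html";  /* manual-download fallback */
}
</script>
</body></html>"""

# Constructed benign page for comparison.
BENIGN = "<html><body><script>document.title = 'hello';</script></body></html>"

if __name__ == "__main__":
    for label, page in (("suspect", SUSPECT), ("benign", BENIGN)):
        hits = score_page(page)
        print(label, verdict(hits), hits)
```

Note that without the percent-decoding step the `classid=` pattern would miss the sample, since that markup only exists inside the encoded `unescape()` argument.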