DoS.Storm.Worm is a worm that seeks out Microsoft Internet Information Services (IIS) systems that have not applied the proper security patches. Any such systems that it finds are then infected with the worm. The payload of this worm performs a denial of service attack on www.microsoft.com.
The Trojan is packed using UPX (the Ultimate Packer for eXecutables) and is written in Java. The main 'wrapper' class is 'runner.class'. It starts the various components described below.
1. Read 'datastore'
'datastore' is a class that is handed along and carries a number of configuration parameters. When 'datastore' is first instantiated, it looks for 'storm.cfg' and overwrites any default parameters with the values it finds in storm.cfg. A new storm.cfg is written if it does not exist.
2. Send e-mail to 'emailreceive' (@gmx.net)
The body of the e-mail is one line listing the host name and IP address of the infected machine followed by the word 'startup.'
3. Set up TFTPd.
This sets up a TFTP daemon on port 69.
4. Start 'scanner'.
This component sends a variety of strings to each host's web server and inspects the responses. First, the version ID is queried to check whether the server runs IIS (see the datastore strings). The request strings are listed in 'datastore' and start with 'v' (e.g. v1, v2, ...); the return value is compared to the 'r' strings (r1, r2) in datastore.
For vulnerable hosts, the 'installer' will then try to install (and start) storm on the new machine. See the 'copy' and 'start' variables in datastore. The installer verifies that the new copy is running.
5. Start 'telnetd'
Start a telnet server at the port given by 'telnetport' in datastore (default 23001). The username and password are given in 'user' and 'pwd'.
6. Start 'dosd'
Dosd accesses each URL listed in datastore variables starting with 'dos'. By default, this is 'http://www.microsoft.com'.
7. Start 'bombd'
Send an e-mail to each address listed in datastore with a variable name starting with 'bomb' (e.g. bomb1). By default: gates@microsoft.com. The text of the message is in 'bombtext'.
8. Start consoled
Opens a console on port 23000 (or 'consoleport') using the same username/password as telnetd. This can apparently be used to remotely configure storm and overwrite various parameters in datastore.
9. Modify registry.
All 'datastore' variables that start with 'register' are additions to the system registry. By default, only two are used 'register1' and 'register2' to start storm on reboot.
10. 'mailer'
Mailer sends an e-mail via the SMTP server specified in datastore (by default: mail.gmx.net). It uses a username/password to authenticate itself.
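A host-side check for the default ports and endpoints the components above use (telnetd 23001, consoled 23000, TFTPd 69, dosd's www.microsoft.com, mailer's mail.gmx.net), written as an added example rather than anything from the original analysis; the netstat-style records it scans are constructed.

```python
import re
from collections import defaultdict

# Defaults quoted in the analysis above. Assumption: storm.cfg has not
# overridden them (telnetport, consoleport, dos*, and the SMTP host are all configurable).
STORM_LISTENERS = {69: "tftpd", 23000: "consoled", 23001: "telnetd"}
STORM_REMOTES = {"www.microsoft.com": ("dosd", 80), "mail.gmx.net": ("mailer", 25)}

# Constructed netstat-style records: proto, local, remote, state, process.
SAMPLE = """\
tcp 0.0.0.0:23001 0.0.0.0:* LISTEN java.exe
tcp 0.0.0.0:23000 0.0.0.0:* LISTEN java.exe
udp 0.0.0.0:69 *:* - java.exe
tcp 10.0.0.5:1034 www.microsoft.com:80 ESTABLISHED java.exe
tcp 10.0.0.5:1035 www.microsoft.com:80 ESTABLISHED java.exe
tcp 10.0.0.5:1036 mail.gmx.net:25 ESTABLISHED java.exe
tcp 0.0.0.0:80 0.0.0.0:* LISTEN inetinfo.exe
tcp 10.0.0.5:1040 www.example.com:80 ESTABLISHED iexplore.exe
"""

LINE_RE = re.compile(r"^(tcp|udp)\s+\S+:(\d+)\s+(\S+):(\d+|\*)\s+(\S+)\s+(\S+)$")

def indicator(line):
    """Return (indicator, process) if a record matches a default, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proto, lport, raddr, rport, state, proc = m.groups()
    lport = int(lport)
    # UDP sockets carry no LISTEN state in netstat output, so any bound
    # UDP port counts as a listener.
    if (state == "LISTEN" or proto == "udp") and lport in STORM_LISTENERS:
        return "listen:%s:%d" % (STORM_LISTENERS[lport], lport), proc
    remote = STORM_REMOTES.get(raddr)
    if remote and rport != "*" and int(rport) == remote[1]:
        return "remote:%s:%s" % (remote[0], raddr), proc
    return None

def storm_indicators(lines):
    """Count records per matching indicator."""
    hits = defaultdict(int)
    for line in lines:
        hit = indicator(line)
        if hit:
            hits[hit[0]] += 1
    return dict(hits)

def flagged_processes(lines):
    """Processes owning at least one matching socket (the worm runs under Java)."""
    return {hit[1] for hit in map(indicator, lines) if hit}
```

Because every one of these values can be changed through storm.cfg or the console on port 23000, treat the defaults as a starting point for triage rather than a complete signature; a Java process owning several of them at once is the stronger signal.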