Virus Alert: Storm Worm

Storm Worm invades via e-mail. If you open a Storm Worm link, you'll immediately be prompted to download an applet, something users often do without thinking. Storm Worm e-mail messages constantly change, so watch for new twists in spam subject lines. Follow these guidelines:

• Delete spam without opening it or clicking links, especially messages with subjects like these:
  • You have received a postcard from
  • Your log-in information (message verifies membership to a site you don't remember signing up for)
  • Check this film out! (message invites you to view a youtube.com clip)
• Stop and consider the consequences before you agree to download something or open, allow, or disable a port.
• If you're not sure that an e-mail is from a friend or colleague, check with the other person before opening the e-mail.
• Keep your antivirus software current with automatic updates.
• Activate your computer's firewall.

Storm Worm affects only Windows XP users. If you use Windows XP and your computer runs more slowly than usual or you see unexpected pop-up windows, you may have a virus. Try one of these strategies to check for Storm Worm:

• Try logging on to a Single Sign-On application such as FinancialLink. UCSD uses Single Sign-On to screen for Storm Worm, so if your machine is infected, you'll be directed to a special page.
• Run your antivirus software. If your software finds any bits of code listed below, disconnect from the Internet immediately because your computer has Storm Worm.
  • Agent
  • Crypt.XPACK
  • Dorf
  • Downloader-BAI
  • Dropper.gen6
  • Fathom
  • Fuclip
  • Groan
  • Killer.Ecard
  • Nuwar
  • Packed.13
  • Packed.142
  • Packed.145
  • Peacoan
  • Peacomm
  • Peed
  • Rootkit.47744
  • Rootkit.dam
  • Sintun
  • Small
  • Sploder
  • Stormworm
  • Tibs
  • TR/Patched
  • Trojan.Spambot
  • Win32.Spamtool
  • Zhelatin

If you have a department computer support contact (or DSA):

• Notify your support contact immediately.
• Explain that you think your computer has Storm Worm and must be removed from the UCSD network.
• A patch is available to remove Storm Worm. Your DSA may run this patch for you, or direct you to follow the instructions.

If you don't have a department computer support contact:

• Disconnect your computer from the UCSD network.
• Contact the ACT Help Desk at (858) 534-1853, ACMS Desktop Support, or Computer Repair and Installation. Explain that you think your computer has Storm Worm and your department does not have technical support. They may direct you to a patch to remove Storm Worm.
• If you need to schedule a repair, both Desktop Support and CRI will charge your department via recharge.

To remove Storm Worm, you can either download a patch (developed by ACT), or reformat your computer and then reinstall Windows and any other programs from original disks. (You may want to hire a computer repair specialist to avoid losing important data. Expect to pay up to $500.)

If you decide to remove Storm Worm yourself, follow the instructions for installing the patch. UCSD does not take any responsibility for harm to your computer that may result.

If you decide to reformat your computer:

• Copy your data to a safe place. You will need blank DVDs, CDs, or an external hard drive large enough to store all your data. You will lose everything you don't back up.
• Reformat your hard drive.
• Reinstall Windows and other programs using your original disks.
• Make sure your antivirus program and Windows are set for automatic updates.
• Activate your firewall.