Is win-98 vulnerable to the Storm virus/trojan?


98 Guy

Anyone know if the Storm virus can infect win-98 systems?

It's my understanding that Storm normally infects a system by triggering a buffer-overrun vulnerability in IE or some IE-related component, but that it requires very specific code to correctly execute with the intended result, and exploit code written for 2K or XP may not (or will not) run correctly on 9x.

Anyone know for sure if this is the case?


Looks like it does

According to one of those references:

"the malware installs the wincom32 service"

How can it install a service on a system running Win-9x ???

Also:

"The e-mails, many of them otherwise empty, contain a link to a compromised Web site where machines are infected with a generic downloader."

So the exploit is hosted on a web server, with the e-mail serving as just a pointer to the exploit.

My question - what is the exploit being leveraged by the generic downloader?

The last reference says this:

"The Storm email worm may drop the file 'wincom32.exe' into the Windows system directory (typically, C:\Windows\System under Windows 95/98/ME, C:\Winnt\System32 under Windows NT/2000, and C:\Windows\System32 under Windows XP."

It's unclear whether the wincom32.exe file is actually part of the Storm e-mail, or if that file is referenced in a web-link that is visible in the e-mail.

If the wincom32.exe is an attachment to the e-mail, then it's not likely that it would be executed by OE or Outlook (the most common e-mail apps) because of how they handle attachments like .exe's. If wincom32.exe is remotely hosted, then again there is missing information as to how a browser is tripped up into downloading and executing it.

Your HTML email only contains a hidden link (an iframe of size zero or something like that, probably) to a web page on which the download-and-execute exploit (scripting exploit) is hosted, as I understand it. The malware itself may be located on another server.

That type of exploit does not require any user interaction apart from viewing the initial webpage or HTML email, I think, because the iframe page uses the JavaScript onload event, which can automatically execute a script on page load, which means that opening your mail is probably enough to get infected.

BEST THING ANYWAY IS TO NOT USE OE OR OUTLOOK OR ANY EMAIL CLIENT USING THE IE RENDERING ENGINE TO DISPLAY HTML.

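Added example (not part of the thread and not any poster's code): a Python check that a mail gateway or an analyst could run over a raw message to flag the zero-size iframe and onload constructs described in the last post. The sample message, its hostnames and the function and class names are constructed for illustration.

```python
import email
import re
from email import policy
from html.parser import HTMLParser

# width="0", height="0px" and similar attribute values
ZERO = re.compile(r"^\s*0+(\.0+)?\s*(px|%)?\s*$", re.I)
# inline CSS that hides an element or collapses it to zero size
HIDDEN_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?:width|height)\s*:\s*0+(?:px)?\s*(?:;|$)", re.I)

class FrameFinder(HTMLParser):
    """Collects (kind, detail) findings for iframes and onload handlers."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag in ("iframe", "frame"):
            hidden = (any(ZERO.match(a.get(d, "x")) for d in ("width", "height"))
                      or bool(HIDDEN_CSS.search(a.get("style", ""))))
            kind = "hidden-iframe" if hidden else "iframe"
            self.findings.append((kind, a.get("src", "")))
        if "onload" in a:
            self.findings.append(("onload-handler", tag))

def scan_message(raw: bytes):
    """Return findings for every text/html part of a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder = FrameFinder()
            finder.feed(part.get_content())
            finder.close()
            findings.extend(finder.findings)
    return findings

# Constructed sample message; the hosts are placeholders under example.test.
SAMPLE = (b"From: sender@example.test\r\nSubject: constructed sample\r\n"
          b"MIME-Version: 1.0\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
          b'<html><body onload="init()"><p>hello</p>'
          b'<iframe src="http://landing.example.test/" width="0" height="0"></iframe>'
          b'<iframe src="http://video.example.test/" width="400" height="300"></iframe>'
          b"</body></html>\r\n")

if __name__ == "__main__":
    for finding in scan_message(SAMPLE):
        print(finding)
```

A visible iframe is still reported, under the weaker "iframe" label, because remote frames in mail are rare enough to be worth a look on their own.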