Network News

X My Profile
View More Activity

Storm Worm Victims Get Stock Spam Pop-Up

If you're a Windows users and today received a surprise pop-up advertisement urging you to invest in an obscure penny stock, it is highly likely that your computer is infected with the virulent Storm worm, a nasty intruder that currently resides on an estimated 200,000 PCs worldwide.

Criminal groups that control the pool of Storm-infected computers have traditionally used those systems to pump out junk e-mail ads touting thinly traded penny stocks as part of an elaborate and ongoing series of "pump-and-dump" schemes. But today, according to security researchers, the Storm worm authors went a step further by causing a pop-up ad for a particular penny stock to be shown on all infected machines.

Atlanta-based SecureWorks tracked the latest Storm activity, which began earlier this morning. The pop-up, shown in the image to the right, touts a microcap stock for Hemisphere Gold Inc. [HPGI.PK] as a "strong buy." Joe Stewart, a senior security researcher at SecureWorks who has closely tracked Storm since its inception in January, said this is the same stock that Storm-infected machines advertised in a traditional spam run that began Monday evening.

For those readers who received this pop-up, the news only gets worse: Detecting and removing a Storm infestation can be exceedingly difficult, as it is programed to regularly mutate its digital make-up. Part of Storm's sneakiness stems from the fact that it ships with what's known as a "rootkit," a set of computer instructions designed to hide the malicious files and system processes that carry out most of the worm's activities. It does this essentially by inserting those components into legitimate Windows processes and drivers -- such as "tcpip.sys," the driver that handles core Internet networking functions on Windows systems.

"By injecting itself into regular Windows processes and hijacking Windows drivers, Storm doesn't give you much to grab onto there," Stewart said. "Most people are going to have to depend on their anti-virus vendor to eventually get updated to detect whichever Storm variant is on their machine, or pay an expert to find it on their machine and remove it."

Image courtesy

Predictably, anyone who was foolish enough to snap up shares of the Storm-touted stock -- HPGI.PK -- lost money in trading. The company's share price fell 15 cents today, from $1.15 per share to $1.00. A noticeable and uncharacteristic uptick in trading volume on this stock is evident over the past week, possibly indicating that groups allied with the Storm worm authors were taking a position in advance of this spam campaign.

I put a call into Hemisphere Gold and am awaiting a response. I'll update this post if the company issues a comment or responds to my query.

By Brian Krebs  |  November 13, 2007; 5:11 PM ET
Categories:  Latest Warnings  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Microsoft Plugs Critical Windows Security Hole
Next: ZoneAlarm Anti-Spyware Free for Today


Nice Article Brian, Keep them coming!

John D. Jarvis

Posted by: Anonymous | November 14, 2007 8:21 AM | Report abuse

Will AVG Anti Rootkit Free find the Storm worm on a 'puter?

Posted by: Emilie | November 14, 2007 9:55 AM | Report abuse

This seems counter productive - doesn't having this happen alert all the infected users - if they are paying attention - that they are infected?

Posted by: kdt | November 15, 2007 10:09 AM | Report abuse

they issued a press release this afternoon where they stated:

The Company has also been made aware of emails being sent out that are promotional in nature. Hemisphere Gold Inc. emphatically states that it has not sanctioned the emails nor does it have any information on their source.

Any person who has received such an email is cautioned to get professional investment advice before purchasing shares in the Company, and to read all of the available information that has been provided by the Company.

Hemisphere Gold Provides Shareholder Update on Corporate Affairs

Company committed to key principals and fundamentals through ethical stewardship

Reno, NV - November 15, 2007 - Hemisphere Gold Inc. (HPGI.PK), a gold exploration, property acquisition and mining development company, is pleased to provide a shareholder update and details on its corporate operations.

The Company is committed to providing information to its shareholders, and in recent months has posted information at

These filings include:

• Legal Opinions
• Financial Statements
• Company Information and Disclosure Statements
• Bylaws and incorporation documents

The Company is also now working on its latest financial statements, and expects them to be posted on in the very near future. These statements are being produced by the management team, including the Company's CFO Riaz Sumar, who is a Certified General Accountant.

The Company is also now in the process of establishing its Corporate Governance Policies and plans to have them available on within the next two weeks.

Finally, Hemisphere is adopting an Environmental Code of Ethics, whereby internal policies are being implemented and will be enforced to minimize the company's 'footprint' on the planet.

Ted Pomerleau, President of Hemisphere stated, "We decided early on to provide data to the public, and being transparent to our shareholders is a key pillar of our internal policies. We are committed to the highest possible standards of openness, honesty and accountability, and are bound by specific laws and regulations as set under the Securities Exchange Commission."

The Company has also been made aware of emails being sent out that are promotional in nature. Hemisphere Gold Inc. emphatically states that it has not sanctioned the emails nor does it have any information on their source.

Any person who has received such an email is cautioned to get professional investment advice before purchasing shares in the Company, and to read all of the available information that has been provided by the Company.

About the Company

Hemisphere Gold Inc. is in the business of exploration and acquisition of high-yielding untapped mineral producing properties in some of the world's best gold districts. The Company's flagship property is in Suriname, a democratic country which has had mining operations since the 1700s and is emerging as a major gold producer. Hemisphere is committed to maintaining environmental stewardship, occupational safety and corporate responsibility.
For more information, please visit

This press release may contain forward-looking statements which are pursuant to the safe harbour provisions of the Private Securities Litigation Reform Act of 1995. Investors are cautioned that actual results may differ materially and all forward-looking statements involve risks and uncertainties including, without limitation, risks associated with the Company's financial condition and prospects, risks associated with mining exploration, risks of governmental legislation and regulation, risks associated with dependence on third parties, risks relating to international operations, delays in testing and evaluation of products and risks associated with competition..
Hemisphere Gold Inc.
Investor Relations
Barry Reagh
Phone: (888) 548-8444

Posted by: Marlon | November 15, 2007 2:21 PM | Report abuse

Macs have this problem too!
Mac worm rumors swirl; Dai Zovi ships unofficial Mac OS X patch!
We at Microsoft will never ever gloat over other OS's having problems with hackers and their diabolical malicious code attacking the very fabric of their systems. I feel Apple's pain, the frustration, confusion, the sense of utter helplessness in the face of a rumored worldwide assault on their product. However, I emplore all Mac users to come try Vista and it's rock solid security! You will find the interface quite familiar. Best of all you will get to deal with our tech support and WGA program. We patch every Tuesday, constantly monitor you, restart your system, make sure everything is licensed, .... security assured!
Don't take the risk of running a system with rumored virri, worms, hacks and bugs. We identify ours and patch on Tuesday.

Posted by: Steve Ballmer | November 18, 2007 2:14 AM | Report abuse

Macs are NOT secure!
last quarter there were 8,342 Windows exploits, that's down by 22%! But there were 9 Mac exploits, that's up by 33%!

Posted by: steve ballmer | November 19, 2007 8:12 AM | Report abuse

Counterproductive yes...but the "storm masters" are so cocky now, they know even if they utilize the "pop-up" method on infected PC's, 75% of users will never know what it is, or have any action taken.

When will Microsoft find a way to rid this worm? Is it not a priority for them? I have not heard / read anything that they are working on fixing the issue once and for all.

It could be a simple as enabling IPSEC on the infected machines to disable network access to the worm.

Posted by: Bill Third | November 20, 2007 12:50 PM | Report abuse

@steve baller: thanks for that factoid, O Fat One! Uh - isn't 200,000 Storm zombies a bit conservative?

Posted by: Rick | November 26, 2007 12:30 PM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company