General Chat
Peacomm.
Profile | Posted by | Options | Post Date |
---|---|---|---|
|
Bobtanian | Report | 20 Jan 2007 15:36 |
Trojan |
|
Bobtanian | Report | 20 Jan 2007 15:36 |
As of January 19, 2007, Symantec Security Response is advising users to be cautious of any unsolicited email which contains attachments that claim to be legitimate or interesting, due to a recent trojan horse named Trojan.Peacomm. The Trojan horse arrives as an attachment to an email purporting to contain a video of one of several different recent news stories. The attachment may be one of the following: FullVideo.exe, FullStory.exe, Video.exe, ReadMore.exe, FullClip.exe. The attachment is actually a trojan horse that will install itself on the system and download other malicious programs from various computers on the Internet. The attachment and the trojan horse it contains will be detected as Trojan.Peacomm. Other malicious programs that are commonly downloaded by this threat include Trojan.Abwiz.F and W32.Mixor.Q@mm. Once installed and running, this threat attempts to establish communication with other infected systems on the Internet via a custom peer-to-peer network. This network is used as the distribution source from which the other malicious programs are downloaded. Symantec Security Response has analyzed the threat and has provided protection for it via LiveUpdate and Intelligent Updater. The latest antivirus (AV) definitions will detect all known variants of the Trojan.Peacomm trojan horse. |
|
Bobtanian | Report | 23 Jan 2007 10:36 |
Today Symantec Security Response raised the risk level of Trojan.Peacomm to a category 3 threat, due to the speed and volume in which it is being aggressively spammed across the Internet. The Trojan, which was first spotted January 17, 2007 has been raised to a higher category following a sustained increase in new versions of the attack which appeared over the weekend as the malware author responded to improvements in protection made by security companies by adjusting his tactics. Trojan.Peacomm is one of a number of spamming Trojan horse programs Symantec has seen lately that appear to originate from Russia and are clearly aimed at making money for the author by pumping up penny stocks. The victim is enticed through social engineering techniques to open an attachment, which typically appears to be a video clip on a recent, newsworthy event. The email itself will have no message body, but will have one of several subject lines such as 'A killer at 11, he's free at 21 and kill again!,' 'Fidel Castro Dead,' 'Re: Your Text.' For a complete list of subject lines, please click here. Symantec’s new technology, Symantec Online Network for Advanced Response (SONAR), which is included in Norton AntiVirus and Norton Internet Security, helped to detect an increase in activity around supporting files dropped by Trojan.Peacomm early last week, before the threat was seen in the wild. We will closely monitor further information related to this threat, and will provide updates and security content as necessary. |
|
Bobtanian | Report | 23 Jan 2007 10:38 |
Discovered: January 19, 2007
Updated: January 22, 2007 04:04:42 PM GMT
Also Known As: CME-711 [Common Malware Enumeration], TROJ_SMALL.EDW [Trend Micro], Small.DAM [F-Secure], Downloader-BAI [McAfee], Troj/Dorf-Fam [Sophos]
Type: Trojan Horse
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

Trojan.Peacomm is a Trojan horse that drops a driver program file to download additional security threats. Trojan.Peacomm reportedly arrives as an attachment to a spammed email with the following characteristics:

Subject: One of the following:
- A killer at 11, he's free at 21 and kill again!
- U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
- British Muslims Genocide
- Naked teens attack home director.
- 230 dead as storm batters Europe.
- Re: Your text
- Radical Muslim drinking enemies's blood.
- Chinese missile shot down Russian satellite
- Chinese missile shot down Russian aircraft
- Chinese missile shot down USA aircraft
- Chinese missile shot down USA satellite
- Russian missile shot down USA aircraft
- Russian missile shot down USA satellite
- Russian missile shot down Chinese aircraft
- Russian missile shot down Chinese satellite
- Saddam Hussein safe and sound!
- Saddam Hussein alive!
- Venezuelan leader: 'Let's the War beginning'.
- Fidel Castro dead.

Attachment: One of the following:
- FullVideo.exe
- Full Story.exe
- Video.exe
- Read More.exe
- FullClip.exe
- GreetingPostcard.exe
- MoreHere.exe
- FlashPostcard.exe
- GreetingCard.exe
- ClickHere.exe
- ReadMore.exe
- FlashPostcard.exe
- FullNews.exe

Note: Due to a substantial increase in activity, Symantec Security Response raised this threat to category 3 on January 22, 2007.

Further reading: Trojan.Peacomm: Building a Peer-to-Peer Botnet

Protection
- Virus Definitions (LiveUpdate™ Daily): January 19, 2007
- Virus Definitions (LiveUpdate™ Weekly): January 22, 2007
- Virus Definitions (Intelligent Updater): January 19, 2007
- Virus Definitions (LiveUpdate™ Plus): January 19, 2007

Threat Assessment

Wild
- Wild Level: High
- Number of Infections: More than 1000
- Number of Sites: More than 10
- Geographical Distribution: Medium
- Threat Containment: Easy
- Removal: Moderate

Damage
- Damage Level: High
- Payload: Downloads additional security threats.
- Degrades Performance: Sent UDP packets may degrade performance.

Distribution
- Distribution Level: Low
- Ports: UDP port 4000, UDP port 7871

Writeup By: Masaki Suenaga |
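The delivery characteristics listed in the advisory text above (subject line, attachment name, no message body) can be checked mechanically when triaging a mailbox or at a mail gateway. The following Python sketch is an added example, not part of the original posts or of Symantec's write-up; the function names and the sample messages are constructed for illustration, and the subject set holds only a few of the listed lines.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Attachment names from the advisory, stored lower-case with spaces removed.
ATTACHMENT_NAMES = {
    "fullvideo.exe", "fullstory.exe", "video.exe", "readmore.exe",
    "fullclip.exe", "greetingpostcard.exe", "morehere.exe",
    "flashpostcard.exe", "greetingcard.exe", "clickhere.exe", "fullnews.exe",
}
# A few of the advisory's subject lines (deliberately not the full list).
SUBJECTS = {"fidel castro dead.", "re: your text", "saddam hussein alive!"}

def normalise_name(filename):
    """Lower-case and drop whitespace so 'Full Story.exe' == 'FullStory.exe'."""
    return re.sub(r"\s+", "", filename or "").lower()

def score_message(raw):
    """Return the list of advisory characteristics a raw RFC 5322 message matches."""
    msg = message_from_string(raw, policy=policy.default)
    reasons = []
    if (msg["Subject"] or "").strip().lower() in SUBJECTS:
        reasons.append("subject")
    for part in msg.iter_attachments():
        name = normalise_name(part.get_filename())
        if name in ATTACHMENT_NAMES:
            reasons.append("attachment:" + name)
        elif name.endswith(".exe"):
            reasons.append("exe-attachment")  # unlisted name, still executable
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is None or not body.get_content().strip():
        reasons.append("empty-body")  # the advisory notes there is no message body
    return reasons

def build_sample(subject, body=None, attachment=None):
    """Construct a test message; addresses and payload bytes are placeholders."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.invalid", "user@example.invalid"
    m["Subject"] = subject
    if body is not None:
        m.set_content(body)
    if attachment:
        m.add_attachment(b"constructed placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()

if __name__ == "__main__":
    print(score_message(build_sample("Fidel Castro dead.", attachment="Full Story.exe")))
    print(score_message(build_sample("Family tree photos", "See attached.", "tree.pdf")))
```

A message that matches several characteristics at once is a much stronger signal than any single match, since a subject such as "Re: Your text" is common in legitimate mail.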
|
X Lairy- Fairy | Report | 23 Jan 2007 13:49 |
I had that yesterday. It was a nightmare to get rid of. Rosex |
|
AnninGlos | Report | 23 Jan 2007 15:11 |
Thanks Bob. Will be aware. Ann Glos |