Middle East War, or just more junk email? 

Apr 09, 2007 03:00 AM

Over the weekend Security Response received samples of the latest variants of Trojan.Peacomm and W32.Mixor doing the rounds. The social engineering trick employed this time appeals to people's sense of fear, as well as their natural curiosity, about a possible Middle East war involving the United States, Iran and Israel.

Subjects include "USA Just Have Started World War III" / "Missle Strike: The USA kills more then 20000 Iranian citizens" / "Israel Just Have Started World War III" / "USA Missile Strike: Iran War just have started". From the sample emails that we have seen to date, the actual email body is blank, and the attached files have various names such as "video.exe", "movie.exe", "click here.exe", "clickme.exe", "readme.exe" and "read more.exe".
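As an added example (not from the original post or from Symantec), a mail-triage check built from the indicators listed above: the quoted subjects, a blank body, and the attachment names. The function names, reason labels and sample messages are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators copied from the post; the reason labels are this example's own.
SUBJECTS = {
    "usa just have started world war iii",
    "missle strike: the usa kills more then 20000 iranian citizens",
    "israel just have started world war iii",
    "usa missile strike: iran war just have started",
}
ATTACHMENT_NAMES = {"video.exe", "movie.exe", "click here.exe",
                    "clickme.exe", "readme.exe", "read more.exe"}


def triage(raw: bytes) -> list[str]:
    """Return the reasons a raw RFC 5322 message matches this campaign."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    # Collapse whitespace and case so header folding does not hide a match.
    subject = " ".join(str(msg["Subject"] or "").lower().split())
    if subject in SUBJECTS:
        reasons.append("known-subject")
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is None or not body.get_content().strip():
        reasons.append("blank-body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        if name in ATTACHMENT_NAMES:
            reasons.append("known-attachment-name")
        elif name.endswith(".exe"):
            # Repacked variants rename their files; the extension still stands out.
            reasons.append("exe-attachment")
    return reasons


def build_sample(subject: str, body: str, filename: str) -> bytes:
    """Build a constructed test message; the attachment is inert filler bytes."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    if body:
        m.set_content(body)
    m.add_attachment(b"inert placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

The exact subject and filename matches age quickly; the blank-body and executable-attachment reasons are the ones that still fire when a variant changes both.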

Proactively detected by Symantec antivirus software as Trojan.Packed.13, the underlying threats are actually nothing new. They are simply minor variants of Trojan.Peacomm and W32.Mixor (named W32.Mixor.AR@mm in this instance) which have been repacked in an attempt to avoid existing detection, and appear to have been largely successful at that attempt. The only differences between W32.Mixor.AR@mm and previous versions, apart from the obvious email subjects, are the filenames and registry values. A writeup has been posted containing this information. Continuing along the lines of the previous variant, Trojan.Peacomm employs rootkit technology, as described in a blog entry posted back in January.

Even though Symantec customers were protected from this without the need to update definitions, there is never a good time to let your guard down, even during a festive season when goodwill to others should surely be the overriding theme. The more shocking or unbelievable the subject of emails such as these, the more the contents should be treated with the suspicion they usually deserve. Hopefully the Easter bunny delivered something a little more pleasant to the majority than this tedious offering.
