Spam Attack: RARed Trojan 

Apr 25, 2007 03:00 AM

Symantec Security Response has seen an increasing number of submissions of Trojan.Peacomm and related malware arriving in emails containing password-protected RAR archives.

As with the previous Peacomm spam run, the email contains an image (a GIF file) and an attachment. The image contains a message about a patch that can be used to "remove worm files" and the password for the attached file. However, in this case, the attachment is a RAR archive.

The files inside the RAR archive are detected as Trojan.Packed.13. This detection for Trojan.Packed.13 was available in definitions dated March 22, 2007. The Trojan.Packed.13 sample drops another malicious file, which is also already detected by March 22 definitions, this time as W32.Mixor.Q@mm.

These are some of the email Subject lines being used by this wave of spam:
Trojan Alert!
Virus Alert!
Virus Detected!
Virus Alert!
Warning!
Spyware Alert!
Worm Detected!

Some sample Attachment Filenames seen are as follows (where xxxxx represents a 5 digit random number):
bugfix-xxxxx.rar
removal-xxxxx.rar
patch-xxxxx.rar
hotfix-xxxxx.rar

Security Response has also noticed a slight increase of activity on TCP port 2525, which may be related to the spamming of the threat, as port 2525 is used as an alternative SMTP port on some servers.

Update

Symantec Security Response has received several queries regarding how to best limit the impact of the latest run of Trojan.Peacomm spam. As with any e-mail-based malware, it's best to tackle it at the gateway by using email filters to block the mail, for example by subject line or attachment name. Also, Symantec's Brightmail-enabled messaging products now have a rule to block this latest spam run. Since the rule was added yesterday it has successfully blocked over 1.2 million messages!
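The gateway rule described above, written out as an added example (this is not Symantec's Brightmail rule or any code from the original post): it parses a raw message, compares the Subject line against the strings listed earlier in this post, and matches attachment names against the bugfix/removal/patch/hotfix-xxxxx.rar pattern. The sample messages are constructed with the standard library's email package, and the function names are my own.

```python
import re
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Subject lines quoted in the advisory, compared case-insensitively.
BLOCKED_SUBJECTS = {
    s.lower() for s in (
        "Trojan Alert!", "Virus Alert!", "Virus Detected!",
        "Warning!", "Spyware Alert!", "Worm Detected!",
    )
}

# Attachment names quoted in the advisory: <prefix>-xxxxx.rar, where
# xxxxx is a 5-digit random number.
ATTACHMENT_RE = re.compile(
    r"^(?:bugfix|removal|patch|hotfix)-\d{5}\.rar$", re.IGNORECASE)


def attachment_names(msg):
    """Return every attachment filename found in a parsed message."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def classify(raw: bytes) -> dict:
    """Decide whether a raw RFC 822 message matches this spam run.

    Returns {"action": "quarantine" | "deliver", "reasons": [...]}.
    Matching is deliberately exact: this is a wave-specific gateway
    rule, not a generic malware detector.
    """
    msg = message_from_bytes(raw, policy=default)
    subject = (msg.get("Subject") or "").strip()
    reasons = []
    if subject.lower() in BLOCKED_SUBJECTS:
        reasons.append(f"subject line matches spam run: {subject!r}")
    for name in attachment_names(msg):
        if ATTACHMENT_RE.match(name):
            reasons.append(f"attachment name matches spam run: {name!r}")
    return {"action": "quarantine" if reasons else "deliver",
            "reasons": reasons}


def build_sample(subject: str, attachment_name: str) -> bytes:
    """Construct a test message (a constructed sample, not a captured email)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content("See the attached patch.")
    # The attachment bytes are filler; this filter never inspects them.
    msg.add_attachment(b"\x00" * 16, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for subj, name in (("Virus Alert!", "patch-48213.rar"),
                       ("Re: lunch", "notes.txt")):
        print(subj, name, "->", classify(build_sample(subj, name)))
```

Either indicator on its own quarantines the message, which mirrors the advice to filter "by subject line or attachment name". The subject list is exact rather than fuzzy on purpose: a looser rule ("Alert!" anywhere) would start catching legitimate security notifications, the same false-positive trade-off discussed below for the archive itself.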

We looked into the possibility of creating a reliable detection for the encrypted RAR archives. The only possible way to detect these files is to create a signature using the file header. With RAR archives using full encryption with AES, the header is only 14 bytes in size. All other information such as filename and other attributes is encrypted. While it is technically feasible to create a detection based on the file header and the approximate size of the file, there is a high risk of false positive detections, as clean RAR files of approximately the same size would also be detected. Taking the risk of false positives into consideration, and based on the fact that there are other more effective means to block this malware, we have made the decision not to release this detection.
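To make the false-positive argument concrete, here is an added example (not Symantec's code, and not a detection that shipped) that parses the 14 bytes a header-encrypted RAR 3.x archive leaves in the clear and then applies the kind of "header plus approximate size" signature the post declined to release. The field layout (7-byte marker, then HEAD_CRC, HEAD_TYPE, HEAD_FLAGS, HEAD_SIZE, with the MHD_PASSWORD flag marking encrypted headers) is taken from the public RAR 3.x format description and is an assumption of this example, not something the post states; the sample archives are synthetic and the function names are my own.

```python
import struct
from typing import Optional

# RAR 2.9/3.x container constants (assumed from the public format
# description; the advisory itself names none of these).
RAR3_SIGNATURE = b"Rar!\x1a\x07\x00"   # 7-byte marker block
MAIN_HEAD_TYPE = 0x73                   # archive (main) header block
MHD_PASSWORD = 0x0080                   # flag: file headers are encrypted
BASE_HEADER_LEN = 7                     # HEAD_CRC(2) HEAD_TYPE(1) HEAD_FLAGS(2) HEAD_SIZE(2)
CLEAR_PREFIX_LEN = len(RAR3_SIGNATURE) + BASE_HEADER_LEN   # the 14 readable bytes


def parse_rar3_header(data: bytes) -> Optional[dict]:
    """Parse the 14 bytes a header-encrypted RAR leaves readable.

    Returns None when the data is not a RAR 3.x archive; otherwise the
    main-header flags and whether the MHD_PASSWORD bit is set. The CRC
    is not verified, since the point is only to see what a signature
    could key on.
    """
    if len(data) < CLEAR_PREFIX_LEN or not data.startswith(RAR3_SIGNATURE):
        return None
    _crc, head_type, flags, head_size = struct.unpack_from(
        "<HBHH", data, len(RAR3_SIGNATURE))
    if head_type != MAIN_HEAD_TYPE:
        return None
    return {"flags": flags, "head_size": head_size,
            "headers_encrypted": bool(flags & MHD_PASSWORD)}


def weak_signature_match(data: bytes, expected_size: int, tolerance: int) -> bool:
    """The signature shape the advisory rejected: encrypted header + size band.

    Nothing else is visible, so every header-encrypted archive whose size
    falls inside the band matches, malicious or not.
    """
    hdr = parse_rar3_header(data)
    if hdr is None or not hdr["headers_encrypted"]:
        return False
    return abs(len(data) - expected_size) <= tolerance


def build_sample_rar3(headers_encrypted: bool, total_size: int) -> bytes:
    """Construct a synthetic archive of the given size (constructed, not real)."""
    flags = MHD_PASSWORD if headers_encrypted else 0
    # Main header: the 7 base bytes plus 6 reserved bytes (HighPosAV, PosAV),
    # giving HEAD_SIZE 13.
    main_header = struct.pack("<HBHH", 0, MAIN_HEAD_TYPE, flags, 13) + b"\x00" * 6
    prefix = RAR3_SIGNATURE + main_header
    if total_size < len(prefix):
        raise ValueError("total_size too small for a RAR 3.x header")
    # Deterministic filler stands in for the salt, the encrypted headers and
    # the data; the parser above never looks past the 14 clear bytes.
    n = total_size - len(prefix)
    filler = (bytes(range(256)) * (n // 256 + 1))[:n]
    return prefix + filler


if __name__ == "__main__":
    suspect = build_sample_rar3(True, 30000)
    similar_clean = build_sample_rar3(True, 31500)
    print("suspect matches:", weak_signature_match(suspect, 30000, 2000))
    print("clean, similar size matches:", weak_signature_match(similar_clean, 30000, 2000))
```

Running it shows both archives matching: the only bits the signature can key on are the marker, the block type and one flag, which every legitimately password-protected RAR of about the same size also carries. That is the false-positive risk the post weighs against the gateway filters above, which at least see the Subject line and the attachment name.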
