I wish I could have some humorous comment or a joke to mark the day. Unfortunately I have something more serious to write about.
Symantec Security Response has detected a new worm in the wild: W32.Fubalca.It infects executables and HTML-type files, inserting links tomalicious Animated Cursor files, and exploits the currently unpatchedMicrosoft Windows Cursor And Icon ANI Format Handling Remote BufferOverflow Vulnerability (BID 23194) to download further copies of the worm.
The worm infects executables on all drives (including removabledrives), except for the drive that Windows is installed upon (e.g.C:\). As well as exploiting the vulnerability, the worm appears tospread through removable drives and already-mapped network shares.
Since I posted my blog last Friday, the Trojan.Peacomm threat has (not surprisingly) evolved. The attachments have new filenames, some dropped files have changed, and the subject lines of the spam email are also changing. Please have a look at the full details in our updated write-up here.
The bot machines are now communicating over UDP port 7871, instead of port 4000. Symantec’s Threat Management System confirms this change:
Figure 1. IPs originating activity - UDP port 7871
Symantec Security Response has seen some moderate spamming of a new Trojan horse. The threat arrived in an email with an empty body and a variety of subjects such as:
A killer at 11, he's free at 21 and kill again! U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel British Muslims Genocide Naked teens attack home director. 230 dead as storm batters Europe. Re: Your text
The attachments may have any of the following filenames: FullVideo.exe Full Story.exe Video.exe Read More.exe FullClip.exe
The attachment is not a video clip, but a Trojan horse program, which Symantec heuristic technology...
