Symantec Blogs: Security Response

Brian Ewell | April 8th, 2009

We have come across a system infected with W32.Downadup.C that has provided some interesting information. We discovered some similarly named files, 484528750.exe and 484471375.exe, which had shown up in the \Windows\temp folder within one minute of each other. These files turned out to be W32.Waledac and a modified W32.Downadup variant, respectively.

The W32.Downadup variant has some minor differences in functionality, but the presence of the W32.Waledac sample begs the question, "Is Downadup spreading Waledac?" The information we currently have may only be circumstantial, but is certainly worth investigating. We’ll continue to monitor this in an effort to gather more data and determine if this type of dual infection is indeed a trend.

...
Brian Ewell | February 6th, 2008

A recent report indicates there is a newer, more sinister botnet that is setting itself up to surpass the Storm worm. The botnet, called MayDay, is thought to be more elusive and have a greater capacity for causing damage than its Storm worm counterpart. Symantec Security Response has come across a sample and has released a new detection named Trojan.Daymay to identify this malware. Computers protected by Symantec antivirus products were previously protected, as the sample was detected as W32.Mytob.AA@mm.

Symantec has seen limited activity with respect to distribution of the sample, which is believed to have originally been spammed out by the author(s). At the time of writing, the Trojan is serving up credit score related spam. It is yet to be seen how successful the Trojan...

Brian Ewell | April 24th, 2007

Symantec Security Response has seen an increasing number of submissions of Trojan.Peacomm and related malware arriving in emails containing password-protected RAR archives.

As with the previous Peacomm spam run, the email contains an image (a GIF file) and an attachment. The image contains a message about a patch that can be used to "remove worm files" and the password for the file attached. However, in this case, the attachment is a RAR archive.

The files inside the RAR archive are detected as Trojan.Packed.13. This detection for Trojan.Packed.13 was available in definitions dated March 22, 2007. The Trojan.Packed.13 sample drops another malicious file, which is also already detected by March 22 definitions, this time as W32.Mixor.Q@mm.

These are some of the email Subject lines being used by this wave of spam:
Trojan Alert!
Virus Alert!
Virus Detected!
Virus Alert!
Warning!
Spyware Alert!
Worm Detected!

Some sample Attachment...