Symantec Blogs: Security Response

Brian Ewell | April 8th, 2009

We have come across a system infected with W32.Downadup.C that has provided some interesting information. We discovered some similarly named files, 484528750.exe and 484471375.exe, which had shown up in the \Windows\temp folder within one minute of each other. These files turned out to be W32.Waledac and a modified W32.Downadup variant, respectively.

The W32.Downadup variant has some minor differences in functionality, but the presence of the W32.Waledac sample begs the question, "Is Downadup spreading Waledac?" The information we currently have may only be circumstantial, but is certainly worth investigating. We’ll continue to monitor this in an effort to gather more data and determine if this type of dual infection is indeed a trend.

...
Brian Ewell | February 6th, 2008

A recent report indicates there is a newer, more sinister botnet that is setting itself up to surpass the Storm worm. The botnet, called MayDay, is thought to be more elusive and to have a greater capacity for causing damage than its Storm worm counterpart. Symantec Security Response has come across a sample and has released a new detection named Trojan.Daymay to identify this malware. Computers protected by Symantec antivirus products were previously protected, as the sample was detected as W32.Mytob.AA@mm.

Symantec has seen limited activity with respect to distribution of the sample, which is believed to have originally been spammed out by the author(s). At the time of writing, the Trojan is serving up credit score related spam. It is yet to be seen how successful the Trojan...

Brian Ewell | November 29th, 2007

On November 29 the FBI announced the results of its second Bot Roast (see the FBI release). This is the FBI operation responsible for hunting out and attempting to bring to justice cyber criminals involved in cultivating botnets. These botnets, which can call home to millions of computers, are responsible for millions of dollars in financial losses at both a corporate and consumer level. The FBI operation has resulted in the successful capture, indictment, and/or sentencing of multiple criminals. In the long run it may be only a small slice of the world of botnets, but make no mistake, any gains in fighting this epidemic are well received. The FBI and those involved should be commended.

Of course, what's a blog entry without the standard "practice safe computing" comment: Ensure your system is patched and protected as best as possible through the use of a security package. Anything we...

Brian Ewell | August 2nd, 2007

Symantec has observed active exploitation of a potential 0-day vulnerability in Xunlei Web Thunder. This vulnerability has been assigned BID 25192. This vulnerability is closely related to a previously discovered Xunlei vulnerability identified as BID 24552. Exploitation of this new vulnerability may result in arbitrary download of malicious files onto the compromised computer.

Symantec has observed an instance in which a copy of W32.Bratsters was downloaded. In addition to this malware detection, the IPS signature HTTP XunLei WebThunder ActiveX Download also detects the attempted exploitation.

Symantec recommends...

Brian Ewell | April 24th, 2007

Symantec Security Response has seen an increasing number of submissions of Trojan.Peacomm and related malware arriving in emails containing password-protected RAR archives.

As with the previous Peacomm spam run, the email contains an image (a GIF file) and an attachment. The image contains a message about a patch that can be used to "remove worm files" and the password for the file attached. However, in this case, the attachment is a RAR archive.

The files inside the RAR archive are detected as Trojan.Packed.13. This detection for Trojan.Packed.13 was available in definitions dated March 22, 2007. The Trojan.Packed.13 sample drops another malicious file, which is also already detected by March 22 definitions, this time as W32.Mixor.Q@mm.

These are some of the email Subject lines being used by this wave of spam:
Trojan Alert!
Virus Alert!
Virus Detected!
Virus Alert!
Warning!
Spyware Alert!
Worm Detected!

Some sample Attachment...