*** As of January 22 Symantec Security Response has increased the threat level of "Storm Trojan" from level 1 (low) to level 3 (moderate) ***
In order to help users better understand the relatively recent trojan horse named Trojan.Peacomm, Symantec Security Response is providing a summary of the issues as well as additional information that may be useful in helping users diminish the threat.
The first signs of "Storm Trojan" were seen January 17, 2007. Symantec Security Response has seen a large increase in the number of infections of this Trojan as well as new versions that have additional capabilities. The Trojan horse arrives as an attachment to an email claiming to contain a video of one of several different recent news stories. The email itself will have no message body, but will have one of the following subject lines:
- A killer at 11, he's free at 21 and kill again!
- U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
- British Muslims Genocide
- Naked teens attack home director.
- 230 dead as storm batters Europe.
- Re: Your text
- Radical Muslim drinking enemies's blood.
- Chinese missile shot down Russian satellite
- Chinese missile shot down Russian aircraft
- Chinese missile shot down USA aircraft
- Chinese missile shot down USA satellite
- Russian missile shot down USA aircraft
- Russian missile shot down USA satellite
- Russian missile shot down Chinese aircraft
- Russian missile shot down Chinese satellite
- Saddam Hussein safe and sound!
- Saddam Hussein alive!
- Venezuelan leader: "Let's the War beginning".
- Fidel Castro dead.
Symantec also strongly urges users to be cautious of any unsolicited email that contains attachments that claim to be legitimate or interesting. The technique of using interesting subject lines or attachment names in emails in order to distribute malicious code is known as "social engineering". This technique has been used by threat writers for many years and, unfortunately, is often successful against unprotected users. The usage of recent news events as part of the email is especially common among these techniques.
The file attachment will be one of the following:
- FullVideo.exe
- Full Story.exe
- Video.exe
- Read More.exe
- FullClip.exe
- GreetingPostcard.exe
- MoreHere.exe
- FlashPostcard.exe
- GreetingCard.exe
- ClickHere.exe
- ReadMore.exe
- FlashPostcard.exe
- FullNews.exe
Given the changing nature of this threat it is likely that additional subject lines or attachment names may appear. Users are encouraged to not open emails such as these.
The attachment is actually a trojan horse that will install itself on the computer as a system driver and then will download other malicious programs from various computers on the Internet. The attachment and the trojan horse it contains will be detected.
Once installed and running, this Trojan attempts to establish communication with other infected systems on the Internet. This network is used as the distribution source from which the other malicious programs are downloaded.
New versions of this threat have been discovered that use "rootkit techniques" that attempt to hide the presence of this threat. Symantec Security Response will be releasing updated virus detection signatures later in the day on January 22 (Pacific time zone) that will detect and remove the rootkit capable variants of this threat. All previous variants of this threat are already detected and removed with existing virus definition signatures.
More detailed information on this threat can be found on the Symantec Security Response Blog.
At this point in time, Symantec Security Response has increased the threat rating of Trojan.Peacomm to medium, carrying a current rating of risk level 3 (out of a possible 5). |