Trojan.Peacomm

Trojan.Peacomm is a Trojan horse that drops a driver program file to download another program. It is reportedly attached to spammed email. It may also be dropped by W32.Mixor.Q@mm.

Trojan.Peacomm may be dropped by W32.Mixor.Q@mm. It may also arrive as an attachment to a spammed email.

Currently, the characteristics of the email subject and attachment may include any of the following combinations from a growing list of possibilities:

Subject:
One of the following:

• 230 dead as storm batters Europe.
• A killer at 11, he's free at 21 and kill again!
• British Muslims Genocide
• Chinese missile shot down Russian aircraft
• Chinese missile shot down Russian satellite
• Chinese missile shot down USA aircraft
• Chinese missile shot down USA satellite
• Did you open your ecard yet
• Fidel Castro dead.
• Naked teens attack home director.
• New 2008 Year Ecard
• New 2008 Year Greeting Card
• New 2008 Year Postcard
• New Year 2008 Ecard
• New Year 2008 Greeting Card
• New Year 2008 Postcard
• New Year Postcard
• New Year Postcard
• Please open your ecard.
• Radical Muslim drinking enemies's blood.
• Re: Your text
• Russian missile shot down Chinese aircraft
• Russian missile shot down Chinese satellite
• Russian missile shot down USA aircraft
• Russian missile shot down USA satellite
• Saddam Hussein alive!
• Saddam Hussein safe and sound!
• Someone is thinking of you! Open your ecard!
• Someone just sent you a greeting!
• Someone Just sent you an ecard!
• This ecard is hillarious!
• U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
• Venezuelan leader: "Let's the War beginning".
• We have a ecard greeting for you.
• We have a ecard surprise!
• We have a ecard surprise!
• You have just received an ecard.
• You have one new ecard waiting!
• Your ecard greeting is available.
• Your ecard joke is waiting
• Your ecard joke is waiting!

Attachment:
One of the following:

• ClickHere.exe
• e-card.exe
• familypostcards2008.com
• FlashPostcard.exe
• FlashPostcard.exe
• Full Story.exe
• FullClip.exe
• FullNews.exe
• FullVideo.exe
• GreetingCard.exe
• GreetingPostcard.exe
• happycards2008.com
• merrychristmasdude.com
• MoreHere.exe
• newyearcards2008.com
• newyearwithlove.com
• postcard.exe
• Read More.exe
• ReadMore.exe
• uhavepostcard.com
• Video.exe

Note: Due to a substantial increase in activity, Symantec Security Response raised this threat to category 3 on January 22, 2007.

The Peacomm family of Trojans is also commonly known as the "Storm" Trojan.

Further reading:
To find out more about this threat, please read the following Symantec Security Response blog entries:

• Trojan.Peacomm: Building a Peer-to-Peer Botnet
• TP13 forever
• New Storm Front Moving In
• The new Peacomm infection techniques

Protection

• Initial Rapid Release version January 19, 2007
• Latest Rapid Release version July 4, 2009 revision 021
• Initial Daily Certified version January 19, 2007
• Latest Daily Certified version July 4, 2009 revision 020
• Initial Weekly Certified release date January 22, 2007

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Threat Assessment

Wild

• Wild Level: High
• Number of Infections: 1000+
• Number of Sites: 10+
• Geographical Distribution: Medium
• Threat Containment: Easy
• Removal: Moderate

Damage

• Damage Level: High
• Payload: Downloads additional security threats.
• Degrades Performance: Sent UDP packets may degrade performance.

Distribution

• Distribution Level: Low
• Ports: UDP ports 4000, 7871 and 11271