Massive new surge of Storm Trojan email spam

**Kalim** · 04-14-2007, 12:03 PM

Symantec Security Response is currently monitoring a massive surge of email spam containing the threat Trojan.Peacomm (also known as the Storm Trojan). This spam surge is one of the largest identified surges in the last several months. This threat was originally discovered in January 2007 but has been repackaged in this particular spam surge. The specific characteristics of this attack have continued to evolve over time and this is simply the latest example of the attackers attempting to compromise large numbers of unprotected systems.
This trojan horse arrives as an attachment to an email purporting to contain a security patch. The email appears to warn the user about a malicious threat and implies that the file attachment is a security patch that will protect the user from this threat. However, the attachment itself is a malicious threat. The email may have one of the following subject lines:

Worm Detected!
[UNABLE TO SCAN] Worm Detected!
[WARNING - ENCRYPTED ATTACHMENT NOT VIRUS SCANNED] Virus Alert!
[WARNING - ENCRYPTED ATTACHMENT NOT VIRUS SCANNED] Worm Detected!
Worm Detected!
Undeliverable: Virus Det
[ATTENTION - NON TRAIT? PAR ANTIVIRUS -- WARNING - NOT VIRUS SCANNED]%s
Virus Detected!ected!
Virus Activity Detected!
ATTN!
Spyware Alert!
Spyware Detected!
Warning!
Trojan Alert!
Trojan Detected!
Worm Activity Detected!
Virus Alert!

The sender name may be one of the following:
Abuse Team
Customer Support Center
Customer Support Center Robot
Customer Support
Customer Support Robot

Given the changing nature of this threat it is likely that subject lines or attachment names may differ from the list provided above. Users are encouraged to not open emails including similar subjects.

The attachment is a password-protected ZIP file. It contains a trojan horse that will install itself on the system as a system driver and then will download other malicious programs from various computers on the Internet. The file contained within the ZIP file will be detected as Trojan.Packed.13. If the user executes this file it will create another file that will be detected as Trojan.Peacomm.

Symantec Security Response will be releasing updated virus detection signatures later in the day on April 12 (Pacific time zone) that will detect the password protected ZIP file attachment as Trojan.Peacomm!zip. All previous variants of this threat are already detected and removed with existing virus definition signatures.

Symantec also strongly urges users to be cautious of any unsolicited email that contains attachments that claim to be legitimate or interesting. The technique of using interesting subject lines or attachment names in emails in order to distribute malicious code is known as "social engineering". This technique has been used by threat writers for many years and, unfortunately, is often successful against unprotected users.

Source

Just thought you all should know.

**Glaswegian** · 04-15-2007, 12:53 PM

I saw a mention of this the other day, but can't remember where. Thanks for the details Kalim.

04-14-2007, 12:03 PM	#1 (permalink)
Kalim Roaming To Help Join Date: Nov 2006 Posts: 5,642 OS: Many	Massive new surge of Storm Trojan email spam Symantec Security Response is currently monitoring a massive surge of email spam containing the threat Trojan.Peacomm (also known as the Storm Trojan). This spam surge is one of the largest identified surges in the last several months. This threat was originally discovered in January 2007 but has been repackaged in this particular spam surge. The specific characteristics of this attack have continued to evolve over time and this is simply the latest example of the attackers attempting to compromise large numbers of unprotected systems. This trojan horse arrives as an attachment to an email purporting to contain a security patch. The email appears to warn the user about a malicious threat and implies that the file attachment is a security patch that will protect the user from this threat. However, the attachment itself is a malicious threat. The email may have one of the following subject lines: Worm Detected! [UNABLE TO SCAN] Worm Detected! [WARNING - ENCRYPTED ATTACHMENT NOT VIRUS SCANNED] Virus Alert! [WARNING - ENCRYPTED ATTACHMENT NOT VIRUS SCANNED] Worm Detected! Worm Detected! Undeliverable: Virus Det [ATTENTION - NON TRAIT? PAR ANTIVIRUS -- WARNING - NOT VIRUS SCANNED]%s Virus Detected!ected! Virus Activity Detected! ATTN! Spyware Alert! Spyware Detected! Warning! Trojan Alert! Trojan Detected! Worm Activity Detected! Virus Alert! The sender name may be one of the following: Abuse Team Customer Support Center Customer Support Center Robot Customer Support Customer Support Robot Given the changing nature of this threat it is likely that subject lines or attachment names may differ from the list provided above. Users are encouraged to not open emails including similar subjects. The attachment is a password-protected ZIP file. It contains a trojan horse that will install itself on the system as a system driver and then will download other malicious programs from various computers on the Internet. The file contained within the ZIP file will be detected as Trojan.Packed.13. If the user executes this file it will create another file that will be detected as Trojan.Peacomm. Symantec Security Response will be releasing updated virus detection signatures later in the day on April 12 (Pacific time zone) that will detect the password protected ZIP file attachment as Trojan.Peacomm!zip. All previous variants of this threat are already detected and removed with existing virus definition signatures. Symantec also strongly urges users to be cautious of any unsolicited email that contains attachments that claim to be legitimate or interesting. The technique of using interesting subject lines or attachment names in emails in order to distribute malicious code is known as "social engineering". This technique has been used by threat writers for many years and, unfortunately, is often successful against unprotected users. Source Just thought you all should know.

04-15-2007, 12:53 PM	#2 (permalink)
Glaswegian Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic Join Date: Sep 2005 Location: Glasgow Posts: 25,427 OS: Win XP Pro SP3 / Win 7 Pro My System Blog Entries: 10	Re: Massive new surge of Storm Trojan email spam I saw a mention of this the other day, but can't remember where. Thanks for the details Kalim. __________________ Iain - Defender of the Haggis and all things Scottish. I don't help by PM - post in the Forums. PC Safety & Security::PC running a bit slow?::Donate::Photographers Corner