Storm Trojan aka Trojan.Peacomm

Posted by Nortons.com Security Team

Trojan Horse Warning - This warning is in effect until further notice.


A wave of fake email invitations sent in hopes of luring people to unzip a file to find out who invited them has been hitting unsuspecting victims.

The message carries a mass-mailing worm. It looks around on infected computers and sends emails to addresses it finds. The message appears as if it came from a Twitter account, but unlike a legitimate Twitter message, there is no invitation URL in the body of the email. Instead, the user sees an attachment that appears as a .zip file containing an invitation card. When the zip file is opened, the virus spreads.

The header on the email invitation reads:
From: invitations@twitter.com
Subject: Your friend invited you to twitter!

The infected machines transmit a signal to a Web site, providing the opportunity for the "bad guys" to download misleading applications known as rogueware, or scareware.

"It alerts the computer owner that it has found malware on the machine, but if you pay me $49.95 to download the software I'll get rid of it for you," says Kevin Haley, director, Symantec Security Response, Cupertino, Calif. "A lot of bad guys are making millions of dollars. Some of these guys are doing that in a year, possibly more than that."

There has been a rash of attacks using Twitter as the bait, as the site continues to grow in popularity. Earlier this month, users were invited to click on something that resembled a link to a YouTube video. The program embedded in the link opened a second site that prompted a malware-infected PDF to download and later installed a rogue security application.

In May 2009, Symantec observed overall spam levels climb to nearly 90% of all email, consistent with levels seen in the year-ago month. Symantec expects that spammers will continue to use Twitter and other popular social networks as bait in their attacks.

Symantec Security is monitoring a massive surge of email spam containing the threat. This spam surge is one of the largest surges in the last several months.

This trojan horse email appears to warn the user about a malicious threat and implies that the file attachment is a security patch that will protect the user from this threat. However, the attachment itself is a malicious threat.

The magnitude of this surge means it will probably go on for months. You can read more about it and other Internet security topics in easy to understand language, and participate in our forums, at AntiVirus Advice .com

December 2008
YouTube trojan spam email:
Earlier this month, users were invited to click on something that resembled a link to a YouTube video.

The program embedded in the link opened a second site that prompted a malware-infected PDF to download and later installed a rogue security application.


An aggressive and damaging virus is currently spreading across the Internet in the form of infected YouTube videos. These videos cause the user’s web browser to download dangerous malware (malicious software) called “Antivirus 2009.”

What You Should Do:

1. Avoid using sites with embedded YouTube videos. Avoid any videos that are not checked by an up to date antivirus system on your computer such as Norton Internet Security.

2. Close any pop-ups referencing “Antivirus 2009” or any other pop-up indicating you need to "click on it". Norton does not do such pop-ups, so you can disregard all of them. If you click on fraudulent pop-ups you can damage and wipe out your entire system.

3. Be on the lookout for pop-ups from your browser or other indications that malware is trying to download to your PC.

4. As always, please use judgment and exercise caution when using the Internet. This is not advertising, it is simply a warning. You must have good Internet Security and Antivirus software installed to be safe on the Internet.

THAT IS THE CURRENT TROJAN THREAT.

****************************************

More about Storm Trojan Viruses....

This threat started in 2007 but has repeatedly circulated and morphed since then. It is still active in 2008. These types of attacks, with email messages and pop-ups, are useful ways to spread threats since the user usually installs the product willingly by clicking on the bait.

The specific characteristics of the attack have continued to evolve over time as the attackers keep attempting to compromise large numbers of unprotected systems.

These types of threats arrive as an attachment to an email purporting to contain a security patch or some other similar important message. The email appears to warn the user about a malicious threat and implies that the file attachment will protect the user from this threat. However, the attachment itself is a malicious threat.

You can learn more about Internet threats such as viruses, bots, and identity theft in easy to understand language at Anti Virus Advice .com. To read more about Storm Trojan, read on down this page.


Visit Nortons.com for all Norton Security Products.

Norton products are completely up to date on all Internet threats, and the software is fast and unintrusive, allowing you to work on your computer without worry.

Norton can remove these threats and has a 15 day free trial.
Go to My Norton Store and get Norton Antivirus or Norton Internet Security


Other brands beside Norton are at
Storm Trojan Repair

Other names for Storm Trojan:

The infected email may have one of the following subject lines:

  • Worm Detected!
  • [UNABLE TO SCAN] Worm Detected!
  • [WARNING - ENCRYPTED ATTACHMENT NOT VIRUS SCANNED] Virus Alert!
  • [WARNING - ENCRYPTED ATTACHMENT NOT VIRUS SCANNED] Worm
  • [ATTENTION - NON TRAITÉ PAR ANTIVIRUS — WARNING - NOT VIRUS SCANNED]%s
  • Virus Detected!
  • Virus Activity Detected!
  • ATTN!
  • Spyware Alert!
  • Spyware Detected!
  • Warning!
  • Trojan Alert!
  • Trojan Detected!
  • Worm Activity Detected!
  • Virus Alert!

The sender name may be one of the following:

  • Abuse Team
  • Customer Support Center
  • Customer Support Center Robot
  • Customer Support
  • Customer Support Robot


There are many more versions of email subjects and senders since the first appearance of this threat.

Given the changing nature of Trojan.Peacomm it is likely that subject lines or attachment names may differ from the list provided above. Users are encouraged to not open emails such as these.

We strongly urge users to be cautious of any unsolicited email that contains attachments that claim to be legitimate or interesting. The technique of using interesting subject lines or attachment names in emails in order to distribute malicious code is known as “social engineering”. This technique has been used by threat writers for many years and, unfortunately, is often successful against unprotected users.

The attachment is a password-protected ZIP file. It contains a trojan horse that will install itself on the system as a system driver and then will download other malicious programs from various computers on the Internet.

The file contained within the Trojan.Peacomm ZIP file will be detected as Trojan.Packed.13. If the user executes this file it will create another file that will be detected as Trojan.Peacomm.

When a machine is infected, it hands over control to a botnet, a group of computers that the virus spreaders use to attack other computers. Most botnets are controlled through a central server, which is taken down in a matter of days, but the Storm Trojan uses a P2P network, where each controlled machine talks to a few dozen others.

Storm Worm also installs a rootkit that attempts to hide the worm, but luckily it is slightly flawed, and antivirus software will detect it without much trouble.

Protect Yourself

All previous variants of Trojan.Peacomm AKA Storm Trojan are already detected and removed with existing virus definition signatures. You need to be sure your antivirus program has the latest virus definitions. If your computer updates automatically you are probably up to date but to be sure you can force a manual update. See the help files in your antivirus to find out how to do a manual update.

To reduce the possibility of being affected by Trojan.Peacomm, Symantec Security Response advises users to do the following:

  1. Keep antivirus and IPS detection signatures updated.
  2. Never click on attachments or web links from unsolicited emails.
  3. Regularly apply security patches and updates to all major software installed on the computer.
  4. Use a security solution that contains antivirus and client firewall technologies to protect against today’s known and tomorrow’s unknown threats.
  5. Organizations should install and maintain a perimeter firewall to protect the entire internal network. Be sure to use permit by exception rules on the firewall.
  6. Organizations should check all external systems for security compliance before permitting any connectivity to an internal network.

Update your antivirus or Internet Security program:

If you own Norton AntiVirus, Norton Internet Security, Symantec Client Security or Symantec AntiVirus, Live Update will automatically install the latest virus definitions and intrusion prevention security updates. Update Norton Virus Definitions or purchase Nortons.

Other Antivirus programs have similar automatic update features. Visit the AntiVirus Depot to go to all other antivirus software home pages and get further help.

Symantec Norton Products

Update Norton Virus Definitions
or purchase Nortons

Symantec

Other Antivirus Products

Find links to their web sites at the
AntiVirus Depot

AntiVirusDepot.com

Below is the first notice from January 2007 when Storm Trojan first appeared. The risk still exists and has evolved as we described above.

The first signs of "Storm Trojan" were seen January 17, 2007. Symantec Security Response has seen a large increase in the number of infections of this Trojan as well as new versions that have additional capabilities. The Trojan horse arrives as an attachment to an email claiming to contain a video of one of several different recent news stories. The email itself will have no message body, but will have one of the following subject lines:

  • A killer at 11, he's free at 21 and kill again!
  • U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
  • British Muslims Genocide
  • Naked teens attack home director.
  • 230 dead as storm batters Europe.
  • Re: Your text
  • Radical Muslim drinking enemies's blood.
  • Chinese missile shot down Russian satellite
  • Chinese missile shot down Russian aircraft
  • Chinese missile shot down USA aircraft
  • Chinese missile shot down USA satellite
  • Russian missile shot down USA aircraft
  • Russian missile shot down USA satellite
  • Russian missile shot down Chinese aircraft
  • Russian missile shot down Chinese satellite
  • Saddam Hussein safe and sound!
  • Saddam Hussein alive!
  • Venezuelan leader: "Let's the War beginning".
  • Fidel Castro dead.

Symantec also strongly urges users to be cautious of any unsolicited email that contains attachments that claim to be legitimate or interesting. The technique of using interesting subject lines or attachment names in emails in order to distribute malicious code is known as "social engineering". This technique has been used by threat writers for many years and, unfortunately, is often successful against unprotected users. The usage of recent news events as part of the email is especially common among these techniques.

The file attachment will be one of the following:

  • FullVideo.exe
  • Full Story.exe
  • Video.exe
  • Read More.exe
  • FullClip.exe
  • GreetingPostcard.exe
  • MoreHere.exe
  • FlashPostcard.exe
  • GreetingCard.exe
  • ClickHere.exe
  • ReadMore.exe
  • FullNews.exe

Given the changing nature of this threat it is likely that additional subject lines or attachment names may appear. Users are encouraged to not open emails such as these.
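The lure characteristics this page lists (the fake scanner and support-desk subject lines and sender names above, the Twitter "invitation" that carries a zip file instead of an invite link, and the .exe attachment names in this January 2007 notice) can be turned into a simple check that a mail gateway or an analyst can run over incoming messages. The following Python script is an added example written for this page; it is not Symantec's or Norton's code. The three sample messages are constructed, the `example.invalid` addresses and file names are placeholders, and the base64 attachment body is dummy data rather than a real archive.

```python
import email
import email.utils
import re
from email import policy

# Indicators quoted in the advisory above, lower-cased so comparisons are
# case-insensitive. Extend these sets as new variants are observed.
STORM_SUBJECTS = {
    "worm detected!", "[unable to scan] worm detected!", "virus detected!",
    "virus activity detected!", "attn!", "spyware alert!", "spyware detected!",
    "warning!", "trojan alert!", "trojan detected!", "worm activity detected!",
    "virus alert!", "your friend invited you to twitter!",
    "230 dead as storm batters europe.", "fidel castro dead.",
}
# The "[WARNING - ... NOT VIRUS SCANNED]" subjects are templated (note the "%s"
# in the page's list), so that family is matched by its bracketed prefix.
SCANNER_TAG_RE = re.compile(r"^\[(warning|attention|unable to scan)\b[^\]]*\]", re.I)
STORM_SENDER_NAMES = {
    "abuse team", "customer support center", "customer support center robot",
    "customer support", "customer support robot",
}
STORM_ATTACHMENTS = {
    "fullvideo.exe", "full story.exe", "video.exe", "read more.exe", "fullclip.exe",
    "greetingpostcard.exe", "morehere.exe", "flashpostcard.exe", "greetingcard.exe",
    "clickhere.exe", "readmore.exe", "fullnews.exe",
}


def storm_indicators(raw_message: str) -> list:
    """Return the indicator codes found in one RFC 822 message (empty list = nothing seen)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []

    subject = " ".join(str(msg["Subject"] or "").split()).lower()
    if subject in STORM_SUBJECTS:
        hits.append("known-subject")
    elif SCANNER_TAG_RE.match(subject):
        hits.append("scanner-tag-subject")

    from_name, from_addr = email.utils.parseaddr(str(msg["From"] or ""))
    if from_name.strip().lower() in STORM_SENDER_NAMES:
        hits.append("fake-support-sender")

    attachments = [(part.get_filename() or "").lower() for part in msg.iter_attachments()]
    for name in attachments:
        if name in STORM_ATTACHMENTS:
            hits.append("known-attachment")
        elif name.endswith(".exe"):
            hits.append("exe-attachment")
        elif name.endswith(".zip"):
            hits.append("zip-attachment")

    # Twitter lure: claims to be an invitation, but the "invite" is a zip file and
    # the body carries no URL at all, unlike a genuine invitation.
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body_text = body_part.get_content() if body_part is not None else ""
    if (from_addr.lower().endswith("@twitter.com")
            and any(n.endswith(".zip") for n in attachments)
            and not re.search(r"https?://", body_text)):
        hits.append("twitter-invite-without-url")
    return hits


# Constructed sample messages (placeholder addresses; the zip payload is dummy base64).
SUPPORT_LURE = """\
From: Customer Support Center <support@example.invalid>
Subject: [WARNING - ENCRYPTED ATTACHMENT NOT VIRUS SCANNED] Worm
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

A worm was detected on your computer. Open the attached patch to remove it.
--b1
Content-Type: application/zip; name="patch.zip"
Content-Disposition: attachment; filename="patch.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

TWITTER_LURE = SUPPORT_LURE.replace(
    "From: Customer Support Center <support@example.invalid>", "From: invitations@twitter.com"
).replace(
    "Subject: [WARNING - ENCRYPTED ATTACHMENT NOT VIRUS SCANNED] Worm",
    "Subject: Your friend invited you to twitter!",
).replace("patch.zip", "Invitation Card.zip")

CLEAN_MAIL = """\
From: Alice <alice@example.invalid>
Subject: Lunch on Friday?
MIME-Version: 1.0
Content-Type: text/plain

See you at noon, the menu is at https://example.invalid/menu
"""

if __name__ == "__main__":
    for label, sample in (("support lure", SUPPORT_LURE), ("twitter lure", TWITTER_LURE), ("clean", CLEAN_MAIL)):
        print(f"{label}: {storm_indicators(sample)}")
```

The check is deliberately conservative: an exact subject or attachment-name match, a fake support-desk display name, or a bare executable attachment is reported separately, so a gateway can quarantine on the strong indicators and only log the weaker ones (a zip attachment on its own is not proof of anything). Because the page notes that subject lines and attachment names change between variants, the sets at the top are the part that needs maintaining, not the logic.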

The attachment is actually a trojan horse that will install itself on the computer as a system driver and then will download other malicious programs from various computers on the Internet. The attachment and the trojan horse it contains will be detected.

Once installed and running, this Trojan attempts to establish communication with other infected systems on the Internet. This network is used as the distribution source from which the other malicious programs are downloaded.

New versions of this threat have been discovered that use "rootkit techniques" that attempt to hide the presence of this threat. Symantec Security Response will be releasing updated virus detection signatures later in the day on January 22 (Pacific time zone) that will detect and remove the rootkit capable variants of this threat. All previous variants of this threat are already detected and removed with existing virus definition signatures.



Privacy - Terms of Use
Web Site © Copyright 2007 StormTrojan.com. All rights reserved.