Trojan.Peacomm aka Storm Trojan Posted by Nortons.com Security Team This threat started in 2007 but has circulated and morphed since then. These type of attackes, with email messages and pop-ups, are useful ways to spread threats since the user usually installs the product willingly by clicking on the bait. The specific characteristics of the attack have continued to evolve over time and as the attackers continue attempting to compromise large numbers of unprotected systems. These types of threats arrive as an attachment to an email purporting to contain a security patch or some other similar important message. The email appears to warn the user about a malicious threat and implies that the file attachment will protect the user from this threat. However, the attachment itself is a malicious threat.

Given the changing nature of Trojan.Peacomm it is likely that subject lines or attachment names may differ from the list provided above. Users are encouraged to not open emails such as these.

We strongly urge users to be cautious of any unsolicited email that contains attachments that claim to be legitimate or interesting. The technique of using interesting subject lines or attachment names in emails in order to distribute malicious code is known as “social engineering”. This technique has been used by threat writers for many years and, unfortunately, is often successful against unprotected users.

The attachment is a password-protected ZIP file. It contains a trojan horse that will install itself on the system as a system driver and then will download other malicious programs from various computers on the Internet.

The file contained within the Trojan.Peacomm ZIP file will be detected as Trojan.Packed.13. If the user executes this file it will create another file that will be detected as Trojan.Peacomm.

When a machine is infected, it hands over control to a botnet, a group of computers that the virus spreaders use to attack other computers. Most botnets are controlled through a central server, which is taken down in a matter of days, but Storm Trojan virus uses a p2p network, where each controlled machine talks to a few dozen others.

Storm Worm also installs a rootkit that attempts to hide the worm, but luckily it is slightly flawed and antivirus software will detect it without much trouble.

Protect Yourself

All previous variants of Trojan.Peacomm AKA Storm Trojan are already detected and removed with existing virus definition signatures. You need to be sure your antivirus program has the latest virus definitions. If your computer updates automaticlly you are probably up to date but to be sure you can force a manual update. See the help files in your antivirus to find out how to do a manual update.

To reduce the possibility of being affected by Trojan.Peacomm, Symantec Security Response advises users to do the following:

1. Keep antivirus and IPS detection signatures updated.
2. Never click on attachments or web links from unsolicited emails.
3. Regularly apply security patches and updates to all major software installed on the computer.
4. Use a security solution that contains antivirus and client firewall technologies to protect against today’s known and tomorrow’s unknown threats.
5. Organizations should install and maintain a perimeter firewall to protect the entire internal network. Be sure to use permit by exception rules on the firewall.
6. Organizations should check all external systems for security compliancy before permitting any connectivity to an internal network.

Update your antivirus or Internet Security program:

If you own Norton AntiVirus, Norton Internet Security, Symantec Client Security or Symantec AntiVirus, Live Update will automatically install the latest virus definitions and intrusion prevention security updates. Update Norton Virus Definitions or purchase Nortons.

Other Antivirus programs have similar automatic update features. Visit the AntiVirus Depot to go to all other antivirus software home pages and get further help.

Below is the first notice from January 2007 when Storm Trojan first appeared. The the risk still exsists and has evolved as we described above.

The first signs of "Storm Trojan" were seen January 17, 2007. Symantec Security Response has seen a large increase in the number of infections of this Trojan as well as new versions that have additional capabilities. The Trojan horse arrives as an attachment to an email claiming to contain a video of one of several different recent news stories. The email itself will have no message body, but will have one of the following subject lines:

• A killer at 11, he's free at 21 and kill again!
• U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
• British Muslims Genocide
• Naked teens attack home director.
• 230 dead as storm batters Europe.
• Re: Your text
• Radical Muslim drinking enemies's blood.
• Chinese missile shot down Russian satellite
• Chinese missile shot down Russian aircraft
• Chinese missile shot down USA aircraft
• Chinese missile shot down USA satellite
• Russian missile shot down USA aircraft
• Russian missile shot down USA satellite
• Russian missile shot down Chinese aircraft
• Russian missile shot down Chinese satellite
• Saddam Hussein safe and sound!
• Saddam Hussein alive!
• Venezuelan leader: "Let's the War beginning".
• Fidel Castro dead.

Symantec also strongly urges users to be cautious of any unsolicited email that contains attachments that claim to be legitimate or interesting. The technique of using interesting subject lines or attachment names in emails in order to distribute malicious code is known as "social engineering". This technique has been used by threat writers for many years and, unfortunately, is often successful against unprotected users. The usage of recent news events as part of the email is especially common among these techniques.

The file attachment will be one of the following:

• FullVideo.exe
• Full Story.exe
• Video.exe
• Read More.exe
• FullClip.exe
• GreetingPostcard.exe
• MoreHere.exe
• FlashPostcard.exe
• GreetingCard.exe
• ClickHere.exe
• ReadMore.exe
• FlashPostcard.exe
• FullNews.exe

Given the changing nature of this threat it is likely that additional subject lines or attachment names may appear. Users are encouraged to not open emails such as these.

The attachment is actually a trojan horse that will install itself on the computer as a system driver and then will download other malicious programs from various computers on the Internet. The attachment and the trojan horse it contains will be detected.

Once installed and running, this Trojan attempts to establish communication with other infected systems on the Internet. This network is used as the distribution source from which the other malicious programs are downloaded.

New versions of this threat have been discovered that use "rootkit techniques" that attempt to hide the presence of this threat. Symantec Security Response will be releasing updated virus detection signatures later in the day on January 22 (Pacific time zone) that will detect and remove the rootkit capable variants of this threat. All previous variants of this threat are already detected and removed with existing virus definition signatures.