Trojan.Peacomm
aka Storm Trojan

Posted by Nortons.com Security Team

This threat started in 2007 but has circulated and morphed since then. These type of attackes, with email messages and pop-ups, are useful ways to spread threats since the user usually installs the product willingly by clicking on the bait.

The specific characteristics of the attack have continued to evolve over time and as the attackers continue attempting to compromise large numbers of unprotected systems.

These types of threats arrive as an attachment to an email purporting to contain a security patch or some other similar important message. The email appears to warn the user about a malicious threat and implies that the file attachment will protect the user from this threat. However, the attachment itself is a malicious threat.

Storm Trojan Repair
 

The infected email may have one of the following subject lines:

  • Worm Detected!
  • [UNABLE TO SCAN] Worm Detected!
  • [WARNING - ENCRYPTED ATTACHMENT NOT VIRUS SCANNED] Virus Alert!
  • [WARNING - ENCRYPTED ATTACHMENT NOT VIRUS SCANNED] Worm
  • [ATTENTION - NON TRAIT? PAR ANTIVIRUS — WARNING - NOT VIRUS SCANNED]%s
  • Virus Detected!ected!
  • Virus Activity Detected!
  • ATTN!
  • Spyware Alert!
  • Spyware Detected!
  • Warning!
  • Trojan Alert!
  • Trojan Detected!
  • Worm Activity Detected!
  • Virus Alert!

The sender name may be one of the following:

  • Abuse Team
  • Customer Support Center
  • Customer Support Center Robot
  • Customer Support
  • Customer Support Robot

 

There are many more versions of email subjects and senders since the first appearance of this threat.

Given the changing nature of Trojan.Peacomm it is likely that subject lines or attachment names may differ from the list provided above. Users are encouraged to not open emails such as these.

We strongly urge users to be cautious of any unsolicited email that contains attachments that claim to be legitimate or interesting. The technique of using interesting subject lines or attachment names in emails in order to distribute malicious code is known as “social engineering”. This technique has been used by threat writers for many years and, unfortunately, is often successful against unprotected users.

The attachment is a password-protected ZIP file. It contains a trojan horse that will install itself on the system as a system driver and then will download other malicious programs from various computers on the Internet.

The file contained within the Trojan.Peacomm ZIP file will be detected as Trojan.Packed.13. If the user executes this file it will create another file that will be detected as Trojan.Peacomm.

When a machine is infected, it hands over control to a botnet, a group of computers that the virus spreaders use to attack other computers. Most botnets are controlled through a central server, which is taken down in a matter of days, but Storm Trojan virus uses a p2p network, where each controlled machine talks to a few dozen others.

Storm Worm also installs a rootkit that attempts to hide the worm, but luckily it is slightly flawed and antivirus software will detect it without much trouble.

Protect Yourself

All previous variants of Trojan.Peacomm AKA Storm Trojan are already detected and removed with existing virus definition signatures. You need to be sure your antivirus program has the latest virus definitions. If your computer updates automaticlly you are probably up to date but to be sure you can force a manual update. See the help files in your antivirus to find out how to do a manual update.

To reduce the possibility of being affected by Trojan.Peacomm, Symantec Security Response advises users to do the following:

  1. Keep antivirus and IPS detection signatures updated.
  2. Never click on attachments or web links from unsolicited emails.
  3. Regularly apply security patches and updates to all major software installed on the computer.
  4. Use a security solution that contains antivirus and client firewall technologies to protect against today’s known and tomorrow’s unknown threats.
  5. Organizations should install and maintain a perimeter firewall to protect the entire internal network. Be sure to use permit by exception rules on the firewall.
  6. Organizations should check all external systems for security compliancy before permitting any connectivity to an internal network.

Update your antivirus or Internet Security program:

If you own Norton AntiVirus, Norton Internet Security, Symantec Client Security or Symantec AntiVirus, Live Update will automatically install the latest virus definitions and intrusion prevention security updates. Update Norton Virus Definitions or purchase Nortons.

Other Antivirus programs have similar automatic update features. Visit the AntiVirus Depot to go to all other antivirus software home pages and get further help.

Symantec Norton Products

Update Norton Virus Definitions
or purchase Nortons

Symantec

Other Antivirus Products

Find links to their web sites at the
AntiVirus Depot

AntiVirusDepot.com

Below is the first notice from January 2007 when Storm Trojan first appeared. The the risk still exsists and has evolved as we described above.

The first signs of "Storm Trojan" were seen January 17, 2007. Symantec Security Response has seen a large increase in the number of infections of this Trojan as well as new versions that have additional capabilities. The Trojan horse arrives as an attachment to an email claiming to contain a video of one of several different recent news stories. The email itself will have no message body, but will have one of the following subject lines:

  • A killer at 11, he's free at 21 and kill again!
  • U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
  • British Muslims Genocide
  • Naked teens attack home director.
  • 230 dead as storm batters Europe.
  • Re: Your text
  • Radical Muslim drinking enemies's blood.
  • Chinese missile shot down Russian satellite
  • Chinese missile shot down Russian aircraft
  • Chinese missile shot down USA aircraft
  • Chinese missile shot down USA satellite
  • Russian missile shot down USA aircraft
  • Russian missile shot down USA satellite
  • Russian missile shot down Chinese aircraft
  • Russian missile shot down Chinese satellite
  • Saddam Hussein safe and sound!
  • Saddam Hussein alive!
  • Venezuelan leader: "Let's the War beginning".
  • Fidel Castro dead.

Symantec also strongly urges users to be cautious of any unsolicited email that contains attachments that claim to be legitimate or interesting. The technique of using interesting subject lines or attachment names in emails in order to distribute malicious code is known as "social engineering". This technique has been used by threat writers for many years and, unfortunately, is often successful against unprotected users. The usage of recent news events as part of the email is especially common among these techniques.

The file attachment will be one of the following:

  • FullVideo.exe
  • Full Story.exe
  • Video.exe
  • Read More.exe
  • FullClip.exe
  • GreetingPostcard.exe
  • MoreHere.exe
  • FlashPostcard.exe
  • GreetingCard.exe
  • ClickHere.exe
  • ReadMore.exe
  • FlashPostcard.exe
  • FullNews.exe

Given the changing nature of this threat it is likely that additional subject lines or attachment names may appear. Users are encouraged to not open emails such as these.

The attachment is actually a trojan horse that will install itself on the computer as a system driver and then will download other malicious programs from various computers on the Internet. The attachment and the trojan horse it contains will be detected.

Once installed and running, this Trojan attempts to establish communication with other infected systems on the Internet. This network is used as the distribution source from which the other malicious programs are downloaded.

New versions of this threat have been discovered that use "rootkit techniques" that attempt to hide the presence of this threat. Symantec Security Response will be releasing updated virus detection signatures later in the day on January 22 (Pacific time zone) that will detect and remove the rootkit capable variants of this threat. All previous variants of this threat are already detected and removed with existing virus definition signatures.

Symantec Norton Products

Update Norton Virus Definitions
or purchase Nortons at
Symantec.

Symantec

Other Antivirus Products

Find links to their web sites at the
AntiVirus Depot

AntiVirusDepot.com

 

Privacy - Terms of Use
Web Site © Copyright 2007 StormTrojan.com. All rights reserved.