Amker

Spam Attack: Zipped Trojan
« on: 02. June 2007., 19:54:56 »

Security Response has seen a large spam run of what appears to be the latest in the line of Trojan.Peacomm variants. While this is nothing new, this time around the attachments are in the form of password-protected zip files. The recipient is tricked into unzipping the attachment with the included password, then running the unzipped file, to counteract activity related to an unknown worm (with which the recipient has undoubtedly been infected).

We've seen samples arrive in email messages with subjects including, but not limited to, "ATTN!", "Spyware Alert!", "Spyware Detected!", "Trojan Alert!", "Trojan Detected!", "Virus Activity Detected!", "Virus Alert!", "Virus Detected!", "Warning!", and "Worm Activity Detected!". The attachments are generally a .gif image file (this image contains the zip password) and the executable in the form of patch-[random four digits].zip.

The executable contained within the zip file is detected by Symantec antivirus software as Trojan.Packed.13, and is actually nothing new. It is simply a minor variant of Trojan.Peacomm that has been repacked in an attempt to avoid existing detection. If executed, this sample drops a file named wincom32.sys, which is also already detected, this time as Trojan.Peacomm.

In response to the mass spamming of unsolicited password-protected zip files, Symantec Security Response will be releasing a Trojan.Peacomm!zip detection. This detection is scheduled for release in definitions dated April 12, 2007. While Symantec customers are already protected from this threat with current definitions, it is recommended that users obtain the latest LiveUpdate definitions once they become available.
# Online Anti-Malware Scanners: http://scforum.info/index.php/topic,734.0.html
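
As an added example that is not part of the original post and is not Symantec's detection logic: a mail-filter check for the traits the advisory lists (the quoted subjects, a .gif attachment, a patch-[four digits].zip name, and a ZIP whose entries carry the encryption flag). The function names, the example.com addresses and the sample message are constructed for illustration.

```python
import io, re, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subjects quoted in the advisory (which says the list is not exhaustive).
SUBJECTS = {"attn!", "spyware alert!", "spyware detected!", "trojan alert!",
            "trojan detected!", "virus activity detected!", "virus alert!",
            "virus detected!", "warning!", "worm activity detected!"}
PATCH_ZIP = re.compile(r"patch-\d{4}\.zip", re.I)  # patch-[four digits].zip

def zip_is_encrypted(data):
    """True if any entry has general-purpose flag bit 0 (encryption) set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False

def indicators(raw):
    """Return the sorted list of advisory traits matched by one raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = set()
    if str(msg["Subject"] or "").strip().lower() in SUBJECTS:
        hits.add("subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".gif"):
            hits.add("gif-attachment")
        if PATCH_ZIP.fullmatch(name):
            hits.add("patch-zip-name")
        if name.endswith(".zip") and zip_is_encrypted(part.get_payload(decode=True) or b""):
            hits.add("encrypted-zip")
    return sorted(hits)

def constructed_sample(subject="Virus Alert!", zip_name="patch-4821.zip", encrypted=True):
    """Build a harmless constructed message; the ZIP holds only a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed placeholder")
    data = bytearray(buf.getvalue())
    if encrypted:  # set flag bit 0 in the central directory record only
        data[data.find(b"PK\x01\x02") + 8] |= 0x1
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = subject, "a@example.com", "b@example.com"
    msg.set_content("constructed body")
    msg.add_attachment(b"GIF89a", maintype="image", subtype="gif", filename="info.gif")
    msg.add_attachment(bytes(data), maintype="application", subtype="zip", filename=zip_name)
    return msg.as_bytes()
```

Calling `indicators(constructed_sample())` returns all four traits; a gateway would typically quarantine on the combination rather than on any single one, since an encrypted ZIP or a .gif alone is common in legitimate mail.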
