News

Friday, 13 April 2007

New Spam Attack Identified in the Form of a Zipped Trojan

 

 

A new, sophisticated spam attack has been identified that leverages Trojan.Peacomm, also known as the Storm Trojan, and is distributed as a password-protected Zip file attached to spam messages.

According to Symantec, which detected this virus, the new twist in this attack is the social engineering tactic the attacker uses to infect people with the Trojan. The subject lines of the spam messages alert recipients to a fake virus detection, such as “Trojan Detected!” or “Virus Activity Detected”, to entice them to open the Zip file.

Social engineering is a method of deceiving users into divulging private information by taking advantage of our natural tendency to trust one another, rather than relying solely on technological means to steal information. It is often associated with phishing, pharming, spam, and other Internet-based scams.

“We've seen samples arrive in email messages with subjects including, but not limited to, "ATTN!", "Spyware Alert!", "Spyware Detected!", "Trojan Alert!", "Trojan Detected!", "Virus Activity Detected!", "Virus Alert!", "Virus Detected!", "Warning!", and "Worm Activity Detected!". The attachments are generally a .gif image file (this image contains the zip password) and the executable in the form of patch-[random 4 digits].zip,” read a statement on Symantec’s website.

The executable contained within the zip file was detected by Symantec antivirus software as Trojan.Packed.13, and is actually nothing new. It is simply a minor variant of Trojan.Peacomm which has been repacked in an attempt to avoid existing detection. If executed, this sample drops a file named wincom32.sys, which is also already detected, this time as Trojan.Peacomm.

In response to the mass spamming of unsolicited password-protected zip files, Symantec Security Response released a Trojan.Peacomm!zip detection. This detection was released in definitions on April 12.

 
 
 
 
 
Copyright @ 2008 SDA Asia Magazine - All Right Reserved Privacy Policy | Terms of Use