CastleCops, Internet Crime Fighters
European Storm Video E-Mail SPAM...
AplusWebMaster

PostPosted: Fri Jan 19, 2007 12:50 pm    Post subject: European Storm Video E-Mail SPAM...

FYI...

>> http://isc.sans.org/diary.html?storyid=2071
Last Updated: 2007-01-19 06:33:21 UTC
(Also: CastleCops Link/t177522-MD5_a85d1a3e8ffcfd824f9ec05a7a1718c2_wincom32_sys.html)

> http://www.f-secure.com/weblog/archives/archive-012007.html#00001086
January 19, 2007 ~ "Small.DAM* being spammed... Here are the possible subjects headings:

230 dead as storm batters Europe.
A killer at 11, he's free at 21 and...
British Muslims Genocide
Naked teens attack home director.
U.S. Secretary of State Condoleezza...

The "Storm in Europe" title is particularly timely, as there really is a storm in Europe at the moment and dozens of people have died.

Attachments may be of the following filenames:

Full Clip.exe
Full Story.exe
Read More.exe
Video.exe ..."

* http://www.f-secure.com/v-descs/small_dam.shtml
"Small.DAM, a variant of Small, is a Trojan that arrives on the system as attachment file to spam emails. Small.DAM loads a malicious service named "wincom32" in the affected machine..."



_________________
AplusWebMaster
~ Are you up to date or vulnerable to Hackers? ...or both?
nosirrah

PostPosted: Fri Jan 19, 2007 1:50 pm    Post subject:

This may have more than one source, as I found the sample in the link above while unpatched/unprotected surfing cracks/warez/serials/keygen sites.

fatdcuk

PostPosted: Fri Jan 19, 2007 5:54 pm    Post subject:

FWIW
The 3 that I have bagged have come in with CWS infections.


_________________
Malware hunter....Got Bot ?
http://www.castlecops.com/f269-Malware_Listserv.html
AplusWebMaster

PostPosted: Sat Jan 20, 2007 1:55 am    Post subject:

More...

European Storm Video E-Mail (Part 2)
- http://isc.sans.org/diary.html?storyid=2071
Last Updated: 2007-01-20 00:13:37 UTC
UPDATE:
"A new variant of this virus has surfaced over the last 3-4 hours. This variant is slightly smaller than the original.
MD5 checksums for the files are:
* cf6c72dfa5a05beb46f21a21cb6d3487 for the original version
* b9a0d6c8493ad79c2c09137871b95672 for the new variant
(If you have a file that does not match the above two signatures feel free to submit it)
AV products are picking up the original, only some are picking up the variant (that should change over the next few hours).
The subject and file names are changing as well in line with the news headlines of the day. In addition to the subjects mentioned in Part 1 we have seen:
* Chinese missile shot down USA aircraft
* Chinese missile shot down USA satellite
* Chinese missile shot down Russian satellite
* Russian missile shot down USA aircraft
* Russia missile shot down USA satellite
* Russian missile shot down Chinese aircraft
* Radical Muslim drinking enemies' blood
* Sadam Hussein alive!
* Sadam Hussein safe and sound!
Many readers have reported that their Anti Spam filters capture the files. If you are blocking executables, then at the moment things should be fine in your camp.
We'll keep you updated."

fatdcuk

PostPosted: Sat Jan 20, 2007 2:19 am    Post subject:

Bagged my first copy on Tuesday.
CastleCops Link/t177349-MD5_36b807caf4b20f3dc4e180c2555ebd46_wincom32_sys.html

Out of 5 CWS infections this week, 3 have carried this trojan and each one has had different MD5s.


quietman7

PostPosted: Sat Jan 20, 2007 12:19 pm    Post subject:

'Storm Worm' Sweeps Into U.S.
http://www.security.ithub.com/article/Storm+Worm+Sweeps+Into+US/199062_1.aspx


_________________
"THE BAD GUYS DON'T NEED A SEARCH WARRANT. ARE YOU PROTECTED?"

Microsoft MVP - Windows Security 2007-2008
AplusWebMaster

PostPosted: Sat Jan 20, 2007 12:37 pm    Post subject:

FYI...

Peer-to-Peer Botnet
- http://www.symantec.com/enterprise/security_response/weblog/2007/01/trojanpeacomm_building_a_peert.html
January 19, 2007 ~ "...The threat arrived in an email with an empty body and a variety of subjects... The attachment is not a video clip, but a Trojan horse program*... The executable drops a system driver (wincom32.sys, also detected as Trojan.Peacomm), which injects some payload and hidden threads directly into the services.exe process... Once the computer is infected, Trojan.Peacomm attempts to establish peer-to-peer communication on UDP port 4000 with a small list of IP addresses, in order to download and execute more malicious files. If you use a personal firewall with egress filtering, you will be notified that the services.exe process is attempting to connect to a remote address on this port. Symantec’s Threat Management System shows a spike in traffic for UDP port 4000**... When it manages to connect to any of these initial IP addresses, it receives a list of additional IP addresses of infected machines and adds them to its list of available peers, building up a distributed network to aid in the download of more malware. The Trojan also keeps a "blacklist" of unsuitable peers..."

* http://www.symantec.com/security_response/writeup.jsp?docid=2007-011917-1403-99

** http://isc.sans.org/port.html?port=4000



AplusWebMaster

PostPosted: Sun Jan 21, 2007 12:33 pm    Post subject:

Ongoing...

- http://isc.sans.org/diary.html?storyid=2071
Last Updated: 2007-01-21 10:42:25 UTC ...(Version: 3)
"...New hashes
* c0ea4f9c940ed25f5a6f9a5240aaf9d6 (new variant, but detected by most AV already)
* 932fbaf2efbf432d50532f7ec48b9e24 (new and not detected by many yet)
* 72f445300de3ccb0b76d5ca01c07207d
* 7fba7a6e6e3fd72bcfe15233b05535a1
* d93ffce8b87e2176bbe4edaca12a244f
* 18157394ea1b2791e9149077c153446e
* 40b246c5b7c3871fed464e02d5afc0b
* cbbbd25c250b8372c2d15b3d68bdbd87
* 83f759878d5ed7b9286e76103c8430cf
* 562d6dad245497e6c95d1bb33e4bedda
...UPDATE: Another variant has surfaced file checksums to c0ea4f9c940ed25f5a6f9a5240aaf9d6, the rest is the same.... Not all AV pick this one up yet."

- http://www.f-secure.com/weblog/archives/archive-012007.html#00001088
January 20, 2007 ~ "...Update: ...another run with new and modified variants. Mostly the same Subject fields, with the addition of:
President of Russia Putin dead
Third World War just have started!
The Supreme Court has been attacked by terrorists. Sen. Mark Dayton dead!
The commander of a U.S. nuclear submarine lunch the rocket by mistake.
First Nuclear Act of Terrorism!
>>> Update on Sunday: Another run. This time with a different theme included in the subjects:
Happy World Religion Day!
Most Beautiful Girl
Someone at Last
I Believe
The Dance of Love
The Miracle of Love
All For You
Vacation Love
New filenames include Flash Postcard.exe."



AplusWebMaster

PostPosted: Mon Jan 22, 2007 4:07 am    Post subject:

FYI...

Storm Worm starts to use Rootkit techniques
- http://www.f-secure.com/weblog/archives/archive-012007.html#00001089
January 21, 2007 ~ "The weekend has been very busy with Storm Worm. We have lately found out new variants that have started to use kernel-mode rootkit techniques to hide their files, registry keys and active network connections. F-Secure BlackLight* is able to detect the hidden files."

* http://www.f-secure.com/blacklight/try_blacklight.html



AplusWebMaster

PostPosted: Mon Jan 22, 2007 9:18 pm    Post subject:

Ongoing...

- http://www.f-secure.com/weblog/archives/archive-012007.html#00001092
January 22, 2007 ~ "This evening a new wave of the Stormy worm has been spammed widely. The subjects used in the e-mails have now changed from news-related events to love-related topics... Note: For those of you who aren't already filtering EXE's in the e-mail gateway - do it now!"

(Screenshots and new list of subjects available at the URL above.)



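The ISC diary entries quoted earlier in this thread publish MD5s for the dropper and its variants, and the F-Secure note above says to filter EXEs at the mail gateway. What follows is an added example, not code from this thread, ISC, F-Secure or Symantec: a gateway triage routine that parses a raw message and flags each attachment by executable extension, by PE magic bytes (so a dropper renamed to look like a picture still trips), and by MD5 against the published list. The hash set is copied from the ISC text quoted above (one entry there is reproduced with only 31 hex digits and is left out rather than guessed); the extension list beyond `.exe`, the address names and the sample messages are constructed for the demo.

```python
"""Mail-gateway triage for the Peacomm / Small.DAM spam runs.

Added example (not from the thread or any vendor).  The MD5 list is copied
from the ISC diary text quoted in this thread; sample messages are
constructed here for the demo and are not real captures.
"""
import email
import hashlib
from email import policy
from email.message import EmailMessage

# MD5s published in the ISC diary for the dropper and its variants.  The
# diary also lists "40b246c5b7c3871fed464e02d5afc0b", which is only 31 hex
# digits as reproduced in the thread, so it is omitted rather than guessed.
KNOWN_BAD_MD5 = {
    "cf6c72dfa5a05beb46f21a21cb6d3487",  # original dropper
    "b9a0d6c8493ad79c2c09137871b95672",  # first, smaller variant
    "c0ea4f9c940ed25f5a6f9a5240aaf9d6",
    "932fbaf2efbf432d50532f7ec48b9e24",
    "72f445300de3ccb0b76d5ca01c07207d",
    "7fba7a6e6e3fd72bcfe15233b05535a1",
    "d93ffce8b87e2176bbe4edaca12a244f",
    "18157394ea1b2791e9149077c153446e",
    "cbbbd25c250b8372c2d15b3d68bdbd87",
    "83f759878d5ed7b9286e76103c8430cf",
    "562d6dad245497e6c95d1bb33e4bedda",
}

# The runs in this thread used .exe only; the other extensions are an assumed
# addition that a gateway policy would normally strip as well.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def is_known_bad(md5_hex):
    return md5_hex.lower() in KNOWN_BAD_MD5


def attachment_reasons(filename, payload):
    """Reasons to block one attachment; an empty list means it passes."""
    reasons = []
    name = (filename or "").lower()
    if name.endswith(EXECUTABLE_EXTENSIONS):
        reasons.append("executable extension")
    # A PE/DOS image starts with "MZ"; checking content catches a dropper
    # renamed to look like a picture or document.
    if payload[:2] == b"MZ":
        reasons.append("PE header (MZ) regardless of name")
    if is_known_bad(hashlib.md5(payload).hexdigest()):
        reasons.append("MD5 matches a published Peacomm sample")
    return reasons


def triage_message(raw_bytes):
    """Parse a raw RFC 822 message and return one finding per attachment."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        findings.append({
            "filename": part.get_filename(),
            "md5": hashlib.md5(payload).hexdigest(),
            "reasons": attachment_reasons(part.get_filename(), payload),
        })
    return findings


def should_block(raw_bytes):
    return any(f["reasons"] for f in triage_message(raw_bytes))


def build_sample(subject, filename, payload, maintype="application", subtype="octet-stream"):
    """Construct a demo message shaped like the run: empty body, one attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content("")
    msg.add_attachment(payload, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    fake_pe = b"MZ" + b"\x90" * 62  # stand-in for a dropper, not real malware
    for subject, name, data, kind in [
        ("230 dead as storm batters Europe.", "Full Story.exe", fake_pe, ("application", "octet-stream")),
        ("Most Beautiful Girl", "Video.jpg", fake_pe, ("image", "jpeg")),
        ("meeting notes", "notes.txt", b"plain text", ("text", "plain")),
    ]:
        raw = build_sample(subject, name, data, *kind)
        verdict = "BLOCK" if should_block(raw) else "pass"
        print(name, "->", verdict, triage_message(raw)[0]["reasons"])
```

Hash matching is the weakest of the three checks: the thread itself records a new MD5 per variant and per infected host, so the policy that holds up is the content-based one (extension plus magic bytes), with the hash list kept only as enrichment for incident tracking.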
AplusWebMaster

PostPosted: Tue Jan 23, 2007 11:57 am    Post subject:

Ongoing...

- http://www.symantec.com/enterprise/security_response/weblog/2007/01/trojanpeacomm_part_2_the_botne.html
January 22, 2007 ~ "...The bot machines are now communicating over UDP port 7871, instead of port 4000. Symantec’s Threat Management System confirms this change... the new version of the threat has fully fledged rootkit capabilities, albeit not very sophisticated. It would appear that the malware writers were in a rush to get the new version out as quickly as possible and some functionality of the rootkit has not been implemented correctly. It is now capable of hiding several files and registry keys by hooking several kernel functions and patching the tcpip.sys system driver to hide its ports from commands, such as netstat -o or netstat -b. However, due to some mistakes in the rootkit code, running netstat -an lets you see ports 7871 or 4000 open and waiting for connections. It is also important to note that a personal firewall will also notify you of the process services.exe trying to make connections on these ports. Furthermore, the rootkit service can be stopped by running a simple command: net stop wincom32. All files, registry keys, and ports will appear again... The primary goal is to create a botnet that sends tons and tons of penny stock spam (but because the botnet can be controlled by its owners, we may see changes in functionality)..."

- http://isc.sans.org/port.html?port=4000

- http://isc.sans.org/port.html?port=7871


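The two Symantec write-ups quoted in this thread describe the bot's peer channel: services.exe sending UDP to a list of peers on port 4000, later 7871, and learning more peers from each one it reaches. The following is an added example, not code from the thread or Symantec, of what that looks like in a flow log and how to pick it out without alerting on every single UDP/4000 datagram: it counts, per internal host, the distinct external addresses contacted on those ports and flags hosts that fan out to several. The log layout, the RFC 1918 definition of "internal", the threshold and the sample lines are all constructed for the demo.

```python
"""Fan-out detector for the Peacomm peer-to-peer channel (UDP 4000 / 7871).

Added example, not from the thread or Symantec.  The flow-log layout and
the sample lines are constructed for the demo.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Ports named in the Symantec write-ups quoted in this thread.
PEACOMM_UDP_PORTS = {4000, 7871}

# Assumed: RFC 1918 space is "inside"; adjust to the site's address plan.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Assumed flow-log layout:  <timestamp> <src>:<sport> -> <dst>:<dport> <proto>
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>UDP|TCP)\s*$")


def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def detect_p2p_fanout(lines, ports=PEACOMM_UDP_PORTS, min_peers=3):
    """Return {src: {"peers": n, "ports": [...]}} for internal hosts that
    sent UDP to at least `min_peers` distinct external addresses on `ports`.

    One flow to UDP/4000 is not evidence on its own (the port is shared with
    legitimate software); the Peacomm trait is the peer-list walk, i.e. one
    host fanning out to many unrelated addresses on the same port.
    """
    peers = defaultdict(set)
    seen_ports = defaultdict(set)
    for line in lines:
        m = FLOW_RE.match(line)
        if not m or m.group("proto") != "UDP":
            continue
        dport = int(m.group("dport"))
        src, dst = m.group("src"), m.group("dst")
        if dport not in ports or not is_internal(src) or is_internal(dst):
            continue
        peers[src].add(dst)
        seen_ports[src].add(dport)
    return {
        src: {"peers": len(dsts), "ports": sorted(seen_ports[src])}
        for src, dsts in peers.items() if len(dsts) >= min_peers
    }


# Constructed sample: 10.0.0.12 walks a peer list on both ports; 10.0.0.50
# sends one UDP/4000 datagram to one host; 10.0.0.77 is ordinary web traffic.
SAMPLE_LOG = """\
2007-01-20T14:01:02 10.0.0.12:1034 -> 198.51.100.7:4000 UDP
2007-01-20T14:01:02 10.0.0.12:1034 -> 203.0.113.9:4000 UDP
2007-01-20T14:01:03 10.0.0.12:1034 -> 203.0.113.44:4000 UDP
2007-01-20T14:01:05 10.0.0.12:1034 -> 198.51.100.21:7871 UDP
2007-01-20T14:01:05 10.0.0.12:1034 -> 192.0.2.133:7871 UDP
2007-01-20T14:01:06 10.0.0.12:1034 -> 192.0.2.5:7871 UDP
2007-01-20T14:02:10 10.0.0.50:2211 -> 198.51.100.7:4000 UDP
2007-01-20T14:02:11 10.0.0.77:3301 -> 192.0.2.80:80 TCP
2007-01-20T14:02:12 10.0.0.77:3302 -> 192.0.2.80:443 TCP
""".splitlines()


if __name__ == "__main__":
    for host, info in detect_p2p_fanout(SAMPLE_LOG).items():
        print(f"{host}: {info['peers']} peers on UDP {info['ports']}")
```

The same counting works on an egress firewall's block log once outbound UDP 4000/7871 is denied, which is the filtering advice given later in the thread: a denied host that keeps retrying a long list of peers is the one to pull for `net stop wincom32` and cleanup.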
AplusWebMaster

PostPosted: Tue Jan 23, 2007 8:01 pm    Post subject:

More info...

- http://www.networkcomputing.com/channels/security/showArticle.jhtml?articleID=196902961
Jan 23, 2007 ~ "..."This looks like a worm because of the volume of e-mail, even though it's a Trojan," says Dave Cole, the director of Symantec's security response team. "We're on spam run No. 4 now, with millions of messages having been sent so far." The large volume of infected messages spammed so far prompted Cole's company to up the threat rating to a "3" in its 1 through 5 scoring system. The last time Symantec classified a piece of malware as a "3" was in late 2005, says Cole... As of Monday, the Trojan accounted for 8% of all infections globally... Security vendors have recommended that users update their antivirus signatures and, if they're using anti-spam software, that defense as well."

- http://www.pcworld.idg.com.au/pp.php?id=1167470053&
23/01/2007 ~ "...The last time malicious software spread this quickly was in May 2005, when the Sober.O mass-mailling worm affected a similar number of systems... The latest versions of the worm include similarly provocative news headlines and malicious attachments, but the criminals have added a twist over the past few days: the text of the e-mail messages now contains glowing reviews of penny stocks, apparently designed to fuel "pump and dump" stock scams. Some of the e-mail messages have also been changed to prey on the romantic, security vendor F-Secure warned. Recent versions of these Trojan e-mails have contained subject lines such as "A Bouguet of Love," "A Day in Bed Coupon," or "A Monkey Rose for You"..."



AplusWebMaster

PostPosted: Tue Jan 23, 2007 9:18 pm    Post subject:

FYI...

- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=196903023
Jan. 23, 2007 03:43 PM ~ "...So far, Symantec has received 1.6 million detection reports from its sensor system. "This means Peacomm has hit 1.6 million systems in the past seven days," a company spokesman said in an e-mail. An accurate number of infected machines is not yet known. The most recent variants of the Trojan include rootkit cloaking technologies to hide it from security software, said both F-Secure and Symantec. The latter, however, pointed out that flawed rootkit code voids some of the Trojan maker's plans. "The rootkit service can be stopped by running a simple command: net stop wincom32 . All files, registry keys, and ports will appear again," said Hidalgo. A personal firewall also offers some protection from the rootkit, as it will warn you that the Windows process "services.exe" is trying to access the Internet using ports 4000 or 7871. Peacomm's turn to rootkits brought out comparisons to Rustock, a year-old family of Trojan horses that has become a model of sorts for hackers. Rustock, as Symantec warned in December 2006, relies on rootkit technology, but adds an ability to quickly change form as another evasion tactic... Symantec's researchers said that PCs hijacked by Peacomm send "tons and tons of penny stock spam" in a typical pump 'n' dump scheme... Other defensive advice includes filtering traffic on UDP ports 4000 and 7871, update anti-spam products, and configure mail gateways to strip out all executable attachments."



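The Symantec material quoted in this post and the one before it says the rootkit patches tcpip.sys to hide its ports from `netstat -o` and `netstat -b`, but a bug leaves them visible to `netstat -an`. Comparing two views of the same state is the standard way to catch a hook that only covers one of them. The following added example, not code from the thread, Symantec or F-Secure, parses two netstat captures and reports UDP ports present in the plain view but absent from the PID view. The captures are constructed, and the assumption that `netstat -ano` is hidden in the same way as `-o` is mine, not something the write-ups state.

```python
"""Cross-view check for ports hidden from netstat by the Peacomm rootkit.

Added example, not from the thread, Symantec or F-Secure.  The two netstat
captures below are constructed for the demo.  Assumption: the hook that
hides entries from the PID-bearing output (-o) also affects `netstat -ano`,
while `netstat -an` is unaffected, as the write-ups in the thread describe.
"""
import platform
import re
import subprocess

PEACOMM_UDP_PORTS = {4000, 7871}

# Matches a Windows netstat UDP line, with or without the trailing PID column.
UDP_LINE = re.compile(r"^\s*UDP\s+(?P<local>\S+)\s+\*:\*(?:\s+(?P<pid>\d+))?\s*$")


def udp_ports(netstat_output):
    """Map local UDP port -> PID (None if the view carries no PID column)."""
    ports = {}
    for line in netstat_output.splitlines():
        m = UDP_LINE.match(line)
        if m:
            port = int(m.group("local").rsplit(":", 1)[1])  # also handles [::]:4000
            ports[port] = int(m.group("pid")) if m.group("pid") else None
    return ports


def hidden_ports(view_an, view_ano):
    """UDP ports present in the plain view but missing from the PID view."""
    return sorted(set(udp_ports(view_an)) - set(udp_ports(view_ano)))


def peacomm_suspects(view_an, view_ano):
    return [p for p in hidden_ports(view_an, view_ano) if p in PEACOMM_UDP_PORTS]


# Constructed captures from a hypothetical infected host.
VIEW_AN = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  UDP    0.0.0.0:123            *:*
  UDP    0.0.0.0:4000           *:*
  UDP    0.0.0.0:7871           *:*
"""
VIEW_ANO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  UDP    0.0.0.0:123            *:*                                    1024
"""


def live_check():
    """On a Windows host, run both views and report the discrepancy."""
    an = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
    ano = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    return peacomm_suspects(an, ano)


if __name__ == "__main__":
    print("hidden in sample:", peacomm_suspects(VIEW_AN, VIEW_ANO))
    if platform.system() == "Windows":
        # Thread's remediation once a hit is confirmed: net stop wincom32
        print("hidden on this host:", live_check())
```

An empty result is not proof of a clean host: a hook that patches both views consistently is invisible to this comparison, so treat it as one indicator next to the egress-firewall prompt for services.exe and a service query for wincom32. After `net stop wincom32` the thread reports that files, registry keys and ports reappear, so re-running the check then should show no discrepancy.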
AplusWebMaster

PostPosted: Thu Jan 25, 2007 2:45 pm    Post subject:

FYI...

- http://www.symantec.com/enterprise/security_response/weblog/2007/01/storm_trojan_outbreak_a_spamce.html
January 23, 2007 ~ "“Storm Trojan” Outbreak... While we often report on the number of infections we’re seeing for a threat and what our honeynets are catching, we haven’t often shared the numbers on the amount of malicious code we’re seeing via Symantec’s antispam solutions. With Trojan.Peacomm still very much on the prowl and repeatedly blasting spam in short bursts of five to ten minutes, we thought we’d share some of our statistics on the malware we see being spammed around the globe. All of the numbers below are from December 22, 2006 to January 22, 2007..."

(More available at the URL above.)



AplusWebMaster

PostPosted: Fri Feb 09, 2007 4:55 am    Post subject:

FYI...

- http://www.symantec.com/enterprise/security_response/weblog/2007/02/love_is_in_the_air.html
February 8, 2007 ~ "Today has seen another large-scale spamming of Trojan.Peacomm, aka the "Storm Trojan". With Valentine's Day approaching, this time around the authors are attempting to tug on the heartstrings of unsuspecting users with romantic subject lines such as "My Heart belongs to you" and "Together You and I". The mail body is empty and the attachments have the usual names of "Greeting Card.exe", "Postcard.exe", and "Greeting Postcard.exe". The Trojan is much the same as we've seen before, the only difference being that the authors have used a modified packer in an (unsuccessful) effort to evade detection by AntiVirus vendors..."



All times are GMT
Page 1 of 2
Powered by phpBB © 2001 phpBB Group