Trojan Hitches a Ride on Hot News

Barely a day after a storm carrying 200 kph winds lashed Europe, a spammed Trojan already claims to have the story in full detail. This Trojan hitches a ride on email messages whose subjects carry the latest news. One example of the spammed mail has the subject “230 dead as storm batters Europe”. Other subjects include any of the following:

  • A killer at 11, he’s free at 21 and kill again!

  • British Muslims Genocide

  • U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel


The spam mail lures its recipients into opening its attachment by using file names such as Full Clip.exe, Full Story.exe, Full Video.exe, and Read More.exe.

This Trojan, detected by Trend Micro as TROJ_SMALL.EDW, is currently in the wild and is driving up infection counts in Japan. Once run, it downloads other, possibly malicious, files from certain Web sites. Trend Micro advises users to refrain from opening unsolicited email messages or their attachments.



Update (Roberto Tayag, Sun, 21 Jan 2007 12:43:35 PM)



We have seen a burst of emails from this Trojan as well as updates to the malware itself and to its emails. Our own honeypot has already received more than 29,000 samples of this Trojan. We have received reports that this particular sample is creating a P2P botnet. We are now confirming this as of writing. We will update you as soon as possible.




Update (Sheryll Tiauzon, Mon, 22 Jan 2007 09:29:05 AM)



Well, this malware has certainly stirred up quite a storm these past few days. It is worth mentioning that this file is actually the file dropped by WORM_NUWAR.CQ. It then in turn drops a file, wincom32.sys, and registers itself as a service to enable automatic execution at system startup. The file wincom32.sys actually possesses rootkit capabilities, which permit certain files and processes to remain hidden, though not entirely impossible to detect.



Aside from the reports that it also tries to establish a peer-to-peer connection, below is an updated list of email subjects and email attachments used by the malware.



Subject: (any of the following)



  • 230 dead as storm batters Europe.

  • A killer at 11, he’s free at 21 and kill again!

  • British Muslims Genocide

  • U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel




Attachment: (any of the following)



  • Full Clip.exe

  • Full Story.exe

  • Full Video.exe

  • Read More.exe

  • Video.exe




Here’s a sample of the email:





To help protect against this threat, it would be advisable to block email attachments that are executable files. Also block access to the following URLs:





  • http://69.50.166.234/cp/*

  • http://81.177.3.169/dir/*

  • http://81.177.26.27/cp/*

  • http://205.209.179.112/cp/*

  • http://209.123.8.198/cp/*

  • http://217.107.217.187/*

  • http://217.107.217.187/cp/*

  • http://217.107.217.187/sp/*
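The two mitigations recommended above (rejecting executable attachments and blocking the listed download locations), together with the lure subjects and attachment names listed in this update and in the original post, can be applied at a mail gateway with a few lines of Python. The following is an added example and is not Trend Micro's code: the indicator lists are the ones quoted on this page, the sample message it inspects is constructed here rather than captured, and the check for the PE “MZ” header is an extra precaution beyond the post's advice so that a renamed executable is still caught.

```python
"""Mail-gateway style checks for the Storm Worm spam described on this page.

Added example, not Trend Micro's code. Subjects, attachment names and URL
patterns are the ones quoted in the post; the sample message is constructed
here, and the 'MZ' header check goes beyond the post's advice.
"""
import email
import fnmatch
from email import policy
from email.message import EmailMessage


def _norm(subject):
    """Normalise a subject for comparison: trim whitespace, a trailing full
    stop (the post quotes one subject with and without it), apostrophe style
    and case."""
    return subject.strip().rstrip(".").replace("\u2019", "'").lower()


# Lure subjects listed in the post.
KNOWN_SUBJECTS = {_norm(s) for s in (
    "230 dead as storm batters Europe.",
    "A killer at 11, he's free at 21 and kill again!",
    "British Muslims Genocide",
    "U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel",
)}

# Attachment names listed in the post (compared case-insensitively).
KNOWN_ATTACHMENTS = {n.lower() for n in (
    "Full Clip.exe", "Full Story.exe", "Full Video.exe", "Read More.exe", "Video.exe",
)}

# Download locations the post says to block; '*' is matched as a glob.
BLOCKED_URL_PATTERNS = (
    "http://69.50.166.234/cp/*",
    "http://81.177.3.169/dir/*",
    "http://81.177.26.27/cp/*",
    "http://205.209.179.112/cp/*",
    "http://209.123.8.198/cp/*",
    "http://217.107.217.187/*",
    "http://217.107.217.187/cp/*",
    "http://217.107.217.187/sp/*",
)

EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
PE_MAGIC = b"MZ"  # DOS/PE header magic present in every Windows executable


def is_executable_attachment(filename, data):
    """True if the attachment is a Windows executable, judged by extension or
    by the 'MZ' magic, so a renamed or double-extension file is still caught."""
    name = (filename or "").lower()
    return name.endswith(EXECUTABLE_EXTENSIONS) or data[:2] == PE_MAGIC


def is_blocked_url(url):
    """True if the URL falls under one of the blocked prefixes."""
    return any(fnmatch.fnmatchcase(url, pat) for pat in BLOCKED_URL_PATTERNS)


def analyze_message(raw_bytes):
    """Return a list of findings for one RFC 5322 message; empty means clean."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    subject = str(msg.get("Subject", ""))
    if _norm(subject) in KNOWN_SUBJECTS:
        findings.append(f"known lure subject: {subject!r}")
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if fname.lower() in KNOWN_ATTACHMENTS:
            findings.append(f"known lure attachment name: {fname}")
        if is_executable_attachment(fname, data):
            findings.append(f"executable attachment: {fname} ({len(data)} bytes)")
    return findings


def build_sample():
    """Constructed sample resembling the spam described above; not a real capture."""
    msg = EmailMessage()
    msg["From"] = "news@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "230 dead as storm batters Europe."
    msg.set_content("Full story attached.")
    stub = PE_MAGIC + b"\x00" * 62  # 64-byte stub carrying only the DOS header magic
    msg.add_attachment(stub, maintype="application", subtype="octet-stream",
                       filename="Full Story.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in analyze_message(build_sample()):
        print("BLOCK:", finding)
    print("blocked URL:", is_blocked_url("http://217.107.217.187/cp/update.exe"))
```

The update itself notes that the subjects and attachment names have already changed once, so the name lists should be treated as short-lived indicators; the durable control is the executable-attachment rule, which is why the example decides on both file extension and file content rather than on the names alone.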