Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

European Storm Video E-Mail

Published: 2007-01-19
Last Updated: 2007-01-21 15:29:41 UTC
by Mark Hofman (Version: 3)
0 comment(s)
=====
UPDATE 1530 GMT 21 Jan 07:

Thanks to everybody who sent us new versions of this malware.  We are going to stop adding MD5s to the list below.  The malware will continue to mutate over the next several days and weeks. 

-ms
=====


Due to a glitch when editing the diary, the older version didn't get retained. But well, this virus is pretty simple: If you get a .exe in your inbox, something is seriously wrong with your inbound mail filter. There is no good reason to send executables "plain" via email, and there are plenty of methods to filter them even before they ever hit the AV filter.


UPDATE:


A new variant of this virus has surfaced over the last 3-4 hours.  This variant is slightly smaller than the original.
MD5 checksums for the files are:
  • cf6c72dfa5a05beb46f21a21cb6d3487  for the original version
  • b9a0d6c8493ad79c2c09137871b95672  for the new variant (some of you will get the hash 01a1115bcb0d5e32a98c76a50ac8868d on the same file).
New hashes
  • c0ea4f9c940ed25f5a6f9a5240aaf9d6  (new variant, but detected by most AV already)
  • 932fbaf2efbf432d50532f7ec48b9e24  (new and not detected by many yet)
  • 72f445300de3ccb0b76d5ca01c07207d
  • 7fba7a6e6e3fd72bcfe15233b05535a1
  • d93ffce8b87e2176bbe4edaca12a244f
  • 18157394ea1b2791e9149077c153446e
  • 40b246c5b7c3871fed464e02d5afc0b
  • cbbbd25c250b8372c2d15b3d68bdbd87
  • 83f759878d5ed7b9286e76103c8430cf
  • 562d6dad245497e6c95d1bb33e4bedda
 We have enough samples for now thanks.  Thanks for all your submissions, they are much appreciated (especially Ariel, Franki, Matt, Jeff and others).

AV products are picking up the original, only some are picking up the variant (that should change over the next few hours).

The subject and file names are changing as well in line with the news headlines of the day.  We have seen:
  • Chinese missile shot down USA aircraft
  • Chinese missile shot down USA satellite
  • Chinese missile shot down Russian satellite
  • Russian missile shot down USA aircraft
  • Russia missile shot down USA satellite
  • Russian missile shot down Chinese aircraft
  • Radical Muslim drinking enemies' blood
  • Sadam Hussein alive!
  • Sadam Hussein safe and sound!
  • U.S. Southwest braces for another winter blast. More then 1000 people are dead. (new)
  • The Supreme Court has been attacked by terrorists. Sen. Mark Dayton dead!
  • The commander of a U.S. nuclear submarine lunch the rocket by mistake.
Many readers have reported that their Anti Spam filters capture the files.  If you are blocking executables, then at the moment things should be fine in your camp.

Symantec link: http://www.symantec.com/enterprise/security_response
   /weblog/2007/01/trojanpeacomm_building_a_peert.html

UPDATE:
Another variant has surfaced  file checksums to c0ea4f9c940ed25f5a6f9a5240aaf9d6, the rest is the same. (Thanks Ariel).
Not all AV pick this one up yet.

Mark
ISC Handler On Duty
Shearwater
Keywords:
0 comment(s)
Diary Archives