NEWS FROM THE LAB - Saturday, January 20, 2007

Another trojan run by the Storm Worm gang Posted by Mikko @ 07:29 GMT

We got a repeat of what happened last night – but with a modified version of the trojan and fresh news items in the subject field.

[Image: "Russian Missle"]

This time the subjects in the mails are:

  Russian missle shot down Chinese satellite
  Russian missle shot down USA aircraft
  Russian missle shot down USA satellite
  Chinese missile shot down USA aircraft
  Chinese missile shot down USA satellite
  Sadam Hussein alive!
  Sadam Hussein safe and sound!
  Radical Muslim drinking enemies' blood.
  U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
  U.S. Southwest braces for another winter blast. More then 1000 people are dead.
  Venezuelan leader: "Let's the War beginning".
  Fidel Castro dead.
  Hugo Chavez dead.

And the attachment names are:

  Full Video.exe
  Read More.exe
  Full Text.exe
  Full Clip.exe

When run, the malware joins a peer-to-peer botnet, talking to other infected hosts over UDP port 7871 or 4000. Outbound traffic from a user segment on either port is a quick network-side check for infected machines.

We detect this as Trojan-Downloader.Win32.Agent.bet.

Update on Saturday: A few hours later, there was another run with new and modified variants. Mostly the same subject lines, with the addition of:

  President of Russia Putin dead
  Third World War just have started!
  The Supreme Court has been attacked by terrorists. Sen. Mark Dayton dead!
  The commander of a U.S. nuclear submarine lunch the rocket by mistake.
  First Nuclear Act of Terrorism!

Update on Sunday: Another run. This time a different theme, love and romance, is mixed in among the news-style subjects:

  So in Love
  Happy World Religion Day!
  Most Beautiful Girl
  Someone at Last
  I Believe
  The Dance of Love
  The Miracle of Love
  All For You
  Vacation Love
  I am Complete
  Wrapped Up
  Moonlit Waterfall
  A Little (sex) Card
  A Special Kiss
  Hugging My Pillow
  Safe and Sound
  You're Soo kissable
  A Romantic Place
  Breakfast in Bed Coupon
  For You
  I Love You So
  Safe and Sound
  Want to Meet?
  We Are Different
  We Have Walked
  You Asked Me Why

New filenames include Flash Postcard.exe.

Detection for these is in our update 2007-01-21_04.
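The subject lines and attachment names above are usable as mail-gateway indicators on their own, without waiting for an antivirus signature. The following is an added example, not F-Secure's code or anything shipped with the update: it parses raw messages with Python's standard email library, matches the subjects and attachment names quoted in this post (typos included), and returns a verdict. The sample messages are constructed in the script and are not captured mail; the "any bare .exe is suspicious" rule is a site-policy assumption, not something the post states.

```python
"""Mail-gateway triage for the Storm Worm lures listed in the post.

Added example, not F-Secure's code.  Subjects and attachment names are copied
verbatim from the post (typos included); the sample messages are constructed.
"""
import email
from email import policy
from email.message import EmailMessage

STORM_SUBJECTS = frozenset(s.lower() for s in (
    # Friday and Saturday news-style lures
    "Russian missle shot down Chinese satellite", "Russian missle shot down USA aircraft",
    "Russian missle shot down USA satellite", "Chinese missile shot down USA aircraft",
    "Chinese missile shot down USA satellite", "Sadam Hussein alive!",
    "Sadam Hussein safe and sound!", "Radical Muslim drinking enemies' blood.",
    "U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel",
    "U.S. Southwest braces for another winter blast. More then 1000 people are dead.",
    "Venezuelan leader: \"Let's the War beginning\".", "Fidel Castro dead.", "Hugo Chavez dead.",
    "President of Russia Putin dead", "Third World War just have started!",
    "The Supreme Court has been attacked by terrorists. Sen. Mark Dayton dead!",
    "The commander of a U.S. nuclear submarine lunch the rocket by mistake.",
    "First Nuclear Act of Terrorism!",
    # Sunday love-themed lures
    "So in Love", "Happy World Religion Day!", "Most Beautiful Girl", "Someone at Last",
    "I Believe", "The Dance of Love", "The Miracle of Love", "All For You", "Vacation Love",
    "I am Complete", "Wrapped Up", "Moonlit Waterfall", "A Little (sex) Card", "A Special Kiss",
    "Hugging My Pillow", "Safe and Sound", "You're Soo kissable", "A Romantic Place",
    "Breakfast in Bed Coupon", "For You", "I Love You So", "Want to Meet?", "We Are Different",
    "We Have Walked", "You Asked Me Why",
))

# Attachment names from the runs; Flash Postcard.exe arrived with the Sunday run.
STORM_ATTACHMENTS = frozenset(n.lower() for n in (
    "Full Video.exe", "Read More.exe", "Full Text.exe", "Full Clip.exe", "Flash Postcard.exe",
))


def triage(raw: bytes) -> dict:
    """Parse one RFC 822 message and return indicator hits plus a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # Collapse header folding so the long subjects still compare exactly.
    subject = " ".join((msg["Subject"] or "").split())
    names = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    subject_hit = subject.lower() in STORM_SUBJECTS
    name_hits = [n for n in names if n.lower() in STORM_ATTACHMENTS]
    exe_hits = [n for n in names if n.lower().endswith(".exe")]
    if subject_hit and exe_hits:
        verdict = "quarantine"   # lure subject plus an executable: the campaign itself
    elif subject_hit or name_hits or exe_hits:
        verdict = "suspicious"   # partial match, or any bare .exe (site policy, an assumption)
    else:
        verdict = "clean"
    return {"subject": subject, "attachments": names, "subject_hit": subject_hit,
            "name_hits": name_hits, "exe_hits": exe_hits, "verdict": verdict}


def build_sample(subject: str, attachment: str = "") -> bytes:
    """Construct a test message (not captured mail) in the shape of the lures."""
    msg = EmailMessage()
    msg["From"] = "news@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content("See attached.")
    if attachment:
        # Fake MZ header so the part looks like a PE file; it is inert bytes.
        msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_bytes()


# Constructed samples: two lures, a subject-only hit, and a benign message.
SAMPLES = [
    ("Russian missle shot down USA satellite", "Full Video.exe"),
    ("Hugging My Pillow", "Flash Postcard.exe"),
    ("Fidel Castro dead.", ""),
    ("Quarterly figures", "report.pdf"),
]


def run_samples() -> list:
    """Verdicts for SAMPLES, in order."""
    return [triage(build_sample(s, a))["verdict"] for s, a in SAMPLES]


if __name__ == "__main__":
    for (subject, attachment), verdict in zip(SAMPLES, run_samples()):
        print(f"{verdict:10s} {subject!r} {attachment or '-'}")
```

Exact subject matching is deliberately narrow: the gang rotated subjects within hours, so this catches only the runs documented here and the rule set has to be refreshed with each run. The ports mentioned above give a second, longer-lived check that does not depend on the lure text: hosts emitting UDP to port 7871 or 4000 after one of these attachments was delivered are the ones to pull for cleanup.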