Latest wincom32 peacomm rootkit has bugs

As a follow-up to the post New Storm-Worm Rootkit creating Botnets, here is an update.

It has been reported that the authors of the Storm Worm, which uses a rootkit called wincom32, have changed their code and tactics to try to avoid detection, but in doing so have left bugs in the code.

To check your system for this rootkit please download an anti-rootkit scanner.

First of all, there are now more subject lines used on the emails carrying the worm:

Chinese missile shot down USA aircraft
Chinese missile shot down USA satellite
Fidel Castro dead.
First Nuclear Act of Terrorism!
Happy World Religion Day!
Hugo Chavez dead.
President of Russia Putin dead
Radical Muslim drinking enemies’ blood.
Russian missle shot down Chinese satellite
Russian missle shot down USA aircraft
Russian missle shot down USA satellite
Sadam Hussein alive!
Sadam Hussein safe and sound!
Safe and Sound
The commander of a U.S. nuclear submarine lunch the rocket by mistake.
The Supreme Court has been attacked by terrorists. Sen. Mark Dayton dead!
Third World War just have started!
U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
U.S. Southwest braces for another winter blast. More then 1000 people are dead.
Venezuelan leader: “Let’s the War beginning”.

and some love-related subjects:

A Bouguet of Love
A Day in Bed Coupon
A Monkey Rose for You
A Red Hot Kiss
Against All Odds
All That Matters
Baby, I’ll Be There
Back Together
Breakfast in Bed Coupon
Can’t Wait to See You!
Cyber Love
Dinner Coupon
Dream Date Coupon
Emptiness Inside Me
Fields Of Love
For You
Full Heart
I Believe
I Can’t Function
I Dream of You
I Think of You
Internet Love
It’s Your Move
Kiss Coupon
Love Birds
Love You Deeply
Made for Each Other
Miracle of Love
Moonlit Waterfall
My Invitation
Our Love
Our Love is Free
Our Two Hearts
Passionate Kiss
Pockets of Love
Puppy Love
Red Rose
Sending You My Love
Showers of Love
Someone at Last
Soul Partners
Summer Love
Take My Hand
That Special Love
The Dance of Love
The Long Haul
The Love Bugs
This Day Forward
This Feeling
Till Morning’s Light
Till Morninig’s Light
The Mood for Love
To New Spouse
Together Again
Together You and I
Touched by Love
Twice Blest
Until the Day
We’re a Perfect Fit
Wild Nights
Will you?
When I’m With You
Worthy of You
Wrapped Up
Wrapped in Your Arms
You are our of this world
You Lucky Duck!
You Rock Me!
You Were Worth the Wait

The attachment may now have one of the following names:

GreetingPostcard.exe
MoreHere.exe
FlashPostcard.exe
GreetingCard.exe
ClickHere.exe
ReadMore.exe
FullNews.exe

It first drops a file called wincom32.sys in one of the following folders:

C:\Windows\System (Windows 95/98/Me)
C:\Winnt\System32 (Windows NT/2000)
C:\Windows\System32 (Windows XP)

It then creates a service and the following registry entry so that the service starts when the PC boots:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wincom32

The worm then tries to connect to other bots and download more malware so that it can do its primary job: sending out penny stock spam. Increased spam has been seen in the last few days.

The latest version of the bot now tries to communicate with other bots on port 7871 instead of 4000 as in the previous version.

The authors have added more rootkit functionality in this version, but the rootkit contains a few bugs and has been known to crash some systems.

“It is now capable of hiding several files and registry keys by hooking several kernel functions and patching the tcpip.sys system driver to hide its ports from commands, such as netstat -o or netstat -b. However, due to some mistakes in the rootkit code, running netstat -an lets you see ports 7871 or 4000 open and waiting for connections. It is also important to note that a personal firewall will also notify you of the process services.exe trying to make connections on these ports. Furthermore, the rootkit service can be stopped by running a simple command: net stop wincom32. All files, registry keys, and ports will appear again.”
Symantec

The rootkit also checks to see if the system it is running on is a Windows 2003 machine, as it seems that the authors have not fully tested it on Windows 2003.
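The checks described above (the dropped driver, its service key, and the ports that still show up in plain netstat -an output) as a small Python triage script; this is an added example, not code from the original post or from Symantec. The netstat sample it parses is constructed, and the registry check only runs on Windows.

```python
import os
import re

# Indicators named in the post: the dropped driver, its service key and the bot ports.
DRIVER_NAME = "wincom32.sys"
DROP_DIRS = [r"C:\Windows\System", r"C:\Winnt\System32", r"C:\Windows\System32"]
SERVICE_KEY = r"SYSTEM\CurrentControlSet\Services\wincom32"
BOT_PORTS = {7871, 4000}
# One 'netstat -an' row: proto, local endpoint, foreign endpoint, optional state.
NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def _port(endpoint):
    """'0.0.0.0:7871' -> 7871; '*:*' -> None."""
    port = endpoint.rpartition(":")[2]
    return int(port) if port.isdigit() else None


def suspicious_rows(netstat_output):
    """Rows of plain 'netstat -an' text whose local or foreign port is a bot port."""
    hits = []
    for line in netstat_output.splitlines():
        m = NETSTAT_ROW.match(line)
        if m:
            proto, local, foreign, state = m.groups()
            if _port(local) in BOT_PORTS or _port(foreign) in BOT_PORTS:
                hits.append((proto, local, foreign, state or ""))
    return hits


def host_indicators():
    """Driver file in a drop folder, or the service key present (key check is Windows only)."""
    found = [p for p in (os.path.join(d, DRIVER_NAME) for d in DROP_DIRS) if os.path.exists(p)]
    try:
        import winreg  # absent on non-Windows Python
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SERVICE_KEY):
            found.append("HKLM\\" + SERVICE_KEY)
    except (ImportError, OSError):
        pass  # no registry here, or the service key does not exist
    return found


# Constructed sample of 'netstat -an' output; not captured from a real infection.
SAMPLE_NETSTAT = """  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7871           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:4000           *:*
  TCP    192.168.1.5:1029       203.0.113.9:7871       ESTABLISHED
"""
```

Run suspicious_rows on the output of a real netstat -an and host_indicators on the machine; an empty result from both is the expected state on a clean host.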

This latest change is interesting as it shows the attackers are constantly altering their tactics in light of discoveries by anti-malware companies. They are also using fresh news headlines for the latest attacks, hoping to dupe more people into running the worm. It seems the attackers are blatantly thumbing their noses at the anti-malware industry with their new and expanding peer-to-peer botnet.

References:

Trojan.Peacomm Part 2 – The Botnet Evolves

Stormy Love

Stay Safe

regards

Steo
www.antirootkit.com


2 Responses to “Latest wincom32 peacomm rootkit has bugs”

  1. Storm Worm update | TomCoyote Says:

    […] Anti-Rootkit Blogger steo writes: […]

  2. The threat of Trojan.Peacomm and how to fix it - Simple Technology - News and how-tos for the digital lifestyle Says:

    […] What Peacomm does to you: Once inside, the trojan tries to turn your computer into a spam-sending vehicle, but it can also try to open up backdoors for other malware. Amado Hidalgo, in a post on his Symantec blog, says that his team cataloged 1,800 emails sent out by an infected computer in about five minutes. He speculates that, at that point, another infected computer would pick up the spamming, presumably to change up the sending IP address, which some anti-spam detectors look at very carefully. He warns that Symantec has noticed modifications in the trojan including new email subject lines and a full-fledged rootkit. For a look at many of the possible bogus email subject lines and attachments attributed to Peacomm (and there are a lot), you can check out the Anti Rootkit Blog. […]
