[Snort-sigs] doc for sids 1:10065->1:10077 (Storm Trojan, Trojan.Peacom)

David Morris icurnet at ...2420...
Thu Jan 25 10:42:59 EST 2007


Basic documentation for SIDs 1:10065 through 1:10077 for the 'Storm Trojan'
(Trojan.Peacomm) that has been in the news lately.

# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#
#

Rule:  SPECIFIC-THREATS Trojan Peacomm smtp propagation detection
(1:10065)  (thru sid 1:10077)
--
Sid: 1:10065  (thru 1:10077)
--
Summary: An executable attachment received via e-mail that, once executed by
the user, compromises the user's PC by installing
a rootkit and a UDP communication channel for distribution of SPAM.
--
Impact: High
--
Detailed Information: An executable attachment received via e-mail that,
once executed by the user, compromises the user's PC by installing
a rootkit and a UDP communication channel for distribution of SPAM. Users
are lured into opening the attachment, which is described
as a video news story related to current news events. The subject/body of
the e-mail varies.

Once compromised, the PC will start sending high volumes (2000-3000
msgs/min) of mail traffic. The backdoor UDP communication channel typically
uses udp/4000 and udp/7871 to communicate with a botnet.

Known as Storm Trojan, Trojan.Peacomm (Symantec)
--
Affected Systems: Microsoft Windows Operating Systems
--
Attack Scenarios:
--
Ease of Attack: Simple, the user runs an attachment sent to them by e-mail.
--
False Positives: none known
--
False Negatives: none known
--
Corrective Action: Patch Operating System and AntiVirus program. Drop .exe
attachments inbound/outbound. Educate users.
--
Contributors: David Morris, CISSP icurnet at ...2420...
-- 
Additional References: http://www.symantec.com/outbreak/storm_trojan.html
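As an added example (not part of the original post and not one of the Snort rules it documents), the Python below scans flow records for the two host behaviours the description lists: an outbound SMTP burst of thousands of connections per minute and UDP traffic to the botnet ports 4000 and 7871. The flow-record format, the IP addresses, the sample records and the 2000-per-minute threshold are assumptions made here for illustration; the port numbers and the message rate come from the post.

```python
"""Flag hosts whose outbound traffic matches the Peacomm behaviour described
in the post: thousands of SMTP connections per minute plus UDP traffic to
ports 4000 and 7871.  Example code, not part of the original post; the flow
record format, addresses and threshold are assumptions."""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

SMTP_PORT = 25
BOTNET_UDP_PORTS = {4000, 7871}   # ports named in the post
SMTP_PER_MINUTE_THRESHOLD = 2000  # post: 2000-3000 msgs/min once compromised


def parse_flow(line: str) -> Optional[dict]:
    """Parse one constructed flow record: '<ISO-ts> <src> <dst> <proto> <dport>'.
    Returns None for blank or malformed lines instead of raising."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, proto, dport = parts
    if not dport.isdigit():
        return None
    # Bucket by minute: the first 16 chars of 'YYYY-MM-DDTHH:MM:SS'.
    return {"minute": ts[:16], "src": src, "dst": dst,
            "proto": proto.lower(), "dport": int(dport)}


def analyze(lines: Iterable[str]) -> Dict[str, dict]:
    """Return per-source findings: peak SMTP connections in any single minute,
    the botnet UDP ports contacted, and whether both indicators are present."""
    smtp_per_min = defaultdict(lambda: defaultdict(int))  # src -> minute -> count
    udp_ports = defaultdict(set)                           # src -> ports seen
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue
        if rec["proto"] == "tcp" and rec["dport"] == SMTP_PORT:
            smtp_per_min[rec["src"]][rec["minute"]] += 1
        elif rec["proto"] == "udp" and rec["dport"] in BOTNET_UDP_PORTS:
            udp_ports[rec["src"]].add(rec["dport"])

    findings = {}
    for src in set(smtp_per_min) | set(udp_ports):
        peak = max(smtp_per_min[src].values(), default=0)
        ports = udp_ports.get(src, set())
        burst = peak >= SMTP_PER_MINUTE_THRESHOLD
        findings[src] = {
            "peak_smtp_per_minute": peak,
            "botnet_udp_ports": sorted(ports),
            "smtp_burst": burst,
            "suspect": burst and bool(ports),
        }
    return findings


def build_sample_flows() -> List[str]:
    """Constructed flow records (not real telemetry): 10.0.0.5 behaves like an
    infected host, 10.0.0.9 sends a handful of ordinary mails."""
    lines = []
    for i in range(2500):  # 2500 SMTP connections within the 10:42 minute
        lines.append(f"2007-01-25T10:42:{i % 60:02d} 10.0.0.5 "
                     f"198.51.100.{i % 200 + 1} tcp 25")
    lines.append("2007-01-25T10:42:10 10.0.0.5 203.0.113.7 udp 4000")
    lines.append("2007-01-25T10:42:11 10.0.0.5 203.0.113.8 udp 7871")
    for i in range(3):
        lines.append(f"2007-01-25T10:42:{i:02d} 10.0.0.9 198.51.100.10 tcp 25")
    lines.append("2007-01-25T10:42:05 10.0.0.9 192.0.2.53 udp 53")
    lines.append("garbled line")  # exercises the malformed-record path
    return lines


if __name__ == "__main__":
    for src, info in sorted(analyze(build_sample_flows()).items()):
        print(src, info)
```

Requiring both indicators before marking a host "suspect" keeps a busy but legitimate mail relay from being flagged on SMTP volume alone; a relay would still show up under `smtp_burst` for a human to review.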