[Snort-sigs] documentation for sids 1:10065 -> 1:10077 (Storm Trojan, Trojan.Peacom)

David Morris icurnet at ...2420...
Thu Jan 25 10:13:43 EST 2007


I attached basic documentation for SIDs 1:10065 thru 1:10077 for the 'Storm
Trojan' (Trojan.Peacomm) that has been in the news lately.

David Morris, CISSP

# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to others' work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 

Rule:  SPECIFIC-THREATS Trojan Peacomm smtp propagation detection (1:10065, thru sid 1:10077)

--
Sid: 1:10065  (thru 1:10077)

--
Summary: An executable attachment received via e-mail that, once executed by the user, compromises the user's PC by installing
a rootkit and a UDP communication channel used for distribution of spam.

--
Impact: High

--
Detailed Information: An executable attachment received via e-mail that, once executed by the user, compromises the user's PC by installing
a rootkit and a UDP communication channel used for distribution of spam. Users are lured into opening the attachment by describing
it as a video news story related to current news events. The subject/body of the e-mail varies.

Once compromised, the PC will start sending high volumes (2000-3000 msgs/min) of mail traffic. The backdoor UDP communication channel typically uses udp/4000 and udp/7871 to communicate with a botnet.

Known as Storm Trojan, Trojan.Peacomm (Symantec)

--
Affected Systems: Microsoft Windows Operating Systems

--
Attack Scenarios: ?

--
Ease of Attack: Simple, the user runs an attachment sent to them by e-mail.

--
False Positives: none known

--
False Negatives: none known

--
Corrective Action: Patch the operating system and anti-virus program. Drop .exe attachments inbound/outbound. Educate users.

--
Contributors: David Morris, CISSP icurnet at gmail.com

-- 
Additional References: http://www.symantec.com/outbreak/storm_trojan.html
