Evasive Trojan spreads fast


Johannesburg, 29 Jan 2007

BitDefender Labs warns that a Trojan downloader is "spreading extremely fast and evading detection" by most other security software, apparently by disguising itself.

"Trojan.Fatobfus.Gen is designed specifically to evade detection by anti-virus software and to make the work of virus analysts as hard as possible," says BitDefender anti-virus researcher Sorin Dudea.

"Once it reaches a computer, it will hide itself in an Internet Explorer process, from where it will start downloading and installing other malware. Even if other anti-virus programs detected some of the viruses this Trojan installs, they would not detect the Trojan itself, which would pull in new pieces of malware."

Dudea adds that the rapid spread suggests the Trojan is being actively "seeded": pushed out through spam "bot" networks, through software vulnerabilities, or from infected Web sites.

Symantec last week raised the risk level of Trojan.Peacomm (also referred to as "Storm Worm") to a category three threat. The company says this appears to be the same Trojan that BitDefender is warning against.

The threat level was raised after the malware author changed tactics, and after attacks increased steadily since last weekend as security companies adjusted to his original approach.

Trojan.Peacomm is one of a number of spamming Trojan horse programs Symantec has recently encountered that appear to originate from Russia and are aimed at making money for the author by pumping up penny stocks on the US markets.

The victim is enticed through social engineering to open an attachment, which typically appears to be a video clip of a recent, newsworthy event.

Once a user opens the attachment, the computer is infected with the Trojan, which attempts to connect to a remote address and ultimately uses the infected host to send high-volume bursts of spam. Symantec has observed an average of 3 500 spam messages per minute from a single infected host in its labs.
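A spam rate of that order is easy to spot at the network edge. The following is an added example, not code from the article, BitDefender or Symantec: it scans connection records for outbound TCP/25 connections and flags any internal host whose peak rate in a sliding 60-second window exceeds a threshold. The log format, the 60-connections-per-minute threshold and the sample traffic are all constructed for illustration; a real deployment would read firewall or NetFlow exports and tune the threshold to the site's normal mail volume.

```python
"""Flag internal hosts whose outbound SMTP connection rate looks like a spam bot."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Assumed threshold for illustration: a workstation that opens more than this
# many outbound TCP/25 connections in any 60-second window is flagged. Ordinary
# desktops relay through one mail server and rarely exceed a handful per minute;
# the ~3 500/min Symantec observed is far above it.
SPAM_THRESHOLD_PER_MIN = 60
WINDOW = timedelta(seconds=60)

# Assumed record format: "<iso-timestamp> <src-ip> -> <dst-ip>:<port>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) -> (?P<dst>\S+):25$")


def parse_line(line):
    """Return (timestamp, source_ip) for an outbound TCP/25 record, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group("ts")), m.group("src")


def peak_rates(lines, window=WINDOW):
    """For each source host, the largest number of TCP/25 connections seen inside any sliding window."""
    recent = defaultdict(deque)   # host -> timestamps still inside the window
    peak = defaultdict(int)
    events = [e for e in map(parse_line, lines) if e]
    events.sort()                 # exported logs are not guaranteed to be ordered
    for ts, src in events:
        q = recent[src]
        q.append(ts)
        while q[0] <= ts - window:  # drop connections that have aged out of the window
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return dict(peak)


def spam_bursts(lines, threshold=SPAM_THRESHOLD_PER_MIN):
    """Hosts exceeding the threshold, highest peak rate first."""
    hits = [(h, n) for h, n in peak_rates(lines).items() if n > threshold]
    return sorted(hits, key=lambda hn: -hn[1])


def constructed_log():
    """Constructed sample traffic (not real data): one bot-like host, one ordinary host, one non-SMTP flow."""
    start = datetime(2007, 1, 29, 10, 0, 0)
    lines = []
    # 10.0.0.5: 120 connections in 30 seconds, the kind of burst an infected host produces
    for i in range(120):
        ts = start + timedelta(milliseconds=250 * i)
        lines.append(f"{ts.isoformat(timespec='milliseconds')} 10.0.0.5 -> 198.51.100.{i % 200}:25")
    # 10.0.0.7: five messages through the site's mail relay over a minute
    for i in range(5):
        ts = start + timedelta(seconds=12 * i)
        lines.append(f"{ts.isoformat(timespec='milliseconds')} 10.0.0.7 -> 192.0.2.25:25")
    # 10.0.0.9: a web connection the parser must ignore
    lines.append(f"{start.isoformat(timespec='milliseconds')} 10.0.0.9 -> 192.0.2.80:80")
    return lines


if __name__ == "__main__":
    for host, rate in spam_bursts(constructed_log()):
        print(f"{host}: {rate} outbound SMTP connections in 60 s")
```

The sliding window matters more than a plain per-minute count: a bot that starts a burst at the 30-second mark of one minute and stops at the 30-second mark of the next can stay under a fixed-bucket threshold in both buckets while still exceeding it in the window that straddles them.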