Trojan.Packed.13


University of Bangor, Wales

As of today, the last major written chapter of my PhD dissertation, prior to the empirical work, is almost done and I therefore can soon fully concentrate on gathering questionnaires and working on tabulating my results.

I have just received my third email within 24 hours with an attachment with the following message.

This message has been processed by Symantec's AntiVirus Technology.

postcard.exe was infected with the malicious virus Trojan.Packed.13 and has been deleted because the file cannot be cleaned.

The latest email had the subject Your Friend and Lover. Hmm, I knew that one was phony right away! I am glad Norton caught these viruses, as some Trojans have managed to end up in my registry previously. Over time I have added more security programs. My opinion is that Microsoft and their operating systems should prevent viruses and spyware to a greater degree. There should be less necessity for secondary security software. The three email messages came to an email address associated with this blog, and so the email address could have been found through this blog, although I am not stating that this is likely. I shall continue posting articles and comments on some of the interesting material that is emailed to me. I do this for both educational and satirical purposes. Below is a link from Symantec with information about Trojan.Packed.13.

http://www.symantec.com/enterprise/security_response/weblog/2007/04/middle_east_war_or_just_more_j.html

Middle East War, or just more junk email?

Over the weekend Security Response received samples of the latest variants of Trojan.Peacomm and W32.Mixor doing the rounds. The social engineering trick employed this time is in appealing to people's sense of fear as well as natural curiosity of a possible Middle East war involving the United States, Iran and Israel.

Subjects include "USA Just Have Started World War III" / "Missle Strike: The USA kills more then 20000 Iranian citizens" / "Israel Just Have Started World War III" / "USA Missile Strike: Iran War just have started". From the sample emails that we have seen to date, the actual email body is blank, and the attached files have various names such as "video.exe", "movie.exe", "click here.exe", "clickme.exe", "readme.exe" and "read more.exe".

Proactively detected by Symantec antivirus software as Trojan.Packed.13, the underlying threats are actually nothing new. They are simply minor variants of Trojan.Peacomm and W32.Mixor (named W32.Mixor.AR@mm in this instance) which have been repacked in an attempt to avoid existing detection, and appear to have been largely successful at that attempt. The only differences between W32.Mixor.AR@mm and previous versions apart from the obvious email subjects are the filenames and registry values. A writeup has been posted containing this information. Continuing along the lines of the previous variant, Trojan.Peacomm employs rootkit technology, as described in a blog entry posted back in January.

Even though Symantec customers were protected from this without the need to update definitions, there is never a good time to let your guard down, even during a festive season when goodwill to others should surely be the overriding theme. The more shocking or unbelievable the subject of emails such as these, the more the contents should be treated with the suspicion they usually deserve. Hopefully the Easter bunny delivered something a little more pleasant to the majority than this tedious offering.

Posted by John McDonald on April 9, 2007 12:10 AM
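As an added example (not part of this post or of Symantec's write-up), here is a small mail-filter check in Python that flags a message on the indicators quoted above: a known lure subject, an executable attachment with one of the listed file names, and a blank body. The sample messages are constructed here, and the function and helper names are my own assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

# Subject lines and attachment names quoted in the Symantec write-up,
# plus the postcard.exe attachment named at the top of this post.
KNOWN_SUBJECTS = {
    "usa just have started world war iii",
    "missle strike: the usa kills more then 20000 iranian citizens",
    "israel just have started world war iii",
    "usa missile strike: iran war just have started",
}
KNOWN_ATTACHMENTS = {"video.exe", "movie.exe", "click here.exe",
                     "clickme.exe", "readme.exe", "read more.exe", "postcard.exe"}


def suspicious_reasons(raw: bytes) -> list:
    """Return the indicators a raw RFC 5322 message matches (empty if none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = str(msg["subject"] or "").strip().lower()
    if subject in KNOWN_SUBJECTS:
        reasons.append("known lure subject")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().strip() if body is not None else ""
    names = [(a.get_filename() or "").lower() for a in msg.iter_attachments()]
    exe_names = [n for n in names if n.endswith(".exe")]
    if exe_names:
        reasons.append("executable attachment")
        if any(n in KNOWN_ATTACHMENTS for n in exe_names):
            reasons.append("known attachment name")
        if not text:  # the write-up notes the message body is blank
            reasons.append("blank body with executable attachment")
    return reasons


def build_sample(subject: str, body: str, attachment_name: str = None) -> bytes:
    """Construct a test message (constructed sample, not a real capture)."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "me@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    if attachment_name:
        m.add_attachment(b"not a real program", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()
```

Any non-empty result is a reason to quarantine rather than deliver; a clean message returns an empty list.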


This arrived by email and is not from my ISP.
