W32/Peacomm!ZIP is a Trojan that infects Windows systems
and spreads through email.
The subject of the infected mail will be one of the following:
ATTN!
Virus Alert!
Worm Alert!
Spyware Detected!
Virus Activity Detected!
Warning!
The body of the infected mail is a combination of the two strings described below.
The first string will be one of the following:
Report
Warning
AutoComplaint
AbuseNotice
UrgentNotice
Notice
The second string will be:
Dear Customer,
Our robot has detected an abnormal activity from your IP
address on sending e-mails. Probably it is connected with
the last epedemic of a worm which does not have official
patches at the moment.
We recommend you to install this patch to remove worm files
and stop emai sending, otherwise your account will be
blocked.
We had archived the patch because the worm can modify
upoacked exe files. You should open the archive file, enter
the password and run the patch immediately.
Password: [random characters]
Customer Support Center Robot
The second string shown above is delivered as an image rather than as text.
The name of the infected attachment will be one of the following:
removal-[random number].zip
patch-[random number].zip
hotfix-[random number].zip
bugfix-[random number].zip
These files may be password-protected archives, with the password sent in the body of the mail.
Upon execution, the Trojan copies the file wincom32.sys (detected as W32/Peacomm.CQ) into the Windows System folder.
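
The lure characteristics listed above can be turned into a simple mail-filter heuristic. The following Python sketch is an added example, not a vendor signature: the function names, the sample messages and the rule "attachment name plus at least one other indicator" are assumptions made for illustration.

```python
import re
from email.message import EmailMessage

# Indicators taken from the description above.
SUBJECTS = {"ATTN!", "Virus Alert!", "Worm Alert!", "Spyware Detected!",
            "Virus Activity Detected!", "Warning!"}
BODY_WORDS = {"Report", "Warning", "AutoComplaint", "AbuseNotice",
              "UrgentNotice", "Notice"}
ATTACH_RE = re.compile(r"^(removal|patch|hotfix|bugfix)-\d+\.zip$", re.I)


def peacomm_indicators(msg):
    """Return the set of lure indicators present in an email message."""
    hits = set()
    if (msg.get("Subject") or "").strip() in SUBJECTS:
        hits.add("subject")
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        ctype = part.get_content_type()
        if name and ATTACH_RE.match(name.strip()):
            hits.add("attachment")
        elif ctype.startswith("image/"):
            hits.add("image_body")      # second string arrives as an image
        elif ctype == "text/plain" and not name:
            text = part.get_payload(decode=True).decode("latin-1").strip()
            if text in BODY_WORDS:
                hits.add("body_word")   # first string is a single keyword
    return hits


def is_suspect(msg):
    """Assumed rule: attachment name matches plus one more indicator."""
    hits = peacomm_indicators(msg)
    return "attachment" in hits and len(hits) >= 2


def build_sample(subject, body, attach_name, with_image=True):
    """Constructed test message; payload bytes are inert placeholders."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content(body)
    if with_image:
        m.add_attachment(b"GIF89a", maintype="image", subtype="gif")
    m.add_attachment(b"PK\x05\x06" + b"\x00" * 18, maintype="application",
                     subtype="zip", filename=attach_name)
    return m
```

Because the archive may be password protected, gateway scanners often cannot inspect its contents, which is why this sketch keys on the message structure and attachment name instead.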