New 'storm worm' spam run launched

The so-called storm worm has returned with a vengeance as more than two million trojan-based spam began bombarding inboxes on Thursday, researchers said.

The new spam run - targeting enteprises and home users - contains the latest variant of the Peacomm trojan, included as part of a password-protected ZIP file to avoid detection by anti-virus solutions, Dave Cole, director of Symantec Security Response, told SCMagazine.com.

"It's the biggest malcode spam run we've seen in a long time," he said, adding that experts believe the attack is originating out of Eastern Europe.

This time, the spammers have switched up the social engineering technique used to dupe recipients into opening the infected files. In previous storm worm spam assualts, which started in January after a fierce wind storm battered Europe, the messages came with headlines of real or fake current events.

This time, the subject lines claim "Trojan Detected!" or "Worm Activity Detected!" in an attempt to cajole users into executing the malicious files.

"There's some irony that may be lost on people," Cole said. "They're telling you that you have a virus to infect you with a virus. People will fall for it just because they're not expecting a virus alert to deliver a virus payload."

But he said that in order for the payload to occur, recipients must type in a password to "un-zip" the attachment.

"That could be why there was such a large spam run associated with this," Cole said. "The enticement isn't as good as some of the other ones. Maybe (the spammer) did a larger run because they expected the infected numbers to be lower."

Ken Dunham, director of VeriSign iDefense's Rapid Response Team, said in an email that once executed, the trojan installs a rootkit that uses a peer-to-peer network to communicate and update. He warned users that this latest attack will result in continued infections.