# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to others' work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#

Rule: SPECIFIC-THREATS Trojan Peacomm smtp propagation detection (1:10065) (thru sid 1:10077)

--
Sid: 1:10065 (thru 1:10077)

--
Summary:
An executable attachment received via e-mail that, once executed by the user, compromises the user's PC by installing a rootkit and a UDP communication channel used for the distribution of spam.

--
Impact:
High

--
Detailed Information:
An executable attachment received via e-mail that, once executed by the user, compromises the user's PC by installing a rootkit and a UDP communication channel used for the distribution of spam. Users are lured into opening the attachment by describing it as a video news story related to current news events. The subject and body of the e-mail vary. Once compromised, the PC starts sending high volumes (2000-3000 msgs/min) of mail traffic. The backdoor UDP communication channel typically uses udp/4000 and udp/7871 to communicate with a botnet. Also known as the Storm Trojan and as Trojan.Peacomm (Symantec).

--
Affected Systems:
Microsoft Windows Operating Systems

--
Attack Scenarios:
?

--
Ease of Attack:
Simple; the user runs an attachment sent to them by e-mail.

--
False Positives:
None known

--
False Negatives:
None known

--
Corrective Action:
Patch the operating system and anti-virus program. Drop .exe attachments inbound and outbound. Educate users.

--
Contributors:
David Morris, CISSP icurnet@gmail.com

--
Additional References:
http://www.symantec.com/outbreak/storm_trojan.html
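The Detailed Information section names two network behaviours a defender can look for beyond the SMTP content signature itself: outbound UDP to the backdoor's usual ports (4000 and 7871) and a burst of outbound SMTP from a single desktop. The script below is an added example of host triage over flow records built on those two indicators; it is not part of the snort.org description and not Snort project code. The flow record format, the internal address range, the mail relay allowlist and the SMTP burst threshold are assumptions made for this example, and the sample flows are constructed.

```python
"""Host triage over flow records for the two network indicators in the
Peacomm/Storm write-up: outbound UDP to udp/4000 or udp/7871, and an
outbound SMTP burst from one host.

Added example, not from the snort.org description or the Snort project.
Record format, internal range, relay allowlist and threshold are assumptions."""

from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Ports the description names as the backdoor's typical UDP channel.
PEACOMM_UDP_PORTS = {4000, 7871}
# Assumed threshold: an infected host is described at 2000-3000 msgs/min,
# so a much lower trigger still catches the ramp-up while staying far
# above what a desktop normally opens.
SMTP_PER_MINUTE_THRESHOLD = 50
# Assumed monitored range and legitimate mail relays (a known
# false-positive source for any SMTP-rate heuristic).
INTERNAL = ip_network("10.0.0.0/8")
MAIL_RELAYS = {ip_address("10.0.0.25")}


def parse_flow(line):
    """Parse one constructed record:
    '<ISO timestamp> <src_ip> <dst_ip> <proto> <dst_port>'.
    Returns None for malformed lines so one bad record never aborts triage."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, proto, dport = parts
    try:
        return {
            "ts": datetime.fromisoformat(ts),
            "src": ip_address(src),
            "dst": ip_address(dst),
            "proto": proto.lower(),
            "dport": int(dport),
        }
    except ValueError:
        return None


def triage(lines):
    """Return {internal_host: [reasons]} for hosts matching either indicator."""
    smtp_per_minute = defaultdict(lambda: defaultdict(int))
    udp_hits = defaultdict(set)
    for line in lines:
        f = parse_flow(line)
        # Only outbound traffic from monitored hosts is of interest here.
        if f is None or f["src"] not in INTERNAL or f["dst"] in INTERNAL:
            continue
        src = str(f["src"])
        if f["proto"] == "udp" and f["dport"] in PEACOMM_UDP_PORTS:
            udp_hits[src].add(f["dport"])
        elif f["proto"] == "tcp" and f["dport"] == 25 and f["src"] not in MAIL_RELAYS:
            minute = f["ts"].replace(second=0, microsecond=0)
            smtp_per_minute[src][minute] += 1

    findings = defaultdict(list)
    for src, ports in udp_hits.items():
        findings[src].append("udp to backdoor ports %s" % sorted(ports))
    for src, buckets in smtp_per_minute.items():
        peak = max(buckets.values())
        if peak >= SMTP_PER_MINUTE_THRESHOLD:
            findings[src].append("smtp burst: %d sessions/min" % peak)
    return dict(findings)


def build_sample():
    """Constructed flows: one infected-looking host (10.1.1.7), one normal
    desktop, one DNS-only host and the allowlisted relay sending a lot of mail."""
    flows = []
    for i in range(60):  # 60 SMTP sessions inside one minute from 10.1.1.7
        flows.append("2007-01-19T12:00:%02d 10.1.1.7 198.51.100.10 tcp 25" % i)
    flows.append("2007-01-19T12:00:30 10.1.1.7 203.0.113.44 udp 4000")
    flows.append("2007-01-19T12:00:31 10.1.1.7 203.0.113.45 udp 7871")
    for i in range(3):  # a desktop sending three messages is unremarkable
        flows.append("2007-01-19T12:01:%02d 10.1.1.8 198.51.100.10 tcp 25" % i)
    flows.append("2007-01-19T12:01:10 10.1.1.9 203.0.113.53 udp 53")
    for i in range(200):  # relay traffic is excluded by the allowlist
        flows.append("2007-01-19T12:02:%02d 10.0.0.25 198.51.100.20 tcp 25" % (i % 60))
    flows.append("this line is malformed and must be ignored")
    return flows


if __name__ == "__main__":
    for host, reasons in triage(build_sample()).items():
        print(host, "->", "; ".join(reasons))
```

Run as a script it prints only the infected-looking host with both reasons. Flows whose destination is inside the monitored range are skipped deliberately: the description concerns outbound propagation and botnet traffic, and counting internal mail submission to the relay would otherwise flag every ordinary client.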