Jan 24, 2007

[Malware Warning] CME-711 on the Loose

The Storm worm and its Trojan cohorts had a wonderful run over the weekend, and the fun continues.

The current variant, detected as Small.DAM (F-Secure, Radar Alert 2), TROJ_SMALL.EDW (Trend Micro, medium overall risk rating), Downloader-BAI!M711 (McAfee) or Trojan.Peacomm (Symantec, Category 3), and catalogued as CME-711, is usually spammed out or dropped by another piece of malware. The subject lines of the spam e-mails that carry this Trojan usually refer to recent or current events.

When executed, this Trojan drops several files, one of which is a rootkit driver that hides the Trojan's files and processes from the running system.

It also connects to several IP addresses on port 4000 (F-Secure's data; Trend Micro lists several UDP ports).

Removing this Trojan is hard because of the rootkit: while the rootkit driver is loaded, its files do not show up in Explorer or in normal directory listings, so they can be present even though you cannot see them. Delete the following files if you find them on your system (if a file refuses to be deleted, the driver is still loaded; deleting it from outside the running system, for example after booting from clean recovery media, gets around this):

* peers.ini
* wincom32.sys
* wincom32.ini

If you believe your system is infected but cannot find those files, use a rootkit detector. Tools of this kind compare what the Windows API reports (files, processes, registry keys) with what is actually on disk and flag the entries that the API view leaves out. Here are some of them:

* Trend Micro RootkitBuster (free)
* Microsoft Sysinternals RootkitRevealer (free)

Note that these tools are technical in nature and thus not for average users. I suggest you use the documentation (if any) provided by the software maker.
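The two checks above, the file names to look for and the "compare two views of the same directory" idea behind the rootkit detectors, as a small triage script. This is example code added to this post, not a tool from F-Secure, Trend Micro, McAfee or Symantec. It assumes you have saved two bare directory listings (for example `dir /a /b` output) of the same system directory, one taken on the running system and one taken after booting from clean media or from an offline copy of the disk, plus a saved `netstat -ano` listing; the sample listings embedded below are constructed, not captured from a real infection.

```python
"""Triage helpers for the CME-711 / Small.DAM / Trojan.Peacomm indicators
named in this post (example code, not a vendor tool).

Check 1, cross-view file detection: a rootkit that filters directory
enumeration hides its files from the running system's API view, but the
same directory read from clean boot media or an offline disk image still
shows them. Anything present offline but missing live is hidden.

Check 2, network: flag netstat lines whose local or remote port is 4000,
the port given in the post from F-Secure's data.
"""
import re

# File names this post lists for CME-711.
STORM_FILES = {"peers.ini", "wincom32.sys", "wincom32.ini"}
# Port from F-Secure's data as quoted in the post.
STORM_PORT = 4000


def parse_bare_listing(text):
    """Parse one-name-per-line output such as `dir /a /b`.
    Names are case-folded because NTFS file names are case-insensitive."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def hidden_files(live_listing, offline_listing):
    """Names visible in the offline view but missing from the live API view."""
    return sorted(parse_bare_listing(offline_listing) - parse_bare_listing(live_listing))


def storm_files_present(listing):
    """Known Storm file names found in a listing (live or offline)."""
    return sorted(parse_bare_listing(listing) & STORM_FILES)


# One `netstat -ano` row: proto, local, remote, optional state (TCP only),
# optional PID. Header and blank lines do not match.
_NETSTAT_LINE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?(?:\s+(?P<pid>\d+))?\s*$"
)


def port_of(addr):
    """Port number of 'host:port' (IPv4 or [IPv6]), or None for '*:*'."""
    port = addr.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None


def port_connections(netstat_text, port=STORM_PORT):
    """netstat -ano rows whose local or remote port equals `port`."""
    hits = []
    for line in netstat_text.splitlines():
        m = _NETSTAT_LINE.match(line)
        if m and port in (port_of(m["local"]), port_of(m["remote"])):
            hits.append({"proto": m["proto"], "local": m["local"],
                         "remote": m["remote"], "pid": m["pid"]})
    return hits


def triage(live_listing, offline_listing, netstat_text):
    """Combine both checks into one report."""
    hidden = hidden_files(live_listing, offline_listing)
    return {
        "hidden_files": hidden,
        "storm_files_hidden": sorted(set(hidden) & STORM_FILES),
        "port_4000": port_connections(netstat_text),
    }


# Constructed sample: the system directory as seen by the running (infected) system.
LIVE_LISTING = """\
drivers
kernel32.dll
ntoskrnl.exe
services.exe
svchost.exe
"""

# Constructed sample: the same directory read after booting from clean media.
OFFLINE_LISTING = """\
drivers
kernel32.dll
ntoskrnl.exe
peers.ini
services.exe
svchost.exe
wincom32.ini
wincom32.sys
"""

# Constructed sample of `netstat -ano` output (PIDs and addresses made up).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    192.168.1.5:1044       192.0.2.10:80          ESTABLISHED     1720
  UDP    0.0.0.0:4000           *:*                                    1632
  UDP    192.168.1.5:4000       *:*                                    1632
"""

if __name__ == "__main__":
    for key, value in triage(LIVE_LISTING, OFFLINE_LISTING, NETSTAT_SAMPLE).items():
        print(f"{key}: {value}")
```

Files that appear only in the offline view are hidden from the live system and deserve a close look whatever their names; the Storm names are matched separately so a renamed dropper still shows up in `hidden_files`. A process ID that appears on the port-4000 rows can then be checked against the process list from the same live snapshot.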

For a detailed cleaning solution, read the one from Trend Micro.

Your antivirus can remove this malware automatically, as long as its detection signatures are up to date.
