Submission Summary:

• Submission details:
• Submission received: 2 April 2008, 09:05:05
• Processing time: 3 min 42 sec
• Submitted sample:
• File MD5: 0xCD3F48A3DB406BE73FBBFB66C675CB33
• File SHA-1: 0x1B0AE38CFB015822BEAC8B15428C37A0BDAC604A
• Filesize: 139,777 bytes
• Alias:
• Trojan.Peacomm [Symantec]
• W32/Nuwar@MM [McAfee]

• Summary of the findings:

What's been found	Severity Level
Threat characteristics of the Storm worm (aka CME-711/Peacomm/Nuwar/Zhelatin/Tibs). This threat is normally received as an email attachment; it may consist of a rootkit, a peer-to-peer client, and a mass-mailing worm component. To bypass firewalls, its code may be injected and run from the legitimate services.exe process.
Capability to send out email message(s) with the built-in SMTP client engine.
Searching for email addresses by enumerating files with the certain extensions. This functionality is used by mass-mailers and spam-bots.
Backdoor functionality: connected remote users are able to perform multiple actions on the compromised system.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

• Attention! The following threat categories were identified:

Threat Category	Description
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system
	A network-aware worm that attempts to replicate across the existing network(s)
	A malicious trojan horse or bot that may represent security risk for the compromised system and/or its network environment

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Windir%\aromis.config	43,847 bytes	MD5: 0x1B7959D4C0A4B986F7230DCAA6200164 SHA-1: 0xD266D9BEC8015ABFD82FDBC8CBD0C85DF0CCF64C	(not available)
2	%Windir%\aromis.exe [file and pathname of the sample #1]	139,777 bytes	MD5: 0xCD3F48A3DB406BE73FBBFB66C675CB33 SHA-1: 0x1B0AE38CFB015822BEAC8B15428C37A0BDAC604A	Trojan.Peacomm [Symantec] W32/Nuwar@MM [McAfee]

• Note:
• %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

Memory Modifications

• There were new processes created in the system:

Process Name	Process Filename	Main Module Size
aromis.exe	%Windir%\aromis.exe	147,456 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	147,456 bytes

• The following module was loaded into the address space of other process(es):

Module Name	Module Filename	Address Space Details
testdll_f.dll	%Windir%\testdll_f.dll	Process name: aromis.exe Process filename: %Windir%\aromis.exe Address space: 0x320000 - 0x343000

Registry Modifications

• The newly created Registry Value is:
• [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
• aromis = "%Windir%\aromis.exe"

so that aromis.exe runs every time Windows starts

Other details

• The following ports were open in the system:

Heuristics Analysis

• Heuristically identified details of the peer-to-peer botnet that could be used to download the latest instructions:

• Heuristically identified capability to harvest email addresses (e.g. for spamming or mass-mailing purposes) from files with the following extensions:

• Heuristically identified that addresses containing the following strings are not harvested: