Method of Infection
It has been reported to CA Antivirus solutions that Win32/Pecoan arrives onto a compromised system through a number of different delivery mechanisms. It can be dropped by the worms Win32/Luder.L or Win32/Luder.K, and it can arrive in a spammed e-mail with various subject lines and attachment filenames.
Examples of subject lines used in the spammed e-mail include:
230 dead as storm batters Europe.
British Muslims Genocide
Chinese missile shot down USA satellite
If I Knew
Naked teens attack home director.
Radical Muslim drinking enemies' blood.
Russian missle shot down Chinese satellite
Russian missle shot down USA aircraft
Sadam Hussein alive!
Sadam Hussein safe and sound!
The commander of a U.S. nuclear submarine lunch the rocket by mistake.
U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
U.S. Southwest braces for another winter blast. More then 1000 people are dead.
WG: A killer at 11, he's free at 21 and kill again!
Example attachment names include:
Click Here.exe
flash postcard.exe
Full News.exe
Full Story.exe
Full Text.exe
Full Video.exe
FullClip.exe
Greeting Card.exe
greeting postcard.exe
More Here.exe
Read More.exe
video.exe
Please see below for examples of spammed e-mail.


When executed, Win32/Pecoan drops a driver with the file name "wincom32.sys" into the %System% directory and installs it. This driver is used to inject code into the "services.exe" process so that the trojan's subsequent activities appear to originate from this process. Some variants, such as Win32/Pecoan.G, include extra functionality in the driver that allows it to hide its file on disk and its registry entries from the user.
Note: '%System%' is a variable location. The malware determines the location of the current System folder by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95, 98 and ME it is C:\Windows\System; and for XP it is C:\Windows\System32.
Payload
Downloads and Executes Arbitrary Files
The trojan attempts to establish communications with other systems on a custom peer-to-peer network. It connects to certain IP addresses through local UDP port 4000 (Win32/Pecoan.G uses local UDP port 7871) in order to download and execute arbitrary files onto the compromised system.
These IP addresses, along with possible IPs that the trojan blacklists, are stored in a file in the %System% directory. Most variants use the file name "peers.ini", while some variants use the name "wincom32.ini".
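The file and network artifacts named in this description (the dropped "wincom32.sys" driver, the "peers.ini" / "wincom32.ini" peer list in %System%, and a local UDP socket on port 4000 or 7871) can be checked for on a host in a few lines. The script below is an added triage example written for this page; it is not CA's detection logic or part of the malware. It assumes the standard Windows `netstat -ano` column layout for UDP rows and the `%SystemRoot%` environment variable, and the sample directory listing and netstat text embedded in it are constructed, not captured from an infection.

```python
"""Host triage helper for the Win32/Pecoan artifacts described on this page.

The check functions take already-collected data (a list of file names from the
System directory and the text output of `netstat -ano`), so the logic can run
and be tested offline; main() shows how to feed it live data on Windows.
"""
import os
import re
import subprocess
import sys

# File artifacts named on the page: the dropped driver and the two names
# used for the peer-list file.
PECOAN_FILES = {"wincom32.sys", "peers.ini", "wincom32.ini"}

# Local UDP ports named on the page: 4000 for most variants, 7871 for Pecoan.G.
PECOAN_UDP_PORTS = {4000, 7871}

# Assumed Windows `netstat -ano` UDP row layout, e.g.
#   UDP    0.0.0.0:4000           *:*                                    1588
_NETSTAT_UDP = re.compile(
    r"^\s*UDP\s+(?P<addr>\S+):(?P<port>\d+)\s+\*:\*\s+(?P<pid>\d+)\s*$"
)


def find_file_artifacts(system_dir_listing):
    """Return the page-listed Pecoan file names present in a System directory listing."""
    hits = [n for n in system_dir_listing if n.lower() in PECOAN_FILES]
    return sorted(hits, key=str.lower)


def parse_netstat_udp(netstat_text):
    """Parse `netstat -ano` output into (local_addr, port, pid) tuples for UDP rows."""
    sockets = []
    for line in netstat_text.splitlines():
        m = _NETSTAT_UDP.match(line)
        if m:
            sockets.append((m.group("addr"), int(m.group("port")), int(m.group("pid"))))
    return sockets


def find_udp_artifacts(netstat_text):
    """Return UDP sockets bound to the page's Pecoan ports, as (addr, port, pid)."""
    return [s for s in parse_netstat_udp(netstat_text) if s[1] in PECOAN_UDP_PORTS]


def triage(system_dir_listing, netstat_text):
    """Combine both checks into a dict a responder can log or act on."""
    files = find_file_artifacts(system_dir_listing)
    udp = find_udp_artifacts(netstat_text)
    return {"files": files, "udp_sockets": udp, "suspicious": bool(files) or bool(udp)}


# Constructed sample data (not captured from a real infection) for an offline run.
SAMPLE_LISTING = ["kernel32.dll", "WINCOM32.SYS", "peers.ini", "ntoskrnl.exe"]
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  UDP    0.0.0.0:4000           *:*                                    1588
  UDP    127.0.0.1:1900         *:*                                    1320
"""


def main():
    if os.name == "nt":
        # Live collection on Windows: %SystemRoot%\System32 and `netstat -ano`.
        system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
        listing = os.listdir(system_dir)
        netstat = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    else:
        listing, netstat = SAMPLE_LISTING, SAMPLE_NETSTAT
    result = triage(listing, netstat)
    for name in result["files"]:
        print(f"file artifact in System directory: {name}")
    for addr, port, pid in result["udp_sockets"]:
        print(f"UDP {addr}:{port} bound by PID {pid}")
    print("suspicious" if result["suspicious"] else "no Pecoan indicators found")
    return 1 if result["suspicious"] else 0


if __name__ == "__main__":
    sys.exit(main())
```

The PID reported for a matching UDP socket is worth resolving to a process name: because the driver injects into "services.exe", that socket being owned by services.exe rather than a standalone executable is consistent with the behaviour described above. The file check only covers the names this page lists; variants that hide their files via the driver will not be found by a plain directory listing and need an offline or rootkit-aware scan.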
Analysis by Amir Fouda