We got a repeat of what happened last night – but with a modified version of the trojan and fresh news items in the subject field.
This time the subjects in the mails are:
Russian missle shot down Chinese satellite
Russian missle shot down USA aircraft
Russian missle shot down USA satellite
Chinese missile shot down USA aircraft
Chinese missile shot down USA satellite
Sadam Hussein alive!
Sadam Hussein safe and sound!
Radical Muslim drinking enemies' blood.
U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
U.S. Southwest braces for another winter blast. More then 1000 people are dead.
Venezuelan leader: "Let's the War beginning".
Fidel Castro dead.
Hugo Chavez dead.
And the attachment names are:
Video.exe
Full Video.exe
Read More.exe
Full Text.exe
Full Clip.exe
When run, this malware creates a peer-to-peer botnet via port 7871/UDP or 4000/UDP.
We detect this as Trojan-Downloader.Win32.Agent.bet.
Update on Saturday: A few hours later, there was another run with new and modified variants. Mostly the same Subject fields, with the addition of:
President of Russia Putin dead
Third World War just have started!
The Supreme Court has been attacked by terrorists. Sen. Mark Dayton dead!
The commander of a U.S. nuclear submarine lunch the rocket by mistake.
First Nuclear Act of Terrorism!
Update on Sunday: Another run. This time with a different theme included in the subjects:
So in Love
Happy World Religion Day!
Most Beautiful Girl
Someone at Last
I Believe
The Dance of Love
The Miracle of Love
All For You
Vacation Love
I am Complete
Wrapped Up
Moonlit Waterfall
A Little (sex) Card
A Special Kiss
Hugging My Pillow
Safe and Sound
You're Soo kissable
A Romantic Place
Breakfast in Bed
Coupon For You
I Love You So
Safe and Sound
Want to Meet?
We Are Different
We Have Walked
You Asked Me Why
New filenames include Flash Postcard.exe.
Detection for these is in our update 2007-01-21_04.
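The subject lines changed with every run while the attachment was always an .exe file, so a mail-gateway check is better keyed on the attachment than on the subject. The following is an added example, not code from this post or from our products: the function names, addresses and sample messages are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Attachment names reported in this post, compared case-insensitively.
KNOWN_NAMES = {n.lower() for n in (
    "Video.exe", "Full Video.exe", "Read More.exe",
    "Full Text.exe", "Full Clip.exe", "Flash Postcard.exe")}


def check_message(raw: bytes) -> list:
    """Return (filename, verdict) for each .exe attachment in a raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # container parts and the body text carry no filename
        # Normalise case, padding and trailing dots before testing the extension.
        norm = name.strip().rstrip(".").lower()
        if norm.endswith(".exe"):
            verdict = "known-name" if norm in KNOWN_NAMES else "exe-attachment"
            hits.append((name, verdict))
    return hits


def build_sample(subject: str, filename: str) -> bytes:
    """Build a constructed test message; the payload is harmless placeholder bytes."""
    m = EmailMessage()
    m["From"] = "sender@example.com"   # constructed address
    m["To"] = "user@example.com"       # constructed address
    m["Subject"] = subject
    m.set_content("see attachment")
    m.add_attachment(b"constructed placeholder, not a real executable",
                     maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    samples = [
        ("Fidel Castro dead.", "Full Video.exe"),       # subject and name from this post
        ("Some new headline", "Greeting Card.EXE"),     # constructed: unseen subject and name
        ("Quarterly report", "report.pdf"),             # constructed: benign control
    ]
    for subject, filename in samples:
        print(subject, "->", check_message(build_sample(subject, filename)))
```

The second sample is still flagged even though neither its subject nor its filename appears in any of the lists above, which is the behaviour needed against a run that rotates both.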