VMware Cloud Community
hicksj
Virtuoso

Trojan.Peacomm.B

Anyone else seen anything about this?

From:

http://www.symantec.com/security_response/writeup.jsp?docid=2007-041314-1900-99&tabid=2

"When the Trojan is executed, it checks for the presence of the following two applications and will shut down the compromised computer if either of those programs is present:

VMWare

VirtualPC"

Interesting. For something that is meant to drop in rootkits and send spam, I wonder why it would shut down a "valuable" host - unless the malware writer either

a) semi-sympathizes with virtualization, therefore is shutting the machine down instead of infecting it, or,

b) has something further against virtualization, trying to tarnish virtualization by specifically targeting its availability?

Why not instead detect that the system is actually a virtual machine and then mask its rootkits blue pill style?

J

6 Replies
oreeh
Immortal

My guess is that the trojan really checks if it's inside a VM and Symantec simplified their write-up.

hicksj
Virtuoso

I had thought that, but there's a HUGE difference...

oreeh
Immortal

Are you sure Symantec / the editor knows this difference? :)

hicksj
Virtuoso

Very good point! ;)

Maybe I'll quiz them...

bpalleschi
Contributor

Had this doozy on my home PC. I used Symantec Enterprise (I think it was 8) with system restore turned off in XP and it got rid of it. I had VMware Workstation installed and it rebooted my actual PC a bunch of times.

wila
Immortal

No, actually the reason is very straightforward. Most of today's antivirus/trojan/whatever-computer-badness research is done in VMs these days. So the trojan author is just trying to hide its trojan from researchers. This is common practice these days.

Detection methods for checking if you are running an application within a virtualized host are shared and published on the internet. There are web sites targeting virus authors that have more details on this, including programs and other tips. I could jot those URLs down here, but I don't really want to give pointers to the script kiddies.

| Author of Vimalin. The virtual machine Backup app for VMware Fusion, VMware Workstation and Player |
| More info at vimalin.com | Twitter @wilva