hicksj
Virtuoso
Virtuoso

Trojan.Peacomm.B

Anyone else seen anything about this?

From:

http://www.symantec.com/security_response/writeup.jsp?docid=2007-041314-1900-99&tabid=2

"When the Trojan is executed, it checks for the presence of the following two applications and will shut down the compromised computer if either of those programs are present:

VMWare

VirtualPC"[/i]

Interesting. For something that is meant to drop in rootkits and send spam, I wonder why it would shutdown a "valuable" host - unless the malware writer either,

a) semi-sympathizes with virtualization, therefore is shutting the machine down instead of infecting it, or,

b) has something further against virtualization, trying to tarnish virtualization by specifically targeting its availability?

Why not instead detect that the system is actually a virtual machine and then mask its rootkits blue pill style?

J

0 Kudos
6 Replies
oreeh
Immortal
Immortal

My guess is that the trojan really checks if he's inside a VM and Symantec simplified their writings.

0 Kudos
hicksj
Virtuoso
Virtuoso

I had thought that, but there's a HUGE difference...

0 Kudos
oreeh
Immortal
Immortal

Are you sure Symantec / the editor knows this difference? Smiley Happy

0 Kudos
hicksj
Virtuoso
Virtuoso

Very good point! Smiley Wink

Maybe I'll quiz them...

0 Kudos
bpalleschi
Contributor
Contributor

Had this doesy on my home PC. I used Symantec Enterprise (I think it was 😎 with system restore turned off in XP and it got rid of it. I had VMware Workstation installed and it rebooted my actual PC a bunch of times.

0 Kudos
wila
Leadership
Leadership

No, actually the reason is very straightforward. Most of today's antivirus/trojan/whatever-computer-badness research is done in VM's these days. So the trojan author just is trying to hide its trojan for researchers. This is common practice these days.

Detection methods for checking if you are running an application within a virtualized host are shared and published on the internet. There are web sites targeting virus authors that have more details on this including programs and other tips. I can jot those url's down here, but don't really want to give pointers to the script kiddies.

| Author of Vimalin. The virtual machine Backup app for VMware Fusion, VMware Workstation and Player |
| More info at vimalin.com | Twitter @wilva
0 Kudos