The malware dubbed Peacomm by Symantec and Pecoan by CA began spreading Thursday as an attachment, claiming to have video of last week's deadly European wind storm.
It now arrives in inboxes with a romantic subject containing different file names and is using Port 7871 to communicate with IP addresses once it infects a machine, researchers said.
The new variants also include rootkit technologies to cloak their presence.
"When you create a new variant, we have to develop new anti-virus detection for it," Dean Turner senior manager of Symantec Security Response, told SC Magazine.com today. "What they are trying to do is stay ahead of the anti-virus companies."
Still, home users are much more likely to be infected than those in the enterprise because most corporate anti-spam and firewall solutions strip attachments at the gateway, experts said.
"While the Peacomm trojan represents a significant threat to consumers it is not a significant threat to the enterprise because the payload carrying the trojan is delivered by an .exe inside email," said Andrew Storms, director of security operations at nCircle.
"This means the trojan will most certainly not make it past most corporate border defenses.
"Even if the trojan did manage to make its way inside by some other means, such as a floppy disk or USB device, then local anti-virus software will undoubtedly catch it. At this time, this trojan simply isn't a contending threat to the enterprise."
The ultimate goal of the attack is to build armies of botnets to send millions of penny stock spam, he said.
Company researchers said the spam is being distributed at a rate of 1,800 emails during five-minute intervals.
Turner said the trojan has infected at least 1.6 million PCs, and Symantec raised its risk level to a category 3 threat, out of a possible five. He added that the May 2005 Sober worm was the last time researchers saw a threat spread with such explosiveness.
"Current activity shows Pecoan has, in a little over a week, become a fully-fledged mass-disseminated piece of malware with rootkit capabilities," CA's Scott Molenkamp said on the company's Security Advisor Research Blog.
He added that the malware is working in conjunction with another trojan, named Sinteri, to spread spam.
Click here to email reporter Dan Kaplan.
Storm worm still on botnet-building path
By Dan Kaplan on Jan 25, 2007 7:17AM