Spam-Mailbot

Type: Trojan
SubType: -
Discovery Date: 12/07/2005
Length: Varies
Minimum DAT: 4646 (12/08/2005)
Updated DAT: 5341 (07/17/2008)
Minimum Engine: 5.1.00
Description Added: 12/07/2005
Description Modified: 12/08/2005 3:38 AM (PT)
Risk Assessment
  Corporate User: Low
  Home User: Low

Characteristics

This trojan runs inside the memory space of winlogon.exe (it is registered as a Winlogon notification package, see the registry entry under Symptoms), so its network activity appears to come from a trusted system process and slips past detection and per-application firewall rules. It downloads a list of e-mail addresses and spam content from designated websites, then sends mail to the addresses in that list using its own SMTP engine, so it does not depend on the victim's mail client or mail server. The 'From' field, subject and body of the mail vary with the downloaded spam content.

An example of such a mail can be:

To: rbtmbeckne@gmx.de
Subject: News for rbtmbeckne@gmx.de
From: "Smith"

   XXXX XXXX Corporation,
   Symbol: XXXX.XX
   Price: .11
   already up 5 cents from Friday Dec 2nd
   Active (strong)

   Volume Has Been Pretty Good Lately With Two Sessions Where Over 10 Million
   Shares Traded. PR Program This Weekend Apprising Potential Investors of This
   One. A new PR campiagn will start Thursday.
   Get in before this starts for the best gains

   News
   Great news just released. This should really start to move!

   The News
   Payday Loan Leader Cash Now Re-Launches Infomercials, Fueling Expansion
   of Licensees and Further Organic Growth Market Wire (Wed 10:00am)

   Payday Loan Leader Cash Now Strengthens Infrastructure to Handle Increase
   in Business -- 'Scaling for the Future' Market Wire (Wed 10:00am)

E-mail addresses can also be harvested from files on the victim's hard drive(s) with the following extensions:

  • .wab (Windows Address Book)
  • .tbb (TheBat! E-mail Data)
  • .tbi (TheBat! E-mail Data)
  • .doc (Word Document)
  • .xls (Excel Document)
  • .txt (text file)
  • .csv (Comma Separated text file)
  • .htm (Web Document)
  • .html (Web Document)
  • .xml (XML Document)

This trojan also performs a bandwidth (speed) test against ftp.mozilla.org and reports the harvested e-mail addresses, the operating system, the measured speed and mailing statistics to designated websites.

Symptoms

  1. Presence of the following Windows Registry entry:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ "msctl32.dll" = "C:\Windows\System32\msctl32.dll"
  2. Presence of the following file:
    • %SystemRoot%\System32\msctl32.dll
  3. Unexpected HTTP traffic (from winlogon.exe) destined for one or more of the following websites:
    • [hidden].manwithnoname.biz
    • [hidden].[hidden]problemkiller.com
    • login.shivaspace[hidden].cn
    • [hidden].mailcleaners[hidden].com
    • root.tld-s[hidden].cc
    • login.posty[hidden].com
    • secure.trafika[hidden].net
    • login.sima[hidden].biz
    • logout.vitara[hidden].org
    • [hidden].adwebster.info
  4. Unexpected increase in outgoing SMTP traffic (TCP Port 25).
  5. Process winlogon.exe requesting outbound permission to ftp.mozilla.org / TCP Port 80 on your personal desktop firewall.
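The five symptoms above can be turned into a hunt. The Python below is an added example, not part of the original AVERT description: it flags Winlogon\Notify subkeys that are not in a baseline allowlist (the standard Notify layout, one subkey per package holding a DLLName value, is assumed for how the msctl32.dll entry is stored), turns the advisory's redacted hostnames into patterns in which "[hidden]" matches one run of label characters, and applies symptoms 3 to 5 to a connection log that names the owning process. The .reg export and the log lines are constructed for the example; the baseline package list is an assumption taken from a default XP/2003 install and should be rebuilt from a known-clean machine of the same build.

```python
"""Hunt for the Spam-Mailbot indicators listed under Symptoms.

Added example, not part of the AVERT description. Both inputs are
constructed: a .reg-style export of the Winlogon\\Notify key and a
per-connection log that names the owning process (what a desktop firewall
log or a netstat -b correlation gives you).
"""
import re
from collections import Counter

NOTIFY_PATH = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
               r"\CurrentVersion\Winlogon\Notify")

# Notify packages on a default XP/2003 install (assumed allowlist; rebuild
# it from a known-clean machine of the same build).
BASELINE_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop",
                   "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}

# Redacted hosts from the advisory; "[hidden]" is an unknown run of label chars.
HOST_INDICATORS = [
    "[hidden].manwithnoname.biz", "[hidden].[hidden]problemkiller.com",
    "login.shivaspace[hidden].cn", "[hidden].mailcleaners[hidden].com",
    "root.tld-s[hidden].cc", "login.posty[hidden].com",
    "secure.trafika[hidden].net", "login.sima[hidden].biz",
    "logout.vitara[hidden].org", "[hidden].adwebster.info",
]


def indicator_regex(indicator):
    """Compile a '[hidden]'-redacted hostname into an anchored pattern."""
    pat = re.escape(indicator).replace(re.escape("[hidden]"), r"[^.]*")
    return re.compile("^" + pat + "$", re.IGNORECASE)


INDICATOR_RES = [indicator_regex(h) for h in HOST_INDICATORS]


def matches_indicator(host):
    return any(r.match(host) for r in INDICATOR_RES)


def rogue_notify_packages(reg_export, baseline=BASELINE_NOTIFY):
    """Symptoms 1-2: Notify subkeys outside the baseline, with their DLLName."""
    rogue, current, values = [], None, {}
    prefix = (NOTIFY_PATH + "\\").lower()

    def flush():
        if current is not None and current.lower() not in baseline:
            rogue.append((current, values.get("DLLName")))

    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            flush()
            key = line[1:-1]
            current = key[len(prefix):] if key.lower().startswith(prefix) else None
            values = {}
        elif current is not None and "=" in line:
            name, _, val = line.partition("=")
            # .reg files double the backslashes inside string values
            values[name.strip().strip('"')] = val.strip().strip('"').replace("\\\\", "\\")
    flush()
    return rogue


CONN_RE = re.compile(r"^\S+ \S+ TCP \S+:\d+ -> (?P<dst>\S+):(?P<dport>\d+)"
                     r" proc=(?P<proc>\S+) host=(?P<host>\S+)$")


def hunt_connections(log_text, smtp_spike=5):
    """Symptoms 3-5: winlogon.exe on TCP 80/25, known hosts, SMTP volume."""
    findings, smtp_by_proc = [], Counter()
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue
        proc, host, dport = m["proc"].lower(), m["host"].lower(), int(m["dport"])
        if dport == 25:
            smtp_by_proc[proc] += 1
        if matches_indicator(host):
            findings.append(f"known Spam-Mailbot host {host} contacted by {proc}")
        if proc == "winlogon.exe" and dport in (25, 80):
            what = "speed test" if host == "ftp.mozilla.org" else f"TCP/{dport}"
            findings.append(f"winlogon.exe outbound {what} to {host}")
    for proc, n in smtp_by_proc.items():
        if n >= smtp_spike:
            findings.append(f"{proc} opened {n} SMTP connections (own SMTP engine?)")
    return findings


# Constructed sample inputs for the example.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DLLName"="crypt32.dll"
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\msctl32.dll]
"DLLName"="C:\\Windows\\System32\\msctl32.dll"
"Startup"="WlxStartupEvent"
"""

SAMPLE_CONNECTIONS = """\
2005-12-07 10:01:12 TCP 10.0.0.5:1041 -> 203.0.113.10:80 proc=winlogon.exe host=login.shivaspace-team.cn
2005-12-07 10:01:13 TCP 10.0.0.5:1042 -> 198.51.100.7:80 proc=winlogon.exe host=ftp.mozilla.org
2005-12-07 10:01:15 TCP 10.0.0.5:1043 -> 192.0.2.25:25 proc=winlogon.exe host=mx1.example.net
2005-12-07 10:01:15 TCP 10.0.0.5:1044 -> 192.0.2.26:25 proc=winlogon.exe host=mx2.example.net
2005-12-07 10:01:16 TCP 10.0.0.5:1045 -> 192.0.2.27:25 proc=winlogon.exe host=mx3.example.net
2005-12-07 10:01:16 TCP 10.0.0.5:1046 -> 192.0.2.28:25 proc=winlogon.exe host=mx4.example.net
2005-12-07 10:01:17 TCP 10.0.0.5:1047 -> 192.0.2.29:25 proc=winlogon.exe host=mx5.example.net
2005-12-07 10:02:00 TCP 10.0.0.5:1101 -> 192.0.2.80:443 proc=firefox.exe host=www.example.org
"""

if __name__ == "__main__":
    for pkg, dll in rogue_notify_packages(SAMPLE_REG):
        print(f"rogue Winlogon Notify package {pkg} -> {dll}")
    for finding in hunt_connections(SAMPLE_CONNECTIONS):
        print(finding)
```

Two design points: the allowlist approach catches any Notify package that is not on your baseline, not just msctl32.dll, which is the right shape for a persistence location that several families abuse; and because "[hidden]" is treated as a single label, a bare apex such as manwithnoname.biz does not match (widen `[^.]*` to `.*` if you want that looser match).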

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, e-mail, etc.

Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have that combination (at least the Minimum DAT and Minimum Engine listed above).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
