Spam-DComServ.dr

Type: Trojan
SubType: Dropper
Discovery Date: 01/17/2006
Length:
Minimum DAT: 4676 (01/17/2006)
Updated DAT: 5237 (02/25/2008)
Minimum Engine: 5.1.00
Description Added: 01/17/2006
Description Modified: 10/23/2006 12:17 PM (PT)
Risk Assessment: Corporate User Low-Profiled, Home User Low-Profiled

Characteristics

-- Update October 23, 2006 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.eweek.com/article2/0,1895,2034680,00.asp

This trojan executes and hooks into the system registry to remain persistent after reboots. It also modifies the system hosts file in an attempt to prevent security updates from being retrieved.

It is believed that the trojan downloads a copy of Kaspersky Anti-Virus to scan the local system and remove malware other than itself, but we have not witnessed this, as the remote sites the trojan attempts to contact are no longer available.

Symptoms

  1. Presence of the following Windows Registry entries:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Explorer XXXX" = "[filename]"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad "DCOM Server XXXX" = "{2C1CD3D7-86AC-4068-93BC-A02304BBXXXX}"
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler "{2C1CD3D7-86AC-4068-93BC-A02304BBXXXX}" = "DCOM Server XXXX"

    Where [filename] is the path and filename from which the trojan was first executed.
    Where XXXX is the control port number of the particular sample. We witnessed 2238, although other values are known to exist.

  2. Presence of appended data to the hosts file:
    • A list of security-vendor hostnames is appended to the %SystemRoot%\System32\Drivers\etc\hosts file, each entry pointing to the local loopback interface [127.0.0.1], so that those vendors' update and download servers resolve to the infected machine itself.

  3. Unexpected network traffic (from [filename]) destined for the following IP address:
    • [hidden].66.195.67

    At the time of writing the remote site was down, so the expected downloading, spam mailing and similar activity was not witnessed.
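The three registry locations and the hosts-file change above can be checked offline from a saved .reg export and a copy of the hosts file. The following is an added example, not AVERT's own tooling or detection logic; the sample export and hosts lines are constructed here (port 2238 and the file path are illustrative), and the hosts check is deliberately generalized to flag any name other than localhost pinned to loopback rather than matching a fixed vendor list.

```python
import re
# Constructed samples (not captures from the advisory): a hosts file with vendor names pinned
# to loopback, and a .reg-style export of the three persistence locations, using port 2238.
SAMPLE_HOSTS = """127.0.0.1       localhost
127.0.0.1 rads.mcafee.com
127.0.0.1 liveupdate.symantec.com
"""
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Explorer 2238"="C:\\Documents and Settings\\user\\Desktop\\setup.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"DCOM Server 2238"="{2C1CD3D7-86AC-4068-93BC-A02304BB2238}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304BB2238}"="DCOM Server 2238"
"""
CLSID_RE = r"\{2C1CD3D7-86AC-4068-93BC-A02304BB[0-9A-Fa-f]{4}\}"  # last 4 chars vary per sample
PATTERNS = [  # (subkey under CurrentVersion, value-name regex, value-data regex)
    (r"\Run", r"Explorer (\d+)", r".+"),
    (r"\ShellServiceObjectDelayLoad", r"DCOM Server (\d+)", CLSID_RE),
    (r"\Explorer\SharedTaskScheduler", CLSID_RE, r"DCOM Server (\d+)"),
]

def hosts_redirects(text):
    """Return hostnames a hosts file pins to loopback, excluding 'localhost' itself."""
    hits = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, tolerate tabs and spaces
        if len(fields) >= 2 and fields[0] in ("127.0.0.1", "::1"):
            hits.extend(h for h in fields[1:] if h.lower() != "localhost")
    return hits

def parse_reg_export(text):
    """Parse a .reg-style export into {key_path: {value_name: data}} (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and (m := re.match(r'"([^"]+)"="(.*)"$', line)):
            keys[current][m.group(1)] = m.group(2)
    return keys

def persistence_findings(keys):
    """Return (subkey, value_name, port) for entries matching the three documented patterns."""
    base = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
    findings = []
    for subkey, name_re, data_re in PATTERNS:
        for name, data in keys.get(base + subkey, {}).items():
            mn, md = re.fullmatch(name_re, name), re.fullmatch(data_re, data)
            if mn and md:  # the port lives in whichever side carried the capture group
                findings.append((subkey.lstrip("\\"), name, int((mn.groups() or md.groups())[0])))
    return findings
```

A Run entry alone only says "Explorer NNNN" launched a file; the SSODL and SharedTaskScheduler entries sharing the same CLSID prefix and port are what tie the three together.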

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.

Variants

    N/A

Overview

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.
