Spam-Loot

Type
Trojan
SubType
Spam
Discovery Date
02/23/2006
Length
Minimum DAT
4704 (02/23/2006)
Updated DAT
5265 (04/02/2008)
Minimum Engine
5.1.00
Description Added
02/23/2006
Description Modified
01/31/2007 7:53 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

  • Packed with UPX, the length of this trojan is approximately 46 KB.
  • Its name always contains the string "exmodulb", although this may change in future variants.

The trojan attempts to terminate the following security services.

  • KAVPersonal50
  • kavsvc
  • navapsvc
  • Outpost
  • SAVScan
  • Symantec Core LC
  • WindowsFirewall
  • winroute.exe
  • wrctrl.exe
  • wscsvc
  • wuauserv
  • ZoneAlarm

The trojan is able to relay spam messages to mail servers at the following domains.

  • aol.com
  • gmail.com
  • hotmail.com
  • netscape.com
  • yahoo.com

The trojan attempts to update itself if a new version is available at rizalof.com.

Symptoms

  1. Presence of the aforementioned characteristics.
  2. Unexpected increase in outgoing SMTP traffic (TCP Port 25).
  3. Unexpected HTTP traffic to the following websites.
    • out.catchon[hidden].com
    • seek#.loot[hidden].com
    • [hidden].rizalof.com
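Symptoms 2 and 3 above are network-observable, so they can be checked from perimeter firewall or proxy logs. The following is an added example, not part of the AVERT description: it counts direct outbound TCP/25 sessions per internal host and flags HTTP requests to hostnames resembling the redacted ones listed above. The log format, the sample lines, the internal relay address and the SMTP threshold are all constructed here; the hostname patterns are assumptions built from the visible fragments, since the page hides the real domains.

```python
"""Detection sketch for the Spam-Loot network symptoms (added example)."""
import re
from collections import Counter

# Constructed sample log lines (not real traffic), one connection per line:
# timestamp src_ip proto dst_ip dst_port [http_host]
SAMPLE_LOG = """\
2006-02-23T10:00:01 10.0.0.5 tcp 64.12.1.1 25
2006-02-23T10:00:02 10.0.0.5 tcp 64.12.1.2 25
2006-02-23T10:00:03 10.0.0.5 tcp 72.14.1.1 25
2006-02-23T10:00:04 10.0.0.5 tcp 65.54.1.1 25
2006-02-23T10:00:05 10.0.0.5 tcp 66.94.1.1 25
2006-02-23T10:00:06 10.0.0.5 tcp 203.0.113.9 80 out.catchonEXAMPLE.com
2006-02-23T10:00:07 10.0.0.5 tcp 203.0.113.10 80 seek2.lootEXAMPLE.com
2006-02-23T10:00:08 10.0.0.7 tcp 10.0.0.1 25
2006-02-23T10:00:09 10.0.0.7 tcp 203.0.113.11 80 www.example.com
2006-02-23T10:00:10 10.0.0.9 tcp 203.0.113.12 80 update.rizalof.com
"""

# The AVERT page redacts the hostnames ("[hidden]"); these patterns are
# assumptions derived from the visible fragments, not confirmed indicators.
SUSPICIOUS_HOST_PATTERNS = [
    re.compile(r"^out\.catchon", re.IGNORECASE),
    re.compile(r"^seek\d*\.loot", re.IGNORECASE),
    re.compile(r"(^|\.)rizalof\.com$", re.IGNORECASE),
]

# Assumed baseline: a workstation rarely opens several direct TCP/25 sessions
# to external hosts; a spam relay opens many.
SMTP_THRESHOLD = 3
# Constructed: the organisation's legitimate mail relay, excluded from the count.
INTERNAL_MAIL_RELAY = "10.0.0.1"


def parse_line(line):
    """Split one log line into a record; return None for malformed lines."""
    fields = line.split()
    if len(fields) < 5:
        return None
    ts, src, proto, dst, port = fields[:5]
    host = fields[5] if len(fields) > 5 else None
    return {"ts": ts, "src": src, "proto": proto, "dst": dst,
            "port": int(port), "host": host}


def analyze(log_text):
    """Return per-host SMTP alerts and HTTP requests to suspicious hostnames."""
    smtp_counts = Counter()
    suspicious_http = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        # Symptom 2: direct outbound SMTP from a host that is not the mail relay.
        if rec["proto"] == "tcp" and rec["port"] == 25 and rec["dst"] != INTERNAL_MAIL_RELAY:
            smtp_counts[rec["src"]] += 1
        # Symptom 3: HTTP to a hostname matching one of the listed patterns.
        if rec["port"] == 80 and rec["host"]:
            if any(pat.search(rec["host"]) for pat in SUSPICIOUS_HOST_PATTERNS):
                suspicious_http.append((rec["src"], rec["host"]))
    smtp_alerts = {src: n for src, n in smtp_counts.items() if n >= SMTP_THRESHOLD}
    return {"smtp_alerts": smtp_alerts, "suspicious_http": suspicious_http}


def flagged_hosts(result):
    """Internal hosts showing either symptom, sorted for reporting."""
    hosts = set(result["smtp_alerts"]) | {src for src, _ in result["suspicious_http"]}
    return sorted(hosts)


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for src, n in report["smtp_alerts"].items():
        print(f"{src}: {n} direct outbound SMTP sessions (possible spam relay)")
    for src, host in report["suspicious_http"]:
        print(f"{src}: HTTP request to suspicious host {host}")
    print("hosts to investigate:", flagged_hosts(report))
```

A host that shows both indicators (here 10.0.0.5) is the strongest candidate; a lone match on the HTTP patterns should be confirmed against the actual indicator list before acting on it, since the patterns here are guesses around redacted names.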

Method of Infection

Latest versions of this trojan are observed to be downloaded via Backdoor-CMQ and Backdoor-CXT.

Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

    N/A

All Information

Overview -

This is a Trojan detection for Spam-Loot. This trojan has been observed being downloaded via Backdoor-CMQ and Backdoor-CXT. In order to successfully send spam, the trojan requires a specially formatted list of harvested email addresses; for this purpose it contacts the following websites.

  • out.catchon[hidden].com
  • seek#.loot[hidden].com
  • 195.49.xx.39

When downloaded via the backdoor, this trojan is placed in the %TEMP% directory. It does not make any other file or registry changes.

Update 31/1/2007

Later versions of this trojan modify the firewall policy to grant themselves access to the outside world.