Spam-Mailbot.c

Type
Trojan
SubType
Rootkit
Discovery Date
07/03/2006
Length
Minimum DAT
4798 (07/03/2006)
Updated DAT
5259 (03/25/2008)
Minimum Engine
5.1.00
Description Added
07/19/2006
Description Modified
07/19/2006 8:00 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

System Changes

Files Added

  • %WINDIR%\system32:lzx32.sys (Detected as Spam-Mailbot.c!Rootkit)

Registry

The following registry keys are created:

  • hkey_local_machine\system\currentcontrolset\services\pe386
    \security
  • hkey_local_machine\system\currentcontrolset\services\pe386
    \imagepath="\??\%WINDIR%\System32:lzx32.sys"
  • hkey_local_machine\system\currentcontrolset\services\pe386\start
    ="1"
  • hkey_local_machine\system\currentcontrolset\services\pe386\group
    ="Base"
  • hkey_local_machine\system\currentcontrolset\services\pe386
    \extparam=""
  • hkey_local_machine\system\currentcontrolset\services\pe386
    \security\security="(binary registry data)"
  • hkey_local_machine\system\currentcontrolset\services\pe386
    \errorcontrol="0"
  • hkey_local_machine\system\currentcontrolset\services\pe386\type
    ="1"
  • hkey_local_machine\system\currentcontrolset\services\pe386
    \displayname="Win23 lzx files loader"

Other characteristics

  1. Attempts to hide from processes whose names contain the following strings:
    • Rootkitrevealer
    • BlackLight
    • Rkdetector
    • gmer.exe
    • endoscope.EXE
    • DarkSpy
    • Anti-Rootkit
  2. Contains the following string, which suggests the rootkit is still in its development phase and that more variants may appear:
    • "Z:\New Projects\spambot\last_beta\driver\objfre\i386\driver.pdb"
  3. May create a temporary log file at:
    • %Windir%\Temp\<RANDOM>.tmp.log

 

Symptoms

It may open random TCP ports within the context of the legitimate "Services.exe" process.

Attempts to contact the following URLs:

  • www.google.com
  • ftp.icq.com
  • maila.microsoft.com
  • 208.66.194.14/index.php?page=main

     

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc.

Removal

All Users:

Manual Removal Instructions

1. Reboot your system using the Windows Recovery Console.
2. Select R to start the Recovery Console.
3. At the Recovery Console command prompt, type DISABLE pe386
4. Type Exit.
5. Rescan the system with the latest DATs upon reboot.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

Spam-Mailbot.c implements advanced rootkit techniques to hide its presence. It hides in an Alternate Data Stream and has functionality to send spam e-mails. This trojan also displays backdoor capabilities by running its code within the context of services.exe.

Aliases

  • Symantec - Backdoor.Rustock.B
