Content

Spam-Mespam

Type
Trojan
SubType
Spam
Discovery Date
02/27/2007
Length
96,845 bytes
Minimum DAT
4973 (02/28/2007)
Updated DAT
5200 (01/04/2008)
Minimum Engine
5.1.00
Description Added
02/27/2007
Description Modified
04/24/2007 11:18 AM (PT)
Risk Assessment
Corporate User
Low-Profiled
Home User
Low-Profiled

Tab Navigation

Characteristics

-- Update April 24, 2007 --
Recent variants of this trojan may try to connect to one of the following URLs to retrieve email messages to be spammed

  • http://skilltests.org/zu/[REMOVED]
  • http://zup.secondsite1.com/[REMOVED]

--

-- Update February 27, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://securitywatch.eweek.com/exploits_and_attacks/new_storm_worm_spreading_via_blog_posts.html
--

Upon execution, the trojan connects to the following site to retrieve the email messages to be spammed:

  • http://66.148.74.7/[removed].php

The downloaded messages are saved to the following files.

  • %Sysdir%\pfxzmtaim.dll
  • %Sysdir%\pfxzmtforum.dll
  • %Sysdir%\pfxzmtgtal.dll
  • %Sysdir%\pfxzmticq.dll
  • %Sysdir%\pfxzmtsmt.dll
  • %Sysdir%\pfxzmtsmtspm.dll
  • %Sysdir%\pfxzmtwbmail.dll
  • %Sysdir%\pfxzmtymsg.dll
  • %Sysdir%\sfxzmtsmt.dll
  • %Sysdir%\sfxzmtsmtspm.dll

(Where %Sysdir% is the Windows System directory, for example C:\WINDOWS\SYSTEM)

It sends spam messages via the following webmail services:

  • webmail.tiscali.co.uk
  • earthlink.net
  • comcast.net
  • webmail.bellsouth.net
  • fastmail.fm
  • mail.google.com
  • care2.com
  • mail.com
  • mail.rambler.ru
  • hotmail.msn.com
  • mail.yahoo.com
  • lycos.com
  • webmail.aol.com
  • win.mail.ru

The trojan also sends the message to the following instant messenger services:

  • GoogleTalk
  • Yahoo! Messenger
  • AOL Instant Messenger

It attempts to download Downloader-BAI trojan from the remote site:

  • ds.nac.net

Symptoms

The trojan drops the following files.

  • %Sysdir%\rsvp32_2.dll
  • %Sysdir%\rsvp32_2.dll435

(Where %Sysdir% is the Windows System directory, for example C:\WINDOWS\SYSTEM)

It also drops the clean file.

  • %Sysdir%\sporder.dll

(Where %Sysdir% is the Windows System directory, for example C:\WINDOWS\SYSTEM)

The following registriy key is added.

  • HKEY_LOCAL_MACHINE\SOFTWARE\WinSock2\Buibert

It installs rsvp32_2.dll as a Layered Service Provider by modifying the following registry key.

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries

The trojan creates the following mutex to ensure that only one instance is run on the victim machine.

  •  Global\iowerjfgiowejroigeu894389

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants

    N/A

All Information

Overview -

The trojan is designed to download email messages from a remote site and spam via webmail services.

Aliases

  • Email-Worm.Win32.Zhelatin.as (Kaspersky)
  • Mal/Cimuz-A (Sophos)
  • Trojan.Mespam (Symantec)
  • Win32/Difisim.AG (CA)

Characteristics

Characteristics -

-- Update April 24, 2007 --
Recent variants of this trojan may try to connect to one of the following URLs to retrieve email messages to be spammed

  • http://skilltests.org/zu/[REMOVED]
  • http://zup.secondsite1.com/[REMOVED]

--

-- Update February 27, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://securitywatch.eweek.com/exploits_and_attacks/new_storm_worm_spreading_via_blog_posts.html
--

Upon execution, the trojan connects to the following site to retrieve the email messages to be spammed:

  • http://66.148.74.7/[removed].php

The downloaded messages are saved to the following files.

  • %Sysdir%\pfxzmtaim.dll
  • %Sysdir%\pfxzmtforum.dll
  • %Sysdir%\pfxzmtgtal.dll
  • %Sysdir%\pfxzmticq.dll
  • %Sysdir%\pfxzmtsmt.dll
  • %Sysdir%\pfxzmtsmtspm.dll
  • %Sysdir%\pfxzmtwbmail.dll
  • %Sysdir%\pfxzmtymsg.dll
  • %Sysdir%\sfxzmtsmt.dll
  • %Sysdir%\sfxzmtsmtspm.dll

(Where %Sysdir% is the Windows System directory, for example C:\WINDOWS\SYSTEM)

It sends spam messages via the following webmail services:

  • webmail.tiscali.co.uk
  • earthlink.net
  • comcast.net
  • webmail.bellsouth.net
  • fastmail.fm
  • mail.google.com
  • care2.com
  • mail.com
  • mail.rambler.ru
  • hotmail.msn.com
  • mail.yahoo.com
  • lycos.com
  • webmail.aol.com
  • win.mail.ru

The trojan also sends the message to the following instant messenger services:

  • GoogleTalk
  • Yahoo! Messenger
  • AOL Instant Messenger

It attempts to download Downloader-BAI trojan from the remote site:

  • ds.nac.net

Symptoms

Symptoms -

The trojan drops the following files.

  • %Sysdir%\rsvp32_2.dll
  • %Sysdir%\rsvp32_2.dll435

(Where %Sysdir% is the Windows System directory, for example C:\WINDOWS\SYSTEM)

It also drops the clean file.

  • %Sysdir%\sporder.dll

(Where %Sysdir% is the Windows System directory, for example C:\WINDOWS\SYSTEM)

The following registriy key is added.

  • HKEY_LOCAL_MACHINE\SOFTWARE\WinSock2\Buibert

It installs rsvp32_2.dll as a Layered Service Provider by modifying the following registry key.

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries

The trojan creates the following mutex to ensure that only one instance is run on the victim machine.

  •  Global\iowerjfgiowejroigeu894389

Method of Infection

Method of Infection -

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Removal -

Removal -

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

Variants -

    N/A