Content
Spam-Mespam
- Type
- Trojan
- SubType
- Spam
- Discovery Date
- 02/27/2007
- Length
- Varies
- Minimum DAT
- 4973 (02/28/2007)
- Updated DAT
- 5652 (06/20/2009)
- Minimum Engine
- 5.3.00
- Description Added
- 02/27/2007
- Description Modified
- 06/19/2009 11:56 AM (PT)
Risk Assessment
- Corporate User
- Low-Profiled
- Home User
- Low-Profiled
Tab Navigation
Characteristics
-- Update June 18, 2009 --
Recent variants of this trojan may try to connect to one of the following URLs to retrieve email messages to be spammed
- http://trafficshop.tw/[REMOVED]
They download malicious files to the following locations:
- Current directory
- %WINDIR%\system32 (where %WINDIR% is usually C:\Windows)
- %WINDIR%\Temp
- C:\Documents and Settings\All Users\Application Data
One of the malicious files downloaded is the FakeAlert-WinwebSecurity Trojan.
-- Update April 24, 2007 --
Recent variants of this trojan may try to connect to one of the following URLs to retrieve email messages to be spammed
- http://skilltests.org/zu/[REMOVED]
- http://zup.secondsite1.com/[REMOVED]
--
-- Update February 27, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://securitywatch.eweek.com/exploits_and_attacks/new_storm_worm_spreading_via_blog_posts.html
--
Upon execution, the trojan connects to the following site to retrieve the email messages to be spammed:
- http://66.148.74.7/[removed].php
The downloaded messages are saved to the following files.
- %Sysdir%\pfxzmtaim.dll
- %Sysdir%\pfxzmtforum.dll
- %Sysdir%\pfxzmtgtal.dll
- %Sysdir%\pfxzmticq.dll
- %Sysdir%\pfxzmtsmt.dll
- %Sysdir%\pfxzmtsmtspm.dll
- %Sysdir%\pfxzmtwbmail.dll
- %Sysdir%\pfxzmtymsg.dll
- %Sysdir%\sfxzmtsmt.dll
- %Sysdir%\sfxzmtsmtspm.dll
(Where %Sysdir% is the Windows System directory, for example C:\WINDOWS\SYSTEM)
It sends spam messages via the following webmail services:
- webmail.tiscali.co.uk
- earthlink.net
- comcast.net
- webmail.bellsouth.net
- fastmail.fm
- mail.google.com
- care2.com
- mail.com
- mail.rambler.ru
- hotmail.msn.com
- mail.yahoo.com
- lycos.com
- webmail.aol.com
- win.mail.ru
The trojan also sends the message to the following instant messenger services:
- GoogleTalk
- Yahoo! Messenger
- AOL Instant Messenger
It attempts to download Downloader-BAI trojan from the remote site:
- ds.nac.net
Symptoms
The trojan drops the following files.
- %Sysdir%\rsvp32_2.dll
- %Sysdir%\rsvp32_2.dll435
or
- %Sysdir%\SOCKET2.dll
- %Sysdir%\SOCKET2W.dll
(Where %Sysdir% is the Windows System directory, for example C:\WINDOWS\SYSTEM)
It also drops the clean file.
- %Sysdir%\sporder.dll
(Where %Sysdir% is the Windows System directory, for example C:\WINDOWS\SYSTEM)
The following registry key is added.
- HKEY_LOCAL_MACHINE\SOFTWARE\WinSock2\Buibert
It installs rsvp32_2.dll as a Layered Service Provider by modifying the following registry key.
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
The trojan creates the following mutex to ensure that only one instance is run on the victim machine.
- Global\iowerjfgiowejroigeu894389
or
- Global\FGVVSDSGBB
Method of Infection
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.
Removal
All Users:
Use specified engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Variants
Variants
N/A
All Information
Overview -
--Update June 19, 2009--
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.eweek.com/c/a/Security/40000-Web-Sites-Compromised-in-Mass-Attack-227486/?kc=rss
----
The trojan is designed to download email messages from a remote site and spam via webmail services. Some variants download malicious files as well.
Aliases
- Email-Worm.Win32.Zhelatin.as (Kaspersky)
- Mal/Cimuz-A (Sophos)
- Trojan.Mespam (Symantec)
- Win32/Difisim.AG (CA)
Characteristics
Characteristics -
-- Update June 18, 2009 --
Recent variants of this trojan may try to connect to one of the following URLs to retrieve email messages to be spammed
- http://trafficshop.tw/[REMOVED]
They download malicious files to the following locations:
- Current directory
- %WINDIR%\system32 (where %WINDIR% is usually C:\Windows)
- %WINDIR%\Temp
- C:\Documents and Settings\All Users\Application Data
One of the malicious files downloaded is the FakeAlert-WinwebSecurity Trojan.
-- Update April 24, 2007 --
Recent variants of this trojan may try to connect to one of the following URLs to retrieve email messages to be spammed
- http://skilltests.org/zu/[REMOVED]
- http://zup.secondsite1.com/[REMOVED]
--
-- Update February 27, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://securitywatch.eweek.com/exploits_and_attacks/new_storm_worm_spreading_via_blog_posts.html
--
Upon execution, the trojan connects to the following site to retrieve the email messages to be spammed:
- http://66.148.74.7/[removed].php
The downloaded messages are saved to the following files.
- %Sysdir%\pfxzmtaim.dll
- %Sysdir%\pfxzmtforum.dll
- %Sysdir%\pfxzmtgtal.dll
- %Sysdir%\pfxzmticq.dll
- %Sysdir%\pfxzmtsmt.dll
- %Sysdir%\pfxzmtsmtspm.dll
- %Sysdir%\pfxzmtwbmail.dll
- %Sysdir%\pfxzmtymsg.dll
- %Sysdir%\sfxzmtsmt.dll
- %Sysdir%\sfxzmtsmtspm.dll
(Where %Sysdir% is the Windows System directory, for example C:\WINDOWS\SYSTEM)
It sends spam messages via the following webmail services:
- webmail.tiscali.co.uk
- earthlink.net
- comcast.net
- webmail.bellsouth.net
- fastmail.fm
- mail.google.com
- care2.com
- mail.com
- mail.rambler.ru
- hotmail.msn.com
- mail.yahoo.com
- lycos.com
- webmail.aol.com
- win.mail.ru
The trojan also sends the message to the following instant messenger services:
- GoogleTalk
- Yahoo! Messenger
- AOL Instant Messenger
It attempts to download Downloader-BAI trojan from the remote site:
- ds.nac.net
Symptoms
Symptoms -
The trojan drops the following files.
- %Sysdir%\rsvp32_2.dll
- %Sysdir%\rsvp32_2.dll435
or
- %Sysdir%\SOCKET2.dll
- %Sysdir%\SOCKET2W.dll
(Where %Sysdir% is the Windows System directory, for example C:\WINDOWS\SYSTEM)
It also drops the clean file.
- %Sysdir%\sporder.dll
(Where %Sysdir% is the Windows System directory, for example C:\WINDOWS\SYSTEM)
The following registry key is added.
- HKEY_LOCAL_MACHINE\SOFTWARE\WinSock2\Buibert
It installs rsvp32_2.dll as a Layered Service Provider by modifying the following registry key.
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
The trojan creates the following mutex to ensure that only one instance is run on the victim machine.
- Global\iowerjfgiowejroigeu894389
or
- Global\FGVVSDSGBB
Method of Infection
Method of Infection -
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.
Removal -
Removal -
All Users:
Use specified engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Additional Windows ME/XP removal considerations
Variants
Variants -
N/A
