Spam-Xarvester
- Type: Virus
- SubType: Malware Tool
- Discovery Date: 03/28/2007
- Length: Varies
- Minimum DAT: 4994 (03/28/2007)
- Updated DAT: 5101 (08/20/2007)
- Minimum Engine: 5.1.00
- Description Added: 03/28/2007
- Description Modified: 04/24/2007 3:44 PM (PT)
Characteristics
Only an individual library component has been available for analysis so far. Reports indicate that it is dropped or installed by another piece of malware, typically using the following path and filename:
- C:\cp1041.nls
Multiple variants have been seen, though the file size so far is consistently in the 85-90KB range. Analysis of the variants seen to date indicates they are likely used to generate and/or send email spam from the host system.
Modifications to the LSP stack and patching of the system file NDIS.SYS are reported in conjunction with the presence of Spam-Xarvester. Multiple reports state that the patched NDIS.SYS will re-create the dropped file if it is deleted. System instability (random reboots, blue-screen errors, etc.) is also associated with the presence of this threat and the installing malware.
Symptoms
- Presence of the "cp1041.nls" file in the root folder (though name may vary, it has been consistent to date)
- Possible unauthorized outgoing SMTP communications on TCP port 25
Method of Infection
A live dropper or installer for this threat has yet to be obtained and examined by McAfee Avert Labs. To date, reports indicate the installing malware may utilize a drive-by download (browser exploit) of unknown nature. Installation via standard Trojan vectors may also be possible (via email attachment, P2P applications, or other means relying on execution by the user or another piece of software).
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Though no samples have yet been seen to confirm, there are reports of this threat having a "watchdog" capability or parent component, typically via a patch to NDIS.SYS. If this is the case, Spam-Xarvester may be re-created by the patched file after cleaning. In this situation it may be necessary to first restart in Safe Mode and manually replace the patched NDIS.SYS file with a known clean copy of the appropriate version for your operating system and patch level.
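The following PowerShell triage script is an added example, not part of the McAfee description or any McAfee tool. It checks a host for the indicators listed under Symptoms (the dropped file in the root folder and outbound TCP port 25 connections) and, because the Removal section reports a patched NDIS.SYS re-creating the file, also checks the Authenticode signature of the local NDIS.SYS. The file path and port come from this page; the signature check, the SHA-256 reporting, and the assumption of PowerShell 4.0 or later (for Get-FileHash) are additions made here.

```powershell
# Added triage script (not from the McAfee description). Checks the host for the
# indicators listed on this page. Requires PowerShell 4.0+ for Get-FileHash.
param(
    [string]$IndicatorPath = 'C:\cp1041.nls',   # path reported under Symptoms
    [int]$SmtpPort = 25                          # outbound SMTP port from Symptoms
)

$findings = @()

# 1. Presence of the dropped library in the root folder. The hash is recorded
#    so the sample can be submitted or compared; the page gives no hash values.
if (Test-Path -LiteralPath $IndicatorPath) {
    $item = Get-Item -LiteralPath $IndicatorPath -Force
    $hash = (Get-FileHash -LiteralPath $IndicatorPath -Algorithm SHA256).Hash
    $findings += "File present: $IndicatorPath ($($item.Length) bytes, SHA256 $hash)"
}

# 2. Outbound TCP connections to the SMTP port. netstat output is parsed rather
#    than using Get-NetTCPConnection so the check also works on older Windows.
#    Columns: Proto, Local Address, Foreign Address, State, PID.
$lines = netstat -ano | Select-String 'ESTABLISHED|SYN_SENT'
foreach ($line in $lines) {
    $fields = $line.Line.Trim() -split '\s+'
    if ($fields.Count -ge 5 -and $fields[0] -like 'TCP*') {
        $remote = $fields[2]
        $remotePort = [int]$remote.Substring($remote.LastIndexOf(':') + 1)
        if ($remotePort -eq $SmtpPort) {
            $pidValue = $fields[4]   # $PID is reserved, so a different name is used
            $proc = Get-Process -Id $pidValue -ErrorAction SilentlyContinue
            $findings += "Outbound SMTP: $remote from PID $pidValue ($($proc.ProcessName))"
        }
    }
}

# 3. Integrity of NDIS.SYS (assumption: a patched driver no longer carries a
#    valid Microsoft Authenticode signature; this check is ours, not McAfee's).
$ndis = Join-Path $env:SystemRoot 'System32\drivers\ndis.sys'
if (Test-Path -LiteralPath $ndis) {
    $sig = Get-AuthenticodeSignature -FilePath $ndis
    if ($sig.Status -ne 'Valid') {
        $findings += "NDIS.SYS signature status: $($sig.Status) ($ndis)"
    }
}

# Report. A clean host should list nothing.
if ($findings.Count -eq 0) {
    Write-Output 'No Spam-Xarvester indicators found.'
} else {
    Write-Output 'Possible Spam-Xarvester indicators:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it from an elevated prompt so netstat reports owning PIDs and the driver file is readable. On Windows versions earlier than 8, Get-AuthenticodeSignature does not evaluate catalog signatures, so a stock NDIS.SYS can report NotSigned there; treat that result as a prompt to compare the file against a known clean copy of the matching version, as the Removal section advises, not as proof of patching. A legitimate mail client will also show up in the port 25 check, so review the process name before acting on that finding.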
Overview
Spam-Xarvester is a software component that appears to be involved with generating/sending spammed email messages.
Variants
N/A