Virus: TR/SpamBot.E
Date discovered: 19/07/2010
Type: Trojan
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Medium
Damage Potential: Medium
Static file: Yes
File size: 55.808 Bytes
MD5 checksum: 64ce27a4edc375f5dcb68b8641738f34
IVDF version: 7.10.09.151 - Wednesday, July 21, 2010

General method of propagation:
   • No own spreading routine


Aliases:
   •  Mcafee: Spam-Mailbot.m
   •  Sophos: Mal/FakeAV-CZ
   •  Microsoft: Spammer:Win32/Tedroo
   •  Panda: Bck/Bredolab.AZ
   •  DrWeb: Trojan.Spambot.6788


Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Registry modification
   • Uses its own Email engine

Registry:
The following registry keys are added in order to run the processes after reboot:

– [HKLM\Software\Microsoft\Windows\CurrentVersion\run]
   • "userini"="%WINDIR%\explorer.exe:userini.exe"

– [HKCU\Software\Microsoft\Windows\CurrentVersion\run]
   • "userini"="%WINDIR%\explorer.exe:userini.exe"

– [HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
   • "userini"="%WINDIR%\explorer.exe:userini.exe"

– [HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
   • "userini"="%WINDIR%\explorer.exe:userini.exe"

Various Explorer settings:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer]
   New value:
   • "id"="F15ECF88A2EC"
   • "remove"="%executed file%"
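As an added example, not part of the Avira description, the following read-only PowerShell audit looks for exactly the persistence artefacts listed above: the four "userini" autorun values, the alternate data stream "userini.exe" attached to %WINDIR%\explorer.exe, and the "id"/"remove" marker values under the HKCU Explorer key. The function name Test-SpamBotPersistence is my own; the stream check assumes PowerShell 3.0 or later (Get-Item -Stream).

```powershell
# Added example: audit the TR/SpamBot.E persistence artefacts. Read-only; nothing is removed.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

function Test-SpamBotPersistence {
    $findings = @()

    # 1. Autorun values named "userini" whose data points into an ADS of explorer.exe.
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).userini
        if ($value -and $value -like '*explorer.exe:userini.exe') {
            $findings += [pscustomobject]@{ Artefact = 'Run value'; Location = "$key\userini"; Detail = $value }
        }
    }

    # 2. The payload stream itself: an NTFS alternate data stream "userini.exe" on explorer.exe.
    $explorer = Join-Path $env:WINDIR 'explorer.exe'
    $ads = Get-Item -Path $explorer -Stream * -ErrorAction SilentlyContinue |
           Where-Object { $_.Stream -eq 'userini.exe' }
    if ($ads) {
        $findings += [pscustomobject]@{ Artefact = 'ADS'; Location = "${explorer}:userini.exe"; Detail = "$($ads.Length) bytes" }
    }

    # 3. Marker values the bot writes under HKCU\...\Explorer ("id" and "remove").
    $explorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer'
    $props = Get-ItemProperty -Path $explorerKey -ErrorAction SilentlyContinue
    foreach ($name in 'id', 'remove') {
        if ($props -and $props.PSObject.Properties[$name]) {
            $findings += [pscustomobject]@{ Artefact = 'Explorer value'; Location = "$explorerKey\$name"; Detail = $props.$name }
        }
    }
    return $findings
}

$result = Test-SpamBotPersistence
if ($result) { $result | Format-Table -AutoSize } else { 'No TR/SpamBot.E persistence artefacts found.' }
```

Any hit on the Run values or the ADS is a strong indicator; the "id"/"remove" values on their own should be reviewed together with the other findings before concluding anything.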

Email:
It contains an integrated SMTP engine used to send spam emails. A direct connection to the destination mail server is established. The characteristics are described in the following:


From:
The sender address is spoofed.


To:
– Generated addresses


Subject:
The following:
   • %receiver's email address% VIAGRA ® Official Site -45%



Body:
– Contains HTML code.

The email looks like the following:

Backdoor:
Contact server:
The following:
   • http://19**********3.62/82567/kelly.php

This provides remote control capability: instructions are retrieved via an HTTP GET request to a PHP script on that server.

Remote control capabilities:
   • Send emails
   • Spam related

Description inserted by Patrick Schoenherr on Thursday, July 22, 2010
Description updated by Patrick Schoenherr on Thursday, July 22, 2010
