Name: TR/SpamBot.E
Discovered on: 19/07/2010
Type: Trojan
In the wild: Yes
Number of reported infections: Low to medium
Spreading potential: Medium
Damage potential: Medium
Static file: Yes
Size: 55,808 bytes
MD5: 64ce27a4edc375f5dcb68b8641738f34
IVDF version: 7.10.09.151 - Wednesday, July 21, 2010

General
Method of propagation:
   • Has no propagation routine of its own


Alias:
   •  Mcafee: Spam-Mailbot.m
   •  Sophos: Mal/FakeAV-CZ
   •  Microsoft: Spammer:Win32/Tedroo
   •  Panda: Bck/Bredolab.AZ
   •  DrWeb: Trojan.Spambot.6788


Operating systems:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Registry modifications
   • Uses its own email engine

System registry
The following registry keys are added in order to run the process after system start-up:

– [HKLM\Software\Microsoft\Windows\CurrentVersion\run]
   • "userini"="%WINDIR%\explorer.exe:userini.exe"

– [HKCU\Software\Microsoft\Windows\CurrentVersion\run]
   • "userini"="%WINDIR%\explorer.exe:userini.exe"

– [HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
   • "userini"="%WINDIR%\explorer.exe:userini.exe"

– [HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
   • "userini"="%WINDIR%\explorer.exe:userini.exe"

Various Explorer settings:

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer]
   New value:
   • "id"="F15ECF88A2EC"
   • "remove"="%executed file%"
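An added example, not part of the original description: a Python script that parses a `reg export` style dump and flags the two registry indicators listed above, autostart values whose data names an NTFS alternate data stream (the `explorer.exe:userini.exe` form, which a plain file listing never shows) and the `id`/`remove` marker pair under the Explorer key. The sample dump embedded in it is constructed; the `C:\WINDOWS` and `invoice.exe` paths are assumptions.

```python
import re

# Autostart keys the description lists (hive omitted; compared case-insensitively)
RUN_KEY_SUFFIXES = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\policies\explorer\run",
)
EXPLORER_KEY_SUFFIX = r"software\microsoft\windows\currentversion\explorer"

# Constructed 'reg export' style dump; the C:\WINDOWS and invoice.exe paths are assumptions
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"userini"="C:\\WINDOWS\\explorer.exe:userini.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"userini"="C:\\WINDOWS\\explorer.exe:userini.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"id"="F15ECF88A2EC"
"remove"="C:\\Users\\user\\Downloads\\invoice.exe"
'''


def parse_reg_export(text):
    """Parse a .reg text dump into {key_path: {value_name: data}}; keeps REG_SZ values only."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)+)"="((?:[^"\\]|\\.)*)"$', line)
            if m:
                # .reg files escape backslashes and double quotes inside string data
                data = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
                keys[current][m.group(1)] = data
    return keys


def is_ads_path(path):
    """True if a path names an NTFS alternate data stream (file.exe:stream);
    the only legitimate colon in a Windows path is the one after the drive letter."""
    body = path[2:] if re.match(r"^[A-Za-z]:", path) else path
    return ":" in body


def _matches(key_path, suffix):
    return key_path.lower().endswith(suffix)


def find_indicators(keys):
    """Return (key, value_name, data, reason) tuples for the indicators described."""
    findings = []
    for key_path, values in keys.items():
        if any(_matches(key_path, s) for s in RUN_KEY_SUFFIXES):
            for name, data in values.items():
                if is_ads_path(data):
                    findings.append((key_path, name, data,
                                     "autostart entry runs code from an alternate data stream"))
        if _matches(key_path, EXPLORER_KEY_SUFFIX) and {"id", "remove"} <= set(values):
            findings.append((key_path, "id/remove", values["remove"],
                             "id/remove marker pair under the Explorer key"))
    return findings


if __name__ == "__main__":
    for key, name, data, reason in find_indicators(parse_reg_export(SAMPLE_REG)):
        print(f"[{reason}] {key} :: {name} = {data}")
```

On a live system the same checks apply to the output of `reg export` for each of the four keys above; the alternate-data-stream test is the part worth keeping, since the stream name can change between variants while the `host.exe:stream.exe` shape cannot.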

Email
It contains an integrated SMTP engine in order to send spam by email. It connects directly to the destination mail server. The characteristics are:


From:
The address is spoofed.


To:
– Generated addresses


Subject:
The following:
   • %recipient address% VIAGRA ® Official Site -45%



Body of the email:
– Contains HTML code.



The email looks as follows:


Backdoor
Contacted servers:

   • http://19**********3.62/82567/kelly.php

This is how remote control is obtained. It is done through an HTTP GET request to a PHP script.


Remote control capabilities:
   • Sending emails
   • Spam related
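An added example, not taken from the description, covering the two network behaviours above from the monitoring side: a workstation opening SMTP connections directly to many recipient mail servers (the integrated SMTP engine) and a plain HTTP GET to a PHP script on a bare-IP host (the contacted server). The firewall and proxy log lines are constructed; the 10.0.0.0/8 internal range, the relay address 10.0.0.5 and the 198.51.100.23 host standing in for the masked address on the page are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions for this example: the internal address range and the only host
# allowed to speak SMTP to the outside (the organisation's mail relay).
INTERNAL_NET = ip_network("10.0.0.0/8")
MAIL_RELAYS = {"10.0.0.5"}

# Constructed firewall log excerpt: time src_ip dst_ip dst_port proto
FIREWALL_LOG = """\
10:00:01 10.0.0.15 203.0.113.10 25 tcp
10:00:02 10.0.0.15 198.51.100.7 25 tcp
10:00:02 10.0.0.15 192.0.2.44 25 tcp
10:00:03 10.0.0.15 203.0.113.88 25 tcp
10:00:04 10.0.0.15 198.51.100.9 25 tcp
10:00:05 10.0.0.20 10.0.0.5 25 tcp
10:00:06 10.0.0.5 203.0.113.10 25 tcp
10:00:07 10.0.0.15 203.0.113.200 443 tcp
"""

# Constructed proxy log excerpt: time src_ip method url
# (198.51.100.23 is a placeholder for the masked address in the description)
PROXY_LOG = """\
10:00:08 10.0.0.15 GET http://198.51.100.23/82567/kelly.php
10:00:09 10.0.0.20 GET https://www.example.com/index.php
10:00:10 10.0.0.20 GET http://203.0.113.5/images/logo.png
"""


def direct_smtp_senders(log_text, min_distinct_dsts=3):
    """Return {src_ip: number of distinct external SMTP destinations} for internal
    hosts that are not a known relay yet connect to TCP/25 on several external servers.
    A legitimate mail client talks to one relay; a built-in SMTP engine talks to many MXs."""
    destinations = defaultdict(set)
    for line in log_text.splitlines():
        _time, src, dst, port, proto = line.split()
        if proto != "tcp" or port != "25":
            continue
        if src in MAIL_RELAYS or ip_address(dst) in INTERNAL_NET:
            continue
        destinations[src].add(dst)
    return {src: len(d) for src, d in destinations.items() if len(d) >= min_distinct_dsts}


def bare_ip_php_requests(log_text):
    """Return (src_ip, url) for HTTP requests whose host is a literal IP address and
    whose path ends in .php, the shape of the control-server request described."""
    hits = []
    for line in log_text.splitlines():
        _time, src, _method, url = line.split()
        m = re.match(r"https?://([^/:?#]+)(?::\d+)?(/[^?#]*)?", url)
        if not m:
            continue
        host, path = m.group(1), m.group(2) or "/"
        try:
            ip_address(host)
        except ValueError:
            continue  # hostname, not a bare IP
        if path.lower().endswith(".php"):
            hits.append((src, url))
    return hits


if __name__ == "__main__":
    for src, n in direct_smtp_senders(FIREWALL_LOG).items():
        print(f"possible spam engine: {src} opened SMTP to {n} distinct external servers")
    for src, url in bare_ip_php_requests(PROXY_LOG):
        print(f"possible control channel: {src} -> {url}")
```

The SMTP check is the more robust of the two: blocking outbound TCP/25 from everything except the mail relay both detects and neutralises this kind of spam engine, whereas the bare-IP PHP heuristic is only a triage hint and must be confirmed against the host's registry and process list.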

Description inserted by Patrick Schoenherr on Thursday, July 22, 2010
Description updated by Patrick Schoenherr on Thursday, July 22, 2010
