My AntiSpyware

Free antispyware software, Online Scanners, Instructions on how to remove spyware and malware.


Analyze it

Myantispyware team, June 8, 2006

SANS Internet Storm Center (ISC) reader Robert noticed one of his systems trying to connect to port 25 on various servers around the world. Since that immediately screams "spam bot", Robert decided to analyze the box further.

He captured some packets and found an interesting binary, which he submitted to ISC for analysis.

Analysis of that binary turned up a whole malware pyramid. This is what happens:

extdrvr.exe is the spam bot that Robert detected. It is particularly nasty because, at the time of analysis, only one of the 26 anti-virus engines on VirusTotal flagged it as suspicious.
When executed, the spam bot connects to spm.freecj.com and requests a list of e-mail addresses to spam, together with the message body. As soon as this is downloaded, it starts sending the spam.

But that's not all. The spam bot also downloads other Trojan downloaders which, in turn, download still more components.

The first downloader that the main spam bot fetches is http://69.31.46.144/[REMOVED]/d1.html. This downloader in turn fetches a pretty nasty dialer (so making money *is* behind all this) from a well-known malware network, which some of you have probably already filtered: http://85.255.114.166/[REMOVED].exe.
The dialer makes itself persistent across reboots and sets the RasMan (Remote Access Connection Manager) and TapiSrv (Telephony) services to start automatically at boot, since it needs both to place calls.
The dialer also retrieves the number it should call from http://216.80.7.64/[REMOVED]/getnumtemp.asp?nip=0.

If this wasn't enough, there is more. The dialer then downloads yet another downloader (are we getting lost in all this?) from http://207.226.177.110/[REMOVED].

Back to the spam bot. What is interesting is that it downloads and replaces the machine's hosts file. Big deal, we have seen that a million times. But besides the usual entries that block the standard AV vendors' web sites and Microsoft Windows Update, the new hosts file also prevents the user from visiting about 50 .biz sites that are themselves well known for spreading malware (for example, www.iframebiz.biz, www.toolbarbiz.biz, etc.), presumably to keep rival malware off the infected machine.
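The hosts-file swap described above is easy to check for. The script below is an added example written for this page, not code from the original post or from ISC. It parses a hosts file, reports any entry that pins an AV vendor or Windows Update domain to an address (loopback or 0.0.0.0 means the name is blocked, anything else means the user is being redirected), and lists every other name sinkholed to loopback, which on an infected box is the malware's own blocklist. The protected-domain list, the sample hosts file and every address in it are constructed for illustration.

```python
"""Check a Windows hosts file for the kind of hijack the spam bot installs.

Added example, not code from the original post or from ISC. The protected
domain list, the sample hosts file and every address in it are constructed.
"""
import ipaddress
from pathlib import Path

# Domains that should never be pinned in a hosts file on a normal machine:
# if malware maps them to loopback the AV/updater silently stops updating,
# if it maps them elsewhere the user is sent to an attacker's server.
# Illustrative list; extend it with the vendors you actually run.
PROTECTED_SUFFIXES = (
    "windowsupdate.microsoft.com",
    "update.microsoft.com",
    "windowsupdate.com",
    "symantec.com",
    "mcafee.com",
    "kaspersky.com",
    "sophos.com",
    "trendmicro.com",
    "f-secure.com",
    "virustotal.com",
)

# Constructed hosts file modelled on the post: AV and update sites
# sinkholed, one update domain redirected to an outside address, and
# a couple of rival malware domains blocked as well.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       liveupdate.symantec.com
0.0.0.0         windowsupdate.microsoft.com
198.51.100.7    update.microsoft.com   # TEST-NET address standing in for an attacker host
127.0.0.1       www.iframebiz.biz
127.0.0.1       www.toolbarbiz.biz
10.1.2.3        fileserver.corp.example
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            yield ip, name.lower()


def is_protected(hostname):
    """True if hostname is one of, or a subdomain of, the protected domains."""
    return any(hostname == s or hostname.endswith("." + s) for s in PROTECTED_SUFFIXES)


def _is_sinkhole(ip):
    """Loopback or 0.0.0.0 means the entry blocks the name outright."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def find_hijacks(text):
    """Return [(hostname, ip, kind)] for every protected domain in the file.

    kind is "blocked" for sinkhole addresses and "redirected" for anything
    else; the second is the more dangerous case (fake update server, phishing).
    """
    findings = []
    for ip, name in parse_hosts(text):
        if is_protected(name):
            kind = "blocked" if _is_sinkhole(ip) else "redirected"
            findings.append((name, ip, kind))
    return findings


def sinkholed_hosts(text):
    """Every name other than localhost that the file maps to a sinkhole.

    On an infected box this is the malware's own blocklist; the file in
    the post held about 50 .biz domains of competing malware.
    """
    return [name for ip, name in parse_hosts(text)
            if name != "localhost" and _is_sinkhole(ip)]


if __name__ == "__main__":
    # Run against the live file on Windows, or fall back to the sample.
    path = Path(r"C:\Windows\System32\drivers\etc\hosts")
    text = path.read_text(errors="replace") if path.exists() else SAMPLE_HOSTS
    for name, ip, kind in find_hijacks(text):
        print(f"HIJACK {kind:10} {name} -> {ip}")
    print("other sinkholed names:", sinkholed_hosts(text))
```

A hosts file on a clean Windows machine contains little beyond the localhost line, so any hit from find_hijacks() is worth treating as a compromise indicator rather than a configuration quirk; the sinkholed_hosts() list then tells you what else the malware wanted to keep off the box.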

As always, learning lessons is the most important part of handling an incident. Anti-virus obviously does not do much for you when the malware is not detected. Monitoring your outgoing traffic, even in the absence of an IDS, would have caught this: looking for spikes in outgoing e-mail, or for workstations opening port 25 connections to many different external servers, is a good way to detect unexpected spam bots such as this one. Use the built-in Windows firewall or another free or paid firewall (see my Free Programs category) to control outbound connections. Also use Hosts Secure to lock down and manage the HOSTS file.

Author: Myantispyware team

Myantispyware is an information security website created in 2004. Our content is written in collaboration with Cyber Security specialists, IT experts, under the direction of Patrik Holder and Valeri Tchmych, founders of Myantispyware.com.

Copyright © 2004 - 2023 MASW - Myantispyware.com.