My AntiSpyware

Free antispyware software, Online Scanners, Instructions on how to remove spyware and malware.


Analyze it

Myantispyware team, June 8, 2006

ISC reader Robert detected one of his systems trying to connect to port 25 on various servers around the world. As this immediately screams "spam bot", Robert decided to analyze the box further.

He captured some packets and found an interesting binary that he submitted to ISC for analysis.

After analyzing this binary, they discovered a whole malware pyramid. This is what's happening:

extdrvr.exe is the spam bot that Robert detected. This malware is particularly nasty because, at the moment, only one of the 26 anti-virus engines on VirusTotal flags it as suspicious.
When executed, the spam bot connects to spm.freecj.com and asks for the list of e-mail addresses to send spam to, together with the e-mail body. Immediately after this is downloaded, it starts sending the spam.

But that’s not all. The malware also downloads other Trojan downloaders which, in turn, download other stuff.

The first downloader that the main spam bot fetches is http://69.31.46.144/[REMOVED]/d1.html. This downloader will in turn download a pretty nasty dialer (so, making money *is* behind all this) from a well known malware network that some of you probably already filter: http://85.255.114.166/[REMOVED].exe.
The dialer will make itself persistent across reboots and will make services RasMan and TapiSrv automatically start at boot.
The dialer will also get the number it should call from http://216.80.7.64/[REMOVED]/getnumtemp.asp?nip=0.

If this wasn’t enough, prepare for more. The dialer will now download another downloader (are we getting lost in all this?), http://207.226.177.110/[REMOVED].

Back to the spam bot. What's interesting is that it downloads and replaces the machine's hosts file. Big deal, we've seen that a million times. Besides all the standard AV vendors' web sites and Microsoft Windows Update, the newly downloaded hosts file also prevents the user from visiting about 50 .biz sites that are well known for spreading malware (for example, www.iframebiz.biz, www.toolbarbiz.biz, etc.).

As always, learning lessons is the most important part of handling incidents. Anti-virus obviously doesn't do much for you when the malware is not detected. Monitoring your outgoing traffic, even in the absence of an IDS, can do the trick: looking for spikes in outgoing e-mail is a good way to detect unexpected spam bots such as these. Use the Windows built-in firewall or another free or paid firewall (see my Free Programs category). Also use Hosts Secure to lock down and manage the HOSTS file.
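To make the two lessons concrete, here is an added example (my own code, not from the ISC diary or from this site's tools) that applies both checks to constructed data: it flags an internal host that opens port-25 connections to many distinct outside destinations in a short window, and it flags a HOSTS file that pins update or AV vendor names. The log format, the relay address, the thresholds and the protected-name list are all assumptions you would adapt to your own network.

```python
"""Spam-bot detection: outbound SMTP fan-out plus a hijacked HOSTS check.
Added example; the log lines, HOSTS excerpt, relay address and thresholds
are constructed and would be replaced with real values in production."""
import re
from collections import defaultdict
# Constructed firewall log lines: "<epoch> <src_ip> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
1149760000 192.168.1.10 -> 203.0.113.5:25
1149760001 192.168.1.10 -> 198.51.100.7:25
1149760002 192.168.1.10 -> 203.0.113.9:25
1149760003 192.168.1.10 -> 198.51.100.44:25
1149760004 192.168.1.10 -> 203.0.113.77:25
1149760005 192.168.1.10 -> 198.51.100.12:25
1149760010 192.168.1.20 -> 192.168.1.2:25
1149760012 192.168.1.30 -> 203.0.113.5:443
"""
LINE_RE = re.compile(r"^(\d+) (\S+) -> (\S+):(\d+)$")

def smtp_fanout_hosts(log_text, window=60, max_peers=5, relays=("192.168.1.2",)):
    """Return {src: peer_count} for hosts that reached more than `max_peers`
    distinct port-25 destinations (other than the site's own relays) within
    any `window` seconds; that fan-out, not volume, is the spam-bot pattern."""
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and int(m[4]) == 25 and m[3] not in relays:
            events[m[2]].append((int(m[1]), m[3]))
    flagged = {}
    for src, conns in events.items():
        conns.sort()
        for i, (t0, _) in enumerate(conns):  # slide the window over sorted events
            peers = {dst for t, dst in conns[i:] if t - t0 <= window}
            if len(peers) > max_peers:
                flagged[src] = len(peers)
                break
    return flagged

# Constructed HOSTS excerpt in the style of the file the bot drops.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.0.1 windowsupdate.microsoft.com   # blocks Windows Update
127.0.0.1 www.iframebiz.biz
"""
PROTECTED = {"windowsupdate.microsoft.com", "www.symantec.com"}  # assumed list

def hijacked_names(hosts_text, protected=PROTECTED):
    """Return protected names the HOSTS file pins to any address at all."""
    hits = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, then tokenise
        hits += [n for n in fields[1:] if n.lower() in protected]
    return hits
```

Running it on the sample data flags 192.168.1.10 (six distinct SMTP peers in five seconds) while the host that only talks to the local relay stays quiet, and reports windowsupdate.microsoft.com as a hijacked HOSTS entry.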

Malware removal Tips

Author: Myantispyware team

Myantispyware is an information security website created in 2004. Our content is written in collaboration with Cyber Security specialists, IT experts, under the direction of Patrik Holder and Valeri Tchmych, founders of Myantispyware.com.
