My AntiSpyware

Free antispyware software, Online Scanners, Instructions on how to remove spyware and malware.

Analyze it

Myantispyware team June 8, 2006 No Comment

ISC reader Robert detected one of his systems trying to connect to port 25 on various servers around the world. As this immediately screams: spam bot, Robert decided to analyze the box further.

He captured some packets and found an interesting binary that he submitted to ISC for analysis.

After analyzing this binary, they discovered a malware piramide. So, this is what’s happening:

extdrvr.exe is a spam bot that Robert detected. This malware is particularly nasty as, at the moment just one of the 26 anti-virus programs on VirusTotal finding it suspicious.
When executed, the spam bot connects to spm.freecj.com and asks for the list of e-mail addresses to send spam to, together with the e-mail body. Immediately after this is downloaded, it will try sending the spam.

But that’s not all. The malware also downloads other Trojan downloaders which, in turn, download other stuff.

First downloader that the main spam bot downloads is http://69.31.46.144/[REMOVED]/d1.html. This downloader will in turn download a pretty nasty dialer (so, making money *is* behind all this), from a well known malware network (that some of you probably already filtered): http://85.255.114.166/[REMOVED].exe.
The dialer will make itself persistent across reboots and will make services RasMan and TapiSrv automatically start at boot.
The dialer will also get the number it should call from http://216.80.7.64/[REMOVED]/getnumtemp.asp?nip=0.

If this wasn’t enough, prepare for more. The dialer will now download another downloader (are we getting lost in all this?), http://207.226.177.110/[REMOVED].

Back to the spam bot. What’s interesting is that it will download and replace the machine’s hosts file. Big deal, we’ve seen that a million times. Among all the standard AV vendors’ web sites, and Microsoft Windows Update, the newly downloaded hosts file prevents user from visiting about 50 .biz sites, well known for spreading malware (for example, www.iframebiz.biz, www.toolbarbiz.biz, etc.).

As always learning lessons is the most important part of handling incidents. Anti-virus doesn’t do much for you when the malware is not detected obviously. Monitoring your outgoing traffic, even in the absense of an IDS could do this trick. Looking for spikes in outgoing email is a good way to detect unexpected spam bots such as these. Use windows internal firewall or another free(pay) (look my Free Programs category). Also use Hosts Secure for block and manage HOSTS file.

Malware removal Tips

Author: Myantispyware team

Myantispyware is an information security website created in 2004. Our content is written in collaboration with Cyber Security specialists, IT experts, under the direction of Patrik Holder and Valeri Tchmych, founders of Myantispyware.com.

Analyze it

Leave a Reply Cancel reply

New Guides

σας έστειλα ένα email από τον λογαριασμό σας EMAIL SCAM

How to remove UpgradeStart app from Mac (Virus removal guide)

How to remove Lp.searchmulty.com pop-ups (Virus removal guide)

How to remove Dreviousform.info pop-ups (Virus removal guide)

How to remove SearchReceipts adware (Virus removal guide)

Follow US

Search

Useful Guides

How to remove Chrome extensions installed by enterprise policy

How to reset Google Chrome settings to default

Remove Tech Support Scam pop-up virus [Microsoft & Apple Scam]

Malwarebytes won’t install, run or update – How to fix it

How to reset Internet Explorer settings to default

Recent Posts

More fake codecs – nvidcodec, media-codec

Pornmagpass – free pass to get popups, rogue antispyware, toolbar.

Wanna download free movies ? STOP !!! ADWARE !!!

A popular way for push exploit to your PC

Firefox and Thunderbird updated

MYANTISPYWARE.COM

NEED A HELP ?

Links