askpabs - Trojan Mespam

Latest Posts
Jhumpa Lahiri Fried Brinjals in Egg Batter Beginners Astronomy Buying First DSLR - An Experience Prawn Pasanda Pakora

Popular Posts

Main Menu

Home

Travel and Tourism

Media & Entertainment

Electronics & Appliances

Festival Special 2011

General Blogs

Sudoku

Free Games

Search

Latest Forum Posts

	Topics
	How to Fall Asleep Instantly by sandy
	Top 5 Benefits of exercise by ElizabethScott
	Once you pay for the head Kandy exte... by laowantong
	Amy's hair style by laowantong
	What not to put in the fridge by sandy
	Tripod (mainly head opinions) by Das
	Amateur Dslr Users Meetups/ Photo sh... by sandy
	Pets name.... by Weeram
	Beginners Astronomy by sandy
	Five surprising things which can har... by sandy

Trojan Mespam

Written by crashoveride

Sunday, 15 June 2008

Trojan Mespam

It has been observed that a Trojan named Mespam is circulating widely. It gets dropped by Storm Worm /Trojan Peacomm Variants
or propagates through malicious links which are embedded within Internet Messenger, e-mails, forum posts.The Trojan communicates via HTTP to certain remote websites to download the message body. This message body appears to be legitimate which tricks users to click upon the link provided within the abovesaid mediums to download malware onto the system.

After execution, the Trojan registered itself as Layered Service Provider which allows it to run each time the network device gets initialized.

A Layered Service Provider is a DLL that uses Winsock APIs to insert itself into the TCP/IP stack. Once in the stack, a Layered Service Provider can intercept and modify all inbound and outbound Internet traffic. It could be used by a computer security program, which analyzes the traffic in search for viruses or other threats before transferring it to the final application of the traffic.

The below mentioned contents can be within the body of e-mail, Internet Messenger, Web Forums

LOL ;-) http://66 DOT 148 DOT 74 DOT 7/ag.[REMOVED]

have you seen this? http://mailfreepostcards DOT com/funvid[REMOVED]

Dont forget to see http://mailfreepostcards DOT com/funvid[REMOVED] !

Aliases: Troj/SpamToo-U [Sophos], Spam-Mespam [McAfee], WORM_ZHELATIN.CH [Trend], Troj/SpamToo-X [Sophos]

Upon execution, the Trojan :

Drops the following files
- %System%\rsvp32_2.dll - the dropped LSP DLL
- %System%\sporder.dll - clean DLL
Registers %System%\rsvp32_2.dll as a layered service provider (LSP) to run each time the network device is initialized
Creates the following registry entry to store installation related information:
- HKEY_LOCAL_MACHINE\SOFTWARE\WinSock2\Buibert
Creates the following mutex to ensure that only one instance is run on the victim machine.
- Global\iowerjfgiowejroigeu894389
Contacts the following URL to retrieve the message to be spammed out through instant message applications:
- http://66 DOT 148 DOT 74 DOT 7/zc.[REMOVED]
Saves message in one or more of the following files:
- %System%\aosmx.dl
- %System%\aimsmx.dll
- %System%\ymsgsmx.dll
- %System%\gtalsmx.dll
- %System%\pfxzmtaim.dll
- %System%\pfxzmtforum.dll
- %System%\pfxzmtgtal.dl
- %System%\pfxzmticq.dll
- %System%\pfxzmtsmt.dll
- %System%\pfxzmtsmtspm.dll
- %System%\pfxzmtwbmail.dll
- %System%\pfxzmtymsg.dll
Uses any of the webmail services to sent e-mail messages:
- AOL
- Bellsouth
- Care2
- Comcast
- Earthlink
- FastMail
- Gmail
- Hotmail
- Lycos
- mail.com
- mail.ru
- Rambler
- Tiscali
- Yahoo
In view of rapid propagation of the Mespam Trojan, users are advised to implement the following countermeasures:
Search for the malicious files and processes created/initiated by the Trojan and delete the same.
Search for the registry entries mentioned above made by the Trojan and delete the same.
Do not visit the untrusted links embedded within Internet Messenger, e-mails, forum posts.
Block access to the malicious domain mentioned above at gateway.
Keep up-to-date patches and fixes on the operating system and application software.
Keep up-to-date Antivirus and Antispyware signatures.

References

http://www.symantec.com/security_response/writeup.jsp?
docid=2007-020915-2914-99&tabid=2
http://www.sophos.com/security/analyses/viruses-and-spyware/
trojspamtooz.html
http://www.sophos.com/security/analyses/viruses-and-spyware/
trojspamtoou.html
http://vil.nai.com/vil/content/v_141590.htm
http://www.precisesecurity.com/computer-virus/tms-feb0709.htm

Comments

Add New

RSS

sandy - useful information

IP:59.97.176.32 | 2008-06-16 12:03:00

i guess most of our PC's are infected with such viruses and trojans. Thanx a lot for keeping us up to date about such trojans. Keep up the good work.

Reply | Quote

Last Updated ( Saturday, 11 December 2010 )

< Prev		Next >

[ Back ]

Other Articles By Same Author
What would the perfect phishing attack from a social engineering perspective? Hunger is the best sauce - Dab Chingri Malai Curry Ekhaneo injectioner jala.....!!!!! Feeling Hungry - How About A Plate of Biriyani BMW 5-SERIES FOR INDIA.....wow!! Multiple vulnerabilities in Apple QuickTime 7.x

Powered by JoomlaCommentCopyright (C) 2006 Frantisek Hliva. All rights reserved.Homepage: http://cavo.co.nr/