 #4096  by EP_X0FF
 Wed Dec 22, 2010 10:11 am
This is Trojan Spambot.
id GetNetworkParams iphlpapi.dll Content-Length: %s%s%s%s %d%.2d%.2d%.2d%.2d%.2d.%d.qmail@%s RCPT TO: <%s>
250 MAIL FROM: <%s>
HELO %s
220 Connecting %s ...
RECEIVED $QM_%s MESSID $TIME $DATE %d:%d:%d %d.%d.%d @@RECEIVED @@DATE (qmail %d by uid %d); %s, %d %s %d %d:%d:%d %.4d %s, %.2d %s %d %.2d:%.2d:%.2d %.4d @@BOUNDARY @@MESSAGE_ID @@FROM_NAME @@FROM_EMAIL > " <
From: From: @@TO_%s EMAIL $TO_%s NAME @ </body> <body> QM_MESSID QM_RECEIVED REAL_IP TO_EMAIL mail.com google.com aol.com yahoo.com hotmail.com ntdll NtQueryInformationProcess
<emails> </%s <text> <info> style= hostname= realip= taskid= dnsdos: dos: click: run%d%s MZ run: %supdate%d%s \ GET / ; update: </%s>
<%s> config &errors[%d]=%d &errors[0]=%d id=%s&tick=%d&ver=%d&smtp=%s&task=%d&continue=1 bad ok id=%s&tick=%d&ver=%d&smtp=%s&task=%d explorer.exe: Explorer EXPLORER explorer winlogon InternetQueryOptionA InternetCloseHandle HttpQueryInfoA HttpSendRequestA HttpOpenRequestA InternetConnectA InternetOpenA InternetReadFile DeleteFileA SystemTimeToFileTime wininet.dll dnsapi.dll ws2_32.dll Advapi32.dll Kernel32.dll LoadLibraryA Kernel32 %s.%s http://
userini 100 195.190.13.78 8103 /blog/candy.php
remove
\\?\globalroot\systemroot\system32
Software\Microsoft\Windows\CurrentVersion\Explorer
Software\Microsoft\Windows\CurrentVersion\run
Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1) ; QUIT
DATA RSET
----=_NextPart_%03d_%04X_%08.8lX.%08.8lX %04x%08.8lx$%08.8lx$%08x@%s alternative
77.220.232.44
Runs as C:\WINDOWS\explorer.exe:userini.exe through the registry keys listed above (all three seem to be just to be sure).

No rootkit functionality found.
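From the defender's side, the persistence described in the post (an autorun value whose command points into an alternate data stream of explorer.exe) can be audited once the Run-key values are exported. This is an added example, not EP_X0FF's code or anything from the sample; the registry entries are constructed sample data and the ADS regex is my own.

```python
import re
from typing import Iterable, List, Optional, Tuple

# A second colon in a Win32 path (after the drive letter) names an NTFS
# alternate data stream: host.exe:stream.  Written for this check; covers the
# drive-letter form and the \\?\globalroot form seen in the post's strings.
ADS_RE = re.compile(
    r'(?i)((?:[a-z]:|\\\\\?\\globalroot)\\[^:"]*?\.[a-z0-9]{1,4}):([^\\/:\s"]+)'
)


def ads_host_and_stream(command: str) -> Optional[Tuple[str, str]]:
    """Return (host_file, stream_name) if the command runs from an ADS.

    The drive-letter colon ("C:\\") and URL colons in arguments ("http://")
    do not match, so an ordinary command line returns None.
    """
    m = ADS_RE.search(command)
    if not m:
        return None
    return m.group(1), m.group(2)


def audit_autoruns(entries: Iterable[Tuple[str, str, str]]) -> List[dict]:
    """Flag autorun values whose command lives in an alternate data stream.

    entries: (registry key, value name, command) triples, e.g. exported from
    the Run and policies\\Explorer\\Run keys named in the post.
    """
    findings = []
    for key, value_name, command in entries:
        hit = ads_host_and_stream(command)
        if hit is None:
            continue
        host, stream = hit
        findings.append({
            "key": key, "value": value_name, "host": host, "stream": stream,
            # the post's pattern: stream hidden behind a Windows system binary
            "host_is_windows_binary": host.lower().startswith("c:\\windows\\"),
        })
    return findings


# Constructed sample export (hypothetical machine); two entries mimic the post.
SAMPLE_ENTRIES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Tray",
     r'"C:\Program Files\Vendor\tray.exe" -url http://updates.example.test/check'),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "userini",
     r"C:\WINDOWS\explorer.exe:userini.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run", "1",
     r"C:\WINDOWS\explorer.exe:userini.exe"),
]

if __name__ == "__main__":
    for f in audit_autoruns(SAMPLE_ENTRIES):
        print(f"{f['key']}\\{f['value']} -> ADS {f['stream']} on {f['host']}")
```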