Trojan.Spammer.HotLan.A
SYMPTOMS: There are no obvious symptoms of this malware except increased internet activity.

TECHNICAL DESCRIPTION: The trojan reads a custom script from http://[BLOCKED]/wemail/index.php and tries to interpret it.

The script provides the following main actions:
 - log on to an existing email account (@hotmail, @yahoo or @30gigs);
 - read from http://[BLOCKED]/base.php coded information about an email to send (To:, Cc:, Subject:, Body:);
 - decode the email and send it;
 - try to create a new email account (@hotmail, @30gigs, @google).

Email accounts have the following pattern:
 - <Name1><RandNo1><Name2><RandNo2>@hotmail.com
   example: swift3409494vlad45@hotmail.com
 - <Name1><Name2>@yahoo.com
   example: LeonardFernandez@yahoo.com

Examples of emails sent:

#1
   Subject: many RX its
   Date: Wed, 4 Jul 2007 17:42:06 +0000

   if The most used,medical,products 4 you Dont waste U chance visit: http://[BLOCKED]xyf.cn what Djibouti now that itself Tanisha except Melody no one Alvarez along Ava since inside out of Chacon whether...or Marsha under Nellie because Holliday your when Boyd its Samuel everything Dick

#2
   Subject: itsPILLZ Wise
   Date: Thu, 5 Jul 2007 13:53:40 +0000

   R!se and sh!ne! myself Canadian phaaarmaaaacy for you! Check it: http://[BLOCKED]kyli.info behind Kelvin after they Medeiros theirs Villarreal along, Alston among Angelita, mine its Marino!! after Sherry you Garland off Malawi nor if

Removal instructions: Please let BitDefender delete your malware files.

ANALYZED BY: Vlad Constantin Ilie, virus researcher
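
The network behaviour in the technical description (a fetch of /wemail/index.php followed by a fetch of /base.php) can be hunted for in web proxy logs; the following is an added example, not part of the original write-up or of any BitDefender tooling. The log format, the 300-second window, the sample hosts and all function names are assumptions made for illustration, and the log is assumed to be in chronological order.

```python
import re

# Paths named in the description. The host is redacted on the page, so match on path only.
SCRIPT_PATH = "/wemail/index.php"
TASK_PATH = "/base.php"
# <Name1><RandNo1><Name2><RandNo2>@hotmail.com; the @yahoo.com pattern is too generic to match on.
HOTMAIL_RE = re.compile(r"[A-Za-z]+\d+[A-Za-z]+\d+@hotmail\.com", re.IGNORECASE)

# Constructed sample proxy log (assumed format): "<epoch> <client_ip> <method> <url>"
SAMPLE_LOG = """\
1183570900 10.0.0.5 GET http://c2.example/wemail/index.php
1183570905 10.0.0.5 GET http://c2.example/base.php
1183570911 10.0.0.5 POST http://mail.example/compose
1183570920 10.0.0.7 GET http://intranet.example/base.php
1183570930 10.0.0.9 GET http://c2.example/base.php
1183574999 10.0.0.9 GET http://c2.example/wemail/index.php
malformed line
"""

def parse_line(line):
    """Return (ts, client, host, path), or None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 4 or not parts[0].isdigit():
        return None
    m = re.match(r"https?://([^/\s]+)(/[^?#\s]*)?", parts[3])
    if m is None:
        return None
    return int(parts[0]), parts[1], m.group(1).lower(), m.group(2) or "/"

def suspicious_clients(log_text, window=300):
    """Clients that fetched the script path, then the task path, from one host within `window` s."""
    script_seen = {}  # (client, host) -> time of the most recent script fetch
    hits = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, host, path = rec
        if path == SCRIPT_PATH:
            script_seen[(client, host)] = ts
        elif path == TASK_PATH:
            first = script_seen.get((client, host))
            if first is not None and 0 <= ts - first <= window:
                hits.add(client)
    return sorted(hits)

def matches_account_pattern(address):
    """True if the address has the generated @hotmail.com shape described above."""
    return HOTMAIL_RE.fullmatch(address.strip()) is not None
```

A lone request for /base.php is common on ordinary sites, which is why the check requires both paths on the same host in sequence before flagging a client.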