There aren't any obvious symptoms of this malware, except increased internet activity.
Please let BitDefender delete your malware files.
Vlad Constantin Ilie, virus researcher
The trojan reads a custom script from http://[BLOCKED]/wemail/index.php and tries to interpret it.
The script provides the following main actions:
- log on to an existing email account (@hotmail, @yahoo or @30gigs);
- read encoded information about an email to send (To:, Cc:, Subject:, Body:) from http://[BLOCKED]/base.php;
- decode the email and send it;
- try to create a new email account (@hotmail, @30gigs, @google).
The email accounts have the following patterns:
- <Name1><RandNo1><Name2><RandNo2>@hotmail.com - firstname.lastname@example.org
- <Name1><Name2><RandNo>@yahoo.com - ClaudiaWilder85@yahoo.com
- <Name1><Name2>@yahoo.com - LeonardFernandez@yahoo.com
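The account-name templates above can be used as a triage signal on sender addresses in mail logs. The following is an added example, not BitDefender's code: the token shapes (capitalised alphabetic names, digit runs), the confidence labels and the function names are assumptions made here, and every sample address except the two yahoo.com ones quoted on this page is constructed.

```python
import re

# Assumption (from the sample addresses on the page): each <Name> is a capitalised
# alphabetic word and each <RandNo> is a run of digits.
NAME = r"[A-Z][a-z]+"
NUM = r"\d+"

# (template label, domain, local-part regex, confidence) - labels are ours.
TEMPLATES = [
    ("name-num-name-num", "hotmail.com", rf"{NAME}{NUM}{NAME}{NUM}", "high"),
    ("name-name-num", "yahoo.com", rf"{NAME}{NAME}{NUM}", "medium"),
    # Plain FirstLast addresses are common among real users: weak signal only.
    ("name-name", "yahoo.com", rf"{NAME}{NAME}", "low"),
]


def classify(address):
    """Return (template, confidence) if the address fits a template, else None."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local:
        return None
    for label, tmpl_domain, pattern, confidence in TEMPLATES:
        if domain.lower() == tmpl_domain and re.fullmatch(pattern, local):
            return label, confidence
    return None


def triage(addresses):
    """Group addresses by confidence so only strong matches are escalated."""
    buckets = {"high": [], "medium": [], "low": [], "none": []}
    for addr in addresses:
        hit = classify(addr)
        buckets[hit[1] if hit else "none"].append(addr)
    return buckets


# First two entries are the page's examples; the rest are constructed.
SAMPLE = [
    "ClaudiaWilder85@yahoo.com",
    "LeonardFernandez@yahoo.com",
    "Alice12Bob3@hotmail.com",
    "j.smith@yahoo.com",
    "helpdesk@example.org",
]

if __name__ == "__main__":
    for level, addrs in triage(SAMPLE).items():
        print(level, addrs)
```

A match on the `<Name1><Name2>` template alone says little, so it is best combined with other evidence such as the message content or sending volume.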
Examples of emails sent:
Subject: many RX its
Date: Wed, 4 Jul 2007 17:42:06 +0000
if The most used,medical,products 4 you
Dont waste U chance visit: http://[BLOCKED]xyf.cn
what Djibouti now that itself Tanisha except Melody no one Alvarez
along Ava since inside out of Chacon whether...or Marsha under Nellie
because Holliday your when Boyd its Samuel everything Dick
Subject: itsPILLZ Wise
Date: Thu, 5 Jul 2007 13:53:40 +0000
R!se and sh!ne!
myself Canadian phaaarmaaaacy for you!
Check it: http://[BLOCKED]kyli.info
behind Kelvin after they Medeiros theirs Villarreal along, Alston
among Angelita, mine its Marino!! after Sherry you Garland
off Malawi nor if