McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
Business Home McAfee Labs Threat Intelligence

Spam-Mailbot.c

This page shows details and results of our analysis on the malware Spam-Mailbot.c

Threat Detail

Malware Type: Trojan

Malware Sub-type: Rootkit

Discovery Date: 2006-07-03

Next Steps:

Overview

Spam-Mailbot.c implements advanced rootkit techniques to hide its presence. It hides into Alternate Data Streams and have functionality to send spam e-mails. This trojan also displays backdoor capabilities by running its code within the context of services.exe.  


Minimum DAT

4798 (2006-07-03)

Updated DAT

5855 (2010-01-08)

 Minimum Engine

5.1.00

File Length

N/A

 Description Added

2006-07-19

Description Modified

2006-07-19

Malware Proliferation

Characteristics

System Changes

Files Added

  • %WINDIR%\system32:lzx32.sys (Detected as Spam-Mailbot.c!Rootkit)

Registry

The following registry keys are created:

  • hkey_local_machine\system\currentcontrolset\services\pe386
    \security
  • hkey_local_machine\system\currentcontrolset\services\pe386
    \imagepath="\??\%WINDIR%\System32:lzx32.sys"
  • hkey_local_machine\system\currentcontrolset\services\pe386\start
    ="1"
  • hkey_local_machine\system\currentcontrolset\services\pe386\group
    ="Base"
  • hkey_local_machine\system\currentcontrolset\services\pe386
    \extparam=""
  • hkey_local_machine\system\currentcontrolset\services\pe386
    \security\security="(binary registry data)
  • hkey_local_machine\system\currentcontrolset\services\pe386
    \errorcontrol="0"
  • hkey_local_machine\system\currentcontrolset\services\pe386\type
    ="1"
  • hkey_local_machine\system\currentcontrolset\services\pe386
    \displayname="Win23 lzx files loader"

Other characterstics

  1. Attempts to hide from the processes containing the following strings.
    • Rootkitrevealer
    • BlackLight
    • Rkdetector
    • gmer.exe
    • endoscope.EXE
    • DarkSpy
    • Anti-Rootkit
  2. Contains the following string which suggests the rootkit is still in development phase and we may see more variants.
    • "Z:\New Projects\spambot\last_beta\driver\objfre\i386\driver.pdb"
  3. May create a temporary log file at
    • %Windir%\Temp\<RANDOM>.tmp.log

 

Symptoms

It may open random TCP ports within the context of legitimate "Services.exe" process.

Attempts to contact following URLs

  • www.google.com
  • ftp.icq.com
  • maila.microsoft.com
  • 208.66.194.14/index.php?page=main

     

    • Method of Infection

    Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial.  Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc

    Removal

    All Users:

    Manual Removal Instructions

    1. Reboot your system using the Windows Recovery Console
    2. Select R to start the Recovery Console.
    3. At the recovery console command prompt type DISABLE pe386
    4. Type Exit
    5. Rescan the system with latest DATs upon reboot.

    Additional Windows ME/XP removal considerations

    Variants

    United States - English