Spam-Mailbot.f

-- Update April 09, 2008 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.heise-online.co.uk/news/The-Kraken-a-botnet-bigger-than-Storm--/110503

--

This variant may be detected as Spam-Mailbot in earlier DATs.

Spam-Mailbot.f will install itself as a system service "Print Spooler Service". Once installed, it will send spam to multiple SMTP servers. It will collect email information in the local machine. It can also modify tcpip.sys to increase tcp connection limit. It can connect to servers to download and run other malware.

The following keys were added:

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kwqez: "C:\WINDOWS\system32\kwqez.exe"
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aiku90au6mysy\Security\Security
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aiku90au6mysy\Type: 0x00000010
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aiku90au6mysy\Start: 0x00000002
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aiku90au6mysy\ErrorControl: 0x00000000
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aiku90au6mysy\ImagePath: "C:\WINDOWS\system32\kwqez.exe /service"
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aiku90au6mysy\DisplayName: "Print Spooler Service"
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aiku90au6mysy\ObjectName: "LocalSystem"

The trojan will write itself to the following folder with a random filename:

• %SYSTEM%\kwqez.exe

It will also attempt to connect to dynamic sites in the following domains:

• mooo.com
• dynserv.com
• yi.org
• dyndns.org

(where %SYSTEM% is the Windows system folder e.g. C:\WINDOWS\system32)

• Presence of previously mentioned registry keys.
• Presence of unexpected network connections to previously mentioned URLs.
• Presence of previously mentioned files.

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial.  Distribution channels include IRC, peer-to-peer networks, newsgroup postings, email, etc

All Users:

Please use the following instructions for all supported versions of Windows to remove threats and other potential risks:

1.Disable System Restore .

2.Update to current engine and DAT files for detection and removal.

3.Run a complete system scan.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

1. Please go to the Microsoft Recovery Console and restore a clean MBR.

On windows XP:

Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the Windows installation that is compromised and provide the administrator password
Issue 'fixmbr' command to restore the Master Boot Record
Follow onscreen instructions
Reset and remove the CD from CD-ROM drive.