

VIRUS ALERTS

Trojan Mespam

Original issue date: June 05, 2008

It has been observed that a Trojan named Mespam is circulating widely. It is dropped by Storm Worm / Trojan Peacomm variants or propagates through malicious links embedded in instant messages, e-mails and forum posts. The Trojan communicates over HTTP with certain remote websites to download the message body. This message body appears legitimate, which tricks users into clicking the link provided within the above-mentioned media and so downloading the malware onto the system.

After execution, the Trojan registers itself as a Layered Service Provider (LSP), which allows it to run each time the network device is initialized.

A Layered Service Provider is a DLL that uses Winsock APIs to insert itself into the TCP/IP stack. Once in the stack, a Layered Service Provider can intercept and modify all inbound and outbound Internet traffic. The same mechanism can be used legitimately by a security program, which analyses the traffic in search of viruses or other threats before passing it on to the destination application.

Messages such as the following have been observed in the body of e-mails, instant messages and web forum posts:

LOL ;-) http://66 DOT 148 DOT 74 DOT 7/ag.[REMOVED]

have you seen this? http://mailfreepostcards DOT com/funvid[REMOVED]

Dont forget to see http://mailfreepostcards DOT com/funvid[REMOVED] !

Aliases: Troj/SpamToo-U [Sophos], Spam-Mespam [McAfee], WORM_ZHELATIN.CH [Trend], Troj/SpamToo-X [Sophos]

Upon execution, the Trojan:

  • Drops the following files:
    • %System%\rsvp32_2.dll - the dropped LSP DLL
    • %System%\sporder.dll - clean DLL
  • Registers %System%\rsvp32_2.dll as a layered service provider (LSP) to run each time the network device is initialized
  • Creates the following registry entry to store installation related information:
    • HKEY_LOCAL_MACHINE\SOFTWARE\WinSock2\Buibert
  • Creates the following mutex to ensure that only one instance runs on the victim machine:
    • Global\iowerjfgiowejroigeu894389
  • Contacts the following URL to retrieve the message to be spammed out through instant message applications:
    • http://66 DOT 148 DOT 74 DOT 7/zc.[REMOVED]
  • Saves message in one or more of the following files:
    • %System%\aosmx.dl
    • %System%\aimsmx.dll
    • %System%\ymsgsmx.dll
    • %System%\gtalsmx.dll
    • %System%\pfxzmtaim.dll
    • %System%\pfxzmtforum.dll
    • %System%\pfxzmtgtal.dl
    • %System%\pfxzmticq.dll
    • %System%\pfxzmtsmt.dll
    • %System%\pfxzmtsmtspm.dll
    • %System%\pfxzmtwbmail.dll
    • %System%\pfxzmtymsg.dll
  • Uses any of the following webmail services to send e-mail messages:
    • AOL
    • Bellsouth
    • Care2
    • Comcast
    • Earthlink
    • FastMail
    • Gmail
    • Hotmail
    • Lycos
    • mail.com
    • mail.ru
    • Rambler
    • Tiscali
    • Yahoo

In view of the rapid propagation of the Mespam Trojan, users are advised to implement the following countermeasures:

  • Search for the malicious files and processes created/initiated by the Trojan and delete the same.
  • Search for the registry entries mentioned above made by the Trojan and delete the same.
  • Do not visit the untrusted links embedded within Internet Messenger, e-mails, forum posts.
  • Block access at the gateway to the malicious URLs mentioned above.
  • Keep up-to-date patches and fixes on the operating system and application software.
  • Keep up-to-date Antivirus and Antispyware signatures.
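A host check for the indicators listed in this alert, added here as an example and not part of the CERT-In advisory. It assumes an elevated PowerShell session on the suspect Windows machine; the Wow6432Node registry path is an assumption for 64-bit hosts and is not mentioned in the advisory.

```powershell
# Added example: look for the Mespam files, registry key, mutex and LSP entry named above.
# Assumes an elevated session; indicator values are copied from the advisory.
$sys = Join-Path $env:SystemRoot 'System32'

# Dropped LSP DLL and the message-cache files listed in the advisory (names as published).
$files = @('rsvp32_2.dll', 'aosmx.dl', 'aimsmx.dll', 'ymsgsmx.dll', 'gtalsmx.dll',
           'pfxzmtaim.dll', 'pfxzmtforum.dll', 'pfxzmtgtal.dl', 'pfxzmticq.dll',
           'pfxzmtsmt.dll', 'pfxzmtsmtspm.dll', 'pfxzmtwbmail.dll', 'pfxzmtymsg.dll')
# Second path is an assumption for 64-bit hosts (WOW64 registry redirection).
$regKeys = @('HKLM:\SOFTWARE\WinSock2\Buibert',
             'HKLM:\SOFTWARE\Wow6432Node\WinSock2\Buibert')
$mutexName = 'Global\iowerjfgiowejroigeu894389'

$findings = @()

foreach ($f in $files) {
    $p = Join-Path $sys $f
    if (Test-Path -LiteralPath $p) { $findings += "file present: $p" }
}

foreach ($k in $regKeys) {
    if (Test-Path -LiteralPath $k) { $findings += "registry key present: $k" }
}

# Mutex: OpenExisting throws WaitHandleCannotBeOpenedException when no such mutex exists;
# an access-denied error still means some process currently holds it.
try {
    $m = [System.Threading.Mutex]::OpenExisting($mutexName)
    $m.Close()
    $findings += "mutex present: $mutexName"
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # not present
} catch [System.UnauthorizedAccessException] {
    $findings += "mutex present (access denied): $mutexName"
}

# Winsock catalog: any entry whose provider path points at the dropped LSP DLL.
$lsp = netsh winsock show catalog | Select-String -SimpleMatch 'rsvp32_2.dll'
if ($lsp) {
    $findings += ($lsp | ForEach-Object { 'Winsock catalog references rsvp32_2.dll: ' + $_.Line.Trim() })
}

if ($findings.Count -eq 0) {
    Write-Output 'No Mespam indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

A hit on the Winsock catalog line means the LSP is still registered; removing the DLL alone leaves a dangling catalog entry that can break networking, so the catalog entry must be cleaned up as part of the removal.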

References

http://www.symantec.com/security_response/writeup.jsp?docid=2007-020915-2914-99&tabid=2

http://www.sophos.com/security/analyses/viruses-and-spyware/trojspamtooz.html

http://www.sophos.com/security/analyses/viruses-and-spyware/trojspamtoou.html

http://vil.nai.com/vil/content/v_141590.htm

http://www.precisesecurity.com/computer-virus/tms-feb0709.htm

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003