Trojan Win32 Mespam
1. Summary:
Mespam is a trojan horse that installs itself into the system as an LSP (Layered Service Provider). Through an IM (Instant Messenger) client it sends messages containing a URL that points to a standalone copy of the trojan body.
2. Detailed description:
Mespam is 49 kB in size. It is usually either downloaded by another trojan horse or infects the computer when the user clicks the link in a malicious message received in their IM client.
After execution, Mespam drops the following files into the system directory:
%SYSTEM%\rsvp32_2.dll
%SYSTEM%\sporder.dll
The file "rsvp32_2.dll" registers itself as an additional LSP (Layered Service Provider). An LSP is loaded into every process that uses Winsock and sits between the application and the base TCP/IP provider, so it gets low-level access to all local-network and Internet traffic of that process. Some firewalls are also implemented as LSPs, which is why an unknown LSP cannot simply be removed blindly. The accompanying "sporder.dll" is the Winsock service provider order helper library, which is used to reorder entries in the Winsock provider catalog.
It then modifies the Winsock provider catalog, which is stored in the registry under:
[HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters]
It also creates the key:
[HKLM\SOFTWARE\WinSock2\Buibert]
where it stores installation-related information.
It also creates the following files:
%SYSTEM%\aosmx.dll
%SYSTEM%\aimsmx.dll
%SYSTEM%\ymsgsmx.dll
%SYSTEM%\gtalsmx.dll
These files serve as storage for the IM messages that are sent.
3. Spreading:
As mentioned above, Mespam spreads by sending instant messages containing a URL. After the victim visits this URL, the trojan body is downloaded and executed. The text of the message is always fetched from the Internet at send time and is more or less unique to each message, so a signature on the message text alone is not a reliable way to detect it.
It can send messages through these clients:
AOL Instant Messenger
Google Talk
Yahoo! Messenger
4. Cleaning:
- Reboot the PC into Safe Mode.
- Remove this registry key:
[HKLM\SOFTWARE\WinSock2\Buibert]
- Download the "LSP Fix" program, run it, and remove the LSP provider whose path is "rsvp32_2.dll".
WARNING
Removing or reordering LSP entries incorrectly can break network connectivity entirely, because every protocol chain in the Winsock catalog refers back to the remaining providers. If this happens you will have to reinstall the TCP/IP protocol (on Windows XP SP2 and later, "netsh winsock reset" rebuilds the catalog from the base providers).
- Reboot the PC into Safe Mode again.
- Delete these files:
%SYSTEM%\rsvp32_2.dll
%SYSTEM%\aosmx.dll
%SYSTEM%\aimsmx.dll
%SYSTEM%\ymsgsmx.dll
%SYSTEM%\gtalsmx.dll
- Reboot the PC into the normal mode.
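The LSP description in section 2 and the cleaning procedure above both come down to one question: which entries in the Winsock catalog belong to the unknown provider, and does removing them leave the base providers intact? The script below is an added example written for this page; it is not part of the original advisory and not a vendor tool. It parses the text that "netsh winsock show catalog" prints (Windows XP SP2 and later), flags every provider DLL that is not on an allowlist of known Windows components, groups the offending catalog entries by DLL, and simulates the removal so the WARNING scenario (base providers gone) can be checked before touching the real catalog. The field labels, the allowlist and the sample dump (which mimics rsvp32_2.dll layered over the TCP/IP provider) are assumptions constructed for the example, not output captured from an infected machine.

```python
"""Flag unexpected Layered Service Providers in a `netsh winsock show catalog` dump.

Added example for the Mespam advisory; not part of the original page or of any
vendor tool.  Field labels and the allowlist are assumptions about netsh output.
"""
import re
import sys
from collections import defaultdict
from typing import Dict, List

# DLLs a clean Windows XP Winsock catalog references.  Assumption: illustrative
# allowlist only; extend it with third-party LSPs you trust (some firewalls).
KNOWN_GOOD_DLLS = {"mswsock.dll", "rsvp.dll", "winrnr.dll", "wshtcpip.dll", "nwprovau.dll"}

# Constructed sample: base TCP and UDP providers plus rsvp32_2.dll layered over TCP.
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [UDP/IP]
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1002
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        rsvp32_2
Provider Path:                      C:\WINDOWS\system32\rsvp32_2.dll
Catalog Entry ID:                   1010
Protocol Chain Length:              0

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        rsvp32_2 over [MSAFD Tcpip [TCP/IP]]
Provider Path:                      C:\WINDOWS\system32\rsvp32_2.dll
Catalog Entry ID:                   1011
Protocol Chain Length:              2
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s+(.*?)\s*$")


def parse_catalog(text: str) -> List[Dict[str, str]]:
    """Split the dump into entries; each entry becomes a dict of label -> value."""
    entries: List[Dict[str, str]] = []
    current = None
    for line in text.splitlines():
        if line.strip() == "Winsock Catalog Provider Entry":
            current = {}
            entries.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return entries


def dll_name(path: str) -> str:
    """Lower-cased file name of a provider path (handles %SystemRoot% and drive paths)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(entry: Dict[str, str]) -> str:
    """Chain length 1 = base provider, 0 = the LSP's own dummy entry, >1 = a chain through an LSP."""
    n = int(entry.get("Protocol Chain Length", "1"))
    return "base" if n == 1 else ("layered-protocol" if n == 0 else "chain")


def find_suspicious_lsps(text: str, allowlist=KNOWN_GOOD_DLLS) -> Dict[str, List[int]]:
    """Map each non-allowlisted provider DLL to the sorted catalog entry IDs that use it."""
    hits: Dict[str, List[int]] = defaultdict(list)
    for e in parse_catalog(text):
        dll = dll_name(e.get("Provider Path", ""))
        if dll and dll not in allowlist:
            hits[dll].append(int(e["Catalog Entry ID"]))
    return {dll: sorted(ids) for dll, ids in hits.items()}


def remove_provider(entries: List[Dict[str, str]], dll: str) -> List[Dict[str, str]]:
    """Drop the dummy entry and every chain routed through `dll`; partial removal leaves a broken catalog."""
    return [e for e in entries if dll_name(e.get("Provider Path", "")) != dll]


def base_providers_present(entries: List[Dict[str, str]]) -> bool:
    """The check behind the WARNING: the base TCP and UDP providers must survive the cleanup."""
    descs = {e.get("Description", "") for e in entries if classify(e) == "base"}
    return "MSAFD Tcpip [TCP/IP]" in descs and "MSAFD Tcpip [UDP/IP]" in descs


if __name__ == "__main__":
    # Usage: python lsp_check.py catalog.txt   (catalog.txt from `netsh winsock show catalog`)
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_CATALOG
    for dll, ids in find_suspicious_lsps(text).items():
        remaining = remove_provider(parse_catalog(text), dll)
        print(f"unexpected provider {dll}: catalog entries {ids}; "
              f"base providers intact after removal: {base_providers_present(remaining)}")
```

On a real machine, dump the catalog with "netsh winsock show catalog > catalog.txt" before running LSP Fix, keep the dump as evidence, and compare it with a second dump taken after the cleanup; the allowlist must be extended for any legitimate LSP (a firewall, for instance) the machine is known to run, otherwise that product will be flagged as well.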
0 writebacks [03/02/2007 12:23]