Spammer:Win32/Cetsiol.A
First posted on 24 December 2014.
Source: Microsoft
Aliases: There are no other names known for Spammer:Win32/Cetsiol.A.
Explanation:
Threat behavior
Installation
This threat can be installed by other malware, such as Win32/Emotet.
It does not create any registry entries or install any executable files, except for the following .bat file that it uses to delete itself after it has run:
- %APPDATA%\_tmpxqr.bat
Payload
Sends spam emails
The malware can connect to the following remote hosts through HTTP to retrieve configuration information:
The configuration information includes instructions for sending spam emails, along with previously stolen email accounts and passwords. The malware logs into the stolen accounts and sends spam emails that include links to download Trojan:Win32/Emotet.C.
Analysis by Steven Zhou
Symptoms
Alerts from your security software might be the only symptom.
Last update 24 December 2014