Spammer:Win32/Junintian.A
First posted on 14 February 2017.
Source: Microsoft
Aliases:
There are no other names known for Spammer:Win32/Junintian.A.
Explanation:
This threat is a spammer Trojan. It connects to the following IP address to retrieve the commands and settings that drive its spamming activity:
- 91.220.131.93 via UDP port 50014
From that IP address it can:
- Download mailing list
- Download proxies
- Download settings
We have seen this threat use the following SMTP servers to send out spam:
- external.newsubdomain.com
- group21.345mail.com
- m1.gns.snv.thisdomainl.com
- mail.gimmicc.net
- mail.naihautsui.co.kr
- mail.webhostings4u.com
- mailout.endmonthnow.com
- mmx09.tilkbans.com
- mtu23.bigping.com
- mx.reskind.net
- mx03.listsystemsf.net
- mxs.perenter.com
- nntp.pinxodet.net
- public.micromail.com.au
- qnx.mdrost.com
- qrx.quickslick.com
- relay.2yahoo.com
- relay37.vosimerkam.net
- rly04.hottestmile.com
- rsmail.alkoholic.net
- smtp.doneohx.com
- smtp.endend.nl
- smtp.mixedthings.net
- smtp18.yenddx.com
- smtp4.cyberemailings.com
- smtp-server1.cfdenselr.com
- snmp.otwaloow.com
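The C2 address, port and SMTP relay names above are the network indicators a responder would sweep for. The following is an added example of that sweep, not tooling from Microsoft or from the entry itself: it runs over a few constructed firewall and DNS log lines (the `key=value` field format is an assumption; adapt `parse_kv` to your own export) and flags the UDP 50014 beacon to 91.220.131.93 and DNS lookups of the listed relays. It also goes one step beyond the entry with a generic check that is useful for any spam bot of this kind: a workstation opening direct TCP/25 connections to several distinct destinations.

```python
"""Network-indicator sweep for Spammer:Win32/Junintian.A.
Added example; log lines below are constructed, not captured traffic."""
import re
from collections import defaultdict

# Indicators copied from the entry above.
C2_IP = "91.220.131.93"
C2_PORT = "50014"
C2_PROTO = "udp"
SPAM_SMTP_HOSTS = frozenset("""
external.newsubdomain.com group21.345mail.com m1.gns.snv.thisdomainl.com
mail.gimmicc.net mail.naihautsui.co.kr mail.webhostings4u.com
mailout.endmonthnow.com mmx09.tilkbans.com mtu23.bigping.com mx.reskind.net
mx03.listsystemsf.net mxs.perenter.com nntp.pinxodet.net
public.micromail.com.au qnx.mdrost.com qrx.quickslick.com relay.2yahoo.com
relay37.vosimerkam.net rly04.hottestmile.com rsmail.alkoholic.net
smtp.doneohx.com smtp.endend.nl smtp.mixedthings.net smtp18.yenddx.com
smtp4.cyberemailings.com smtp-server1.cfdenselr.com snmp.otwaloow.com
""".split())

# Constructed sample: one firewall log and one DNS log, same format (assumption).
SAMPLE_LOG = """\
2017-02-14T10:00:01 proto=udp src=10.0.0.5 dst=91.220.131.93 dport=50014 action=allow
2017-02-14T10:00:02 proto=tcp src=10.0.0.5 dst=203.0.113.10 dport=443 action=allow
2017-02-14T10:00:03 query=mail.gimmicc.net. client=10.0.0.5 type=A
2017-02-14T10:00:04 query=www.example.com. client=10.0.0.7 type=A
2017-02-14T10:00:05 proto=tcp src=10.0.0.5 dst=198.51.100.20 dport=25 action=allow
2017-02-14T10:00:06 proto=tcp src=10.0.0.5 dst=198.51.100.21 dport=25 action=allow
2017-02-14T10:00:07 proto=tcp src=10.0.0.5 dst=198.51.100.22 dport=25 action=allow
2017-02-14T10:00:08 proto=tcp src=10.0.0.9 dst=198.51.100.20 dport=25 action=allow
"""


def parse_kv(line):
    """Split a 'key=value key=value' log line into a dict (assumed format)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def classify(line):
    """Return an indicator tag for one log line, or None if it matches nothing."""
    f = parse_kv(line)
    if (f.get("proto", "").lower() == C2_PROTO
            and f.get("dst") == C2_IP and f.get("dport") == C2_PORT):
        return "c2-udp-50014"
    # DNS logs often keep the trailing dot of the FQDN; normalise before lookup.
    if f.get("query", "").rstrip(".").lower() in SPAM_SMTP_HOSTS:
        return "spam-smtp-dns"
    return None


def sweep(log_text):
    """Return [(tag, line), ...] for every line that hits an indicator."""
    hits = []
    for line in log_text.splitlines():
        tag = classify(line)
        if tag:
            hits.append((tag, line))
    return hits


def direct_smtp_sources(log_text, min_destinations=3):
    """Generic spam-bot heuristic (beyond the entry): internal hosts that open
    TCP/25 to at least min_destinations distinct servers. Mail clients relay
    through one MTA; a host that talks to many MTAs is sending spam itself."""
    dests = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_kv(line)
        if f.get("proto", "").lower() == "tcp" and f.get("dport") == "25" \
                and "src" in f and "dst" in f:
            dests[f["src"]].add(f["dst"])
    return {src: len(d) for src, d in dests.items() if len(d) >= min_destinations}


if __name__ == "__main__":
    for tag, line in sweep(SAMPLE_LOG):
        print(tag, "<-", line)
    print("direct SMTP senders:", direct_smtp_sources(SAMPLE_LOG))
```

Tune `min_destinations` to your environment; on a network where workstations are never allowed to originate TCP/25, a threshold of 1 is appropriate and the egress rule itself is the better control.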
It installs itself as a service named s3svc. The registry entries below are not the service's own key (that would sit directly under HKLM\SYSTEM\CurrentControlSet\Services) but the event log source registration for that name, which lets the component write to the Application log with no message file:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\s3svc
Sets value: "EventMessageFile"
With data: ""
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\s3svc
Sets value: "TypesSupported"
With data: "0x00000007" (REG_DWORD)
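The two values above are a compact host-based indicator: an Application log event source named s3svc whose EventMessageFile is empty and whose TypesSupported is 7 (error, warning and information). The following is an added example of checking for them in a registry export (`reg export HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application app.reg` produces this text format); it is not a scanner published with the entry, and the export below is constructed. It also generalises slightly: `empty_message_file_sources` lists every Application source with an empty message file, since a registered source that points at no message DLL is unusual for legitimate software and worth reviewing even when the name differs.

```python
"""Registry-export check for the Spammer:Win32/Junintian.A event source.
Added example; the .reg text below is constructed, not taken from a victim host."""
import re

# Subkey from the entry, in the HKEY_LOCAL_MACHINE form used by .reg exports.
SUBKEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\s3svc"

# Constructed export: the malicious source next to a fictional legitimate one.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\s3svc]
"EventMessageFile"=""
"TypesSupported"=dword:00000007

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\SomeLegitApp]
"EventMessageFile"="C:\\Program Files\\SomeLegitApp\\app.exe"
"TypesSupported"=dword:00000007
"""


def parse_reg_export(text):
    """Return {subkey: {value_name: raw_data}} from .reg export text.
    Raw data is kept as written ('""' for an empty string, 'dword:...' for DWORDs)."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            keys[current][name.strip('"')] = data
    return keys


def reg_dword(data):
    """Convert 'dword:00000007' to an int; None if data is not a DWORD."""
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", data or "")
    return int(m.group(1), 16) if m else None


def matches_junintian_eventsource(text):
    """True if the export contains the s3svc source exactly as the entry describes."""
    values = parse_reg_export(text).get(SUBKEY)
    if values is None:
        return False
    return (values.get("EventMessageFile") == '""'
            and reg_dword(values.get("TypesSupported")) == 7)


def empty_message_file_sources(text):
    """Broader hunt: names of Application log sources registered with an empty
    EventMessageFile, whatever they are called."""
    prefix = SUBKEY.rsplit("\\", 1)[0] + "\\"
    found = []
    for key, values in parse_reg_export(text).items():
        if key.startswith(prefix) and values.get("EventMessageFile") == '""':
            found.append(key[len(prefix):])
    return found


if __name__ == "__main__":
    print("s3svc indicator present:", matches_junintian_eventsource(SAMPLE_EXPORT))
    print("sources with empty message file:", empty_message_file_sources(SAMPLE_EXPORT))
```

A hit on the event source alone is strong but not final; confirm on the host by checking for a service of the same name under HKLM\SYSTEM\CurrentControlSet\Services and for the UDP 50014 traffic to 91.220.131.93 described above.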
Analysis by Francis Tan Seng
Last update 14 February 2017