Home / malware HackTool:Win32/SmptMailStress
First posted on 25 January 2016.
Source: MicrosoftAliases :
There are no other names known for HackTool:Win32/SmptMailStress.
Explanation :
Installation
This threat can create files on your PC, including:
- %ProgramFiles%\quickmail\uninsfiles\botva2.dll
- %ProgramFiles%\quickmail\uninsfiles\callbackctrl.dll
- %ProgramFiles%\quickmail\uninsfiles\unins000.exe
- %ProgramFiles%\quickmail\uninsfiles\webctrl.dll
- %ProgramFiles%\quickmail\uninsfiles\wlistviewex.dll
- %ProgramFiles%\quickmail\uninsfiles\wsysinfo.dll
- %ProgramFiles%\quickmail\quickmailhtml.exe
- %TEMP%\is-8f72v.tmp\_isetup\_shfoldr.dll
- %TEMP%\is-8f72v.tmp\botva2.dll
- %TEMP%\is-8f72v.tmp\wsysinfo.dll
The malware uses code injection to make it harder to detect and remove. It can inject code into running processes.
Payload
Connects to a remote host
We have seen this threat connect to a remote host, including:Malware can connect to a remote host to do any of the following:
- count.ebara.cc using port 80
- ip.taobao.com using port 80
- update.ttu998d.com using port 80
- Check for an Internet connection
- Download and run files (including updates or other malware)
- Report a new infection to its author
- Receive configuration or other data
- Receive instructions from a malicious hacker
- Search for your PC location
- Upload information taken from your PC
- Validate a digital certificate
Creates an uninstaller
This threat can create an uninstaller by modifying the registry. For example:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\QuickMail_is1
Sets value: "Comments"
With data: "quickmail"
Sets value: "DisplayIcon"
With data: "%ProgramFiles%\quickmail\quickmail.exe"
This malware description was published using automated analysis of file SHA1 b2b7113329cd50d9b77f2d5a23053ab463ec343a.Last update 25 January 2016
