
Trojan.Spambot.AZ


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Trojan.Spambot.AZ is also known as Trojan.Spabot.

Explanation:

This is a trojan which:

- stops, disables and deletes the following services: wscsvc (Security Center service; a service that displays notifications about the firewall and antivirus software installed on the computer); SharedAccess (Windows Firewall service); kavsvc; SAVScan; Symantec Core LC; navapsvc; wuauserv (Auto Update Service);

- deletes the registry key that would allow Kaspersky AntiVirus to start after each reboot: Software\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50;

- continuously searches for notification windows displayed by various firewall applications and closes them. In this way, the trojan bypasses some security applications by telling them that the user allows this program to connect to various Internet addresses (the firewalls that this trojan tries to trick are: ZoneAlarm, Outpost1, Outpost2, Outpost3, Sygate Personal Firewall Pro, WinRoute, McAfee Personal Firewall);

- sends reports about its actions to a server with the IP 211.233.58.116;

- grants itself the right to bypass the firewall service provided by SharedAccess by adding itself to the following registry key: SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List;

- randomly chooses one of the following domains and determines the mail (SMTP) server of that domain: gmail.com, yahoo.com, netscape.com, aol.com, hotmail.com;

- is remotely controlled in order to send spam to the chosen mail server.
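The behaviours above leave host-side traces that an analyst can check for without running anything from the sample: the state of the named services, the Kaspersky Run value, and the contents of the legacy firewall AuthorizedApplications list. The following read-only audit script is an added example, not part of the BitDefender description; the service names and registry paths come from the description, while the function name, the output format and the choice of checks are assumptions about how a responder would go about it. The AuthorizedApplications\List key belongs to the Windows XP-era firewall and will simply be reported as absent on newer systems.

```powershell
# Added example (not BitDefender's code): read-only audit for the traces
# described in the Trojan.Spambot.AZ entry. Run in an elevated PowerShell.

function Invoke-SpambotAudit {
    # Service names taken from the description. The third-party ones (kavsvc,
    # SAVScan, Symantec Core LC, navapsvc) are only meaningful if that product
    # is installed, so their absence alone is not a finding.
    $services = @('wscsvc', 'SharedAccess', 'kavsvc', 'SAVScan',
                  'Symantec Core LC', 'navapsvc', 'wuauserv')
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $fwList = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\' +
              'FirewallPolicy\StandardProfile\AuthorizedApplications\List'

    $findings = @()

    # 1. Services the trojan stops, disables or deletes: flag anything that is
    #    missing, disabled or not running.
    foreach ($name in $services) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) {
            $findings += "service '$name' is not present"
            continue
        }
        $startMode = (Get-CimInstance -ClassName Win32_Service `
                        -Filter "Name='$name'").StartMode
        if ($startMode -eq 'Disabled' -or $svc.Status -ne 'Running') {
            $findings += "service '$name' is $($svc.Status) (start mode: $startMode)"
        }
    }

    # 2. The Kaspersky autostart value the trojan deletes. Only relevant when
    #    Kaspersky AntiVirus is installed on the host being checked.
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and ($run.PSObject.Properties.Name -notcontains 'KAVPersonal50')) {
        $findings += "Run value 'KAVPersonal50' is absent (expected if Kaspersky is installed)"
    }

    # 3. Every program that has been authorised to bypass the SharedAccess
    #    firewall. The trojan adds itself here, so review each entry; entries
    #    whose executable no longer exists on disk are flagged separately.
    $list = Get-ItemProperty -Path $fwList -ErrorAction SilentlyContinue
    if (-not $list) {
        $findings += "AuthorizedApplications\List key is absent (normal on Vista and later)"
    } else {
        foreach ($p in $list.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath, ... as metadata; skip them.
            if ($p.Name -like 'PS*') { continue }
            $exe = $p.Name
            $state = if (Test-Path -LiteralPath $exe) { 'present' } else { 'MISSING ON DISK' }
            $findings += "firewall-authorised application: $exe ($state) -> $($p.Value)"
        }
    }

    return $findings
}

Invoke-SpambotAudit | ForEach-Object { Write-Output $_ }
```

Treat the output as leads rather than verdicts: a disabled wuauserv or a stopped Security Center can have administrative causes, and the interesting signal is the combination of a silenced Security Center, a stopped firewall service and an unfamiliar executable in the authorised-applications list.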

Last update 21 November 2011
