Posted by Virus Guy on October 21, 2006, 12:47 pm
http://www.secureworks.com/analysis/spamthru/
"Like many viruses and trojans, SpamThru attempts to prevent installed anti-virus software from downloading updates by adding entries into the %sysdir%\drivers\etc\hosts file pointing the AV update sites to the localhost address.

In the past, we've also seen malware which tries to uproot other competing malware on an infected system by killing its processes, removing its registry keys, or setting up mutexes which fool the other malware into thinking it is already running and then exiting at start.

SpamThru takes the game to a new level, actually using an antivirus engine against potential rivals. At startup, SpamThru requests and loads a DLL from the control server. This DLL in turn downloads a pirated copy of Kaspersky AntiVirus for WinGate from the control server into a concealed directory on the infected system. It patches the license signature check in-memory in the Kaspersky DLL in order to avoid having Kaspersky refuse to run due to an invalid or expired license. Ten minutes after the download of the DLL, it begins to scan the system for malware, skipping files which it detects are part of its own installation. Any other malware found on the system is then set up to be deleted by Windows at the next reboot."
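The hosts-file trick in the first paragraph of the quote is easy to audit from the defender's side: any entry that maps a name other than localhost to a loopback or unspecified address is worth a look. The following Python is an added example written for this post, not code from SecureWorks or from the SpamThru analysis. The hosts file content is constructed, the `.test` hostnames are placeholders rather than the update sites the trojan actually targeted, and `LEGIT_LOOPBACK_NAMES` is an assumed allow-list you would extend for your environment.

```python
import ipaddress
import os

# Constructed sample of a Windows hosts file showing the pattern described
# in the SecureWorks write-up: update hostnames pinned to loopback (or to
# 0.0.0.0, which has the same effect). Hostnames are placeholders.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
::1             localhost
127.0.0.1       updates.example-av.test   # added by malware
0.0.0.0         liveupdate.example-av.test
10.0.0.5        intranet.corp.example
127.0.0.1       av.example.test  www.av.example.test
"""

# Names that legitimately resolve to loopback (assumed allow-list).
LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return a list of (ip, hostname, line_no) tuples from hosts-file text.

    Comments (everything after '#') are stripped, blank and malformed lines
    are skipped, and a line with several hostnames yields one tuple per name.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # an address with no hostname is not a mapping
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name.lower(), line_no))
    return entries


def is_sinkhole(ip):
    """True if ip is a loopback (127/8, ::1) or unspecified (0.0.0.0, ::) address."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # not a parseable address; leave it for a human
    return addr.is_loopback or addr.is_unspecified


def find_sinkholed_hosts(text, allow=LEGIT_LOOPBACK_NAMES):
    """Return (line_no, ip, hostname) for every non-allow-listed name sent to a sinkhole."""
    return [
        (line_no, ip, name)
        for ip, name, line_no in parse_hosts(text)
        if name not in allow and is_sinkhole(ip)
    ]


def system_hosts_path():
    """Path of the live hosts file: %SystemRoot%\\System32\\drivers\\etc\\hosts on Windows."""
    root = os.environ.get("SystemRoot")
    if root:
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


if __name__ == "__main__":
    # Audit the constructed sample; pass open(system_hosts_path()).read() to audit the host.
    for line_no, ip, name in find_sinkholed_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}")
```

Treating `0.0.0.0` the same as `127.0.0.1` matters: both stop the update client from reaching its server, and either one against a vendor's update hostname is the same finding. Entries pointing at a routable address (like the intranet line above) are not flagged, since redirecting to a third host is a different, noisier tell that deserves its own rule.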