
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Spamta.WF

 
  • Threat level: Moderate threat
  • Damage: High
  • Distribution: Not widespread

Effects 

Spamta.WF sends the Trojan detected as SpamtaLoad.BL via email in a message with the following characteristics:

  • Subject: one of the following:
    Error
    Good day
    hello
    Mail Delivery System
    Mail server report.
    Mail Transaction Failed
    picture
    Server Report
    Status
    Test
  • Message: one of the following:
    Message 1
    Mail server report.

    Our firewall determined the e-mails containing worm copies are being sent from your computer.

    Nowadays it happens from many computers, because this is a new virus type (Network Worms).

    Using the new bug in the Windows, these viruses infect the computer unnoticeably.
    After the penetrating into the computer the virus harvests all the e-mail addresses and sends the copies of itself to these e-mail
    addresses

    Please install updates for worm elimination and your computer restoring.

    Best regards,
    Customers support service


    Message 2
    Mail transaction failed. Partial message is available.

    Message 3
    The message contains Unicode characters and has been sent
    as a binary attachment.


    Message 4
    The message cannot be represented in 7-bit ASCII encoding
    and has been sent as a binary attachment
  • Attached file: the file name consists of one of the following names followed by two extensions:
    BODY
    DATA
    DOC
    DOCS
    DOCUMENT
    FILE
    MESSAGE
    README
    TEST
    TEXT

    The first extension is any of the following:
    DAT
    ELM
    LOG
    MSG
    TXT

    and the second extension is any of the following:
    CMD
    DAT
    EXE
    PIF
    SCR

  • These files belong to Trj/SpamtaLoad.DW.
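The message characteristics listed above can be turned into a mail-filter check. The following is an added example, not Panda Security's code: it blocks on the name-plus-two-extensions attachment pattern and only flags the generic subjects for review, since subjects such as "hello" or "Test" are common in legitimate mail. The function names and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# Indicator values transcribed from the lists above.
SUBJECTS = {"error", "good day", "hello", "mail delivery system",
            "mail server report.", "mail transaction failed", "picture",
            "server report", "status", "test"}
NAMES = "BODY|DATA|DOC|DOCS|DOCUMENT|FILE|MESSAGE|README|TEST|TEXT"
FIRST_EXT = "DAT|ELM|LOG|MSG|TXT"
SECOND_EXT = "CMD|DAT|EXE|PIF|SCR"
# name.first.second, case-insensitive; fullmatch() rejects extra suffixes.
ATTACHMENT_RE = re.compile(
    rf"(?:{NAMES})\.(?:{FIRST_EXT})\.(?:{SECOND_EXT})", re.IGNORECASE)


def attachment_names(msg):
    """Return the file name of every MIME part that declares one."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def classify(raw_message):
    """Return 'block', 'review' or 'pass' for one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    subject = (msg.get("Subject") or "").strip().lower()
    names = attachment_names(msg)
    if any(ATTACHMENT_RE.fullmatch(n.strip()) for n in names):
        return "block"    # the double-extension name is specific enough
    if subject in SUBJECTS and names:
        return "review"   # listed subject with some other attachment
    return "pass"


def build_sample(subject, filename):
    """Constructed test message; not a captured sample."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content("constructed body")
    m.add_attachment(b"constructed", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()


if __name__ == "__main__":
    for subj, name in [("Mail Transaction Failed", "document.txt.scr"),
                       ("hello", "photo.jpg"),
                       ("Quarterly numbers", "report.pdf")]:
        print(subj, name, "->", classify(build_sample(subj, name)))
```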

Infection strategy 

Spamta.WF creates the following files:

  • HPSYS32.EXE, in the Windows directory. This file is a copy of the worm.
  • E1.DLL, in the Windows system directory.

 

Spamta.WF creates the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    hpsys = %windir%\hpsys32.exe s

    where %windir% is the Windows directory.
    By creating this entry, Spamta.WF ensures that it is run whenever Windows is started.
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs = e1.dll

    By creating this entry, Spamta.WF ensures that the DLL (Dynamic Link Library) named in it (E1.DLL) is loaded by each Windows application that runs in the current logon session.

Means of transmission 

Spamta.WF reaches the computer when it is downloaded by Trj/SpamtaLoad.DW.

Further Details  

Spamta.WF is written in the programming language Visual C++ v7. This worm is 134,784 bytes in size.