Effects
Mailbot.GA carries out the following actions:
- It uses the affected computer as a platform to send large volumes of spam to other computers.
- It redirects traffic to certain Internet sites.
- It uses rootkit techniques to make its detection more difficult.
- It is designed to download and install instant messaging programs on the computer.
Infection strategy
Mailbot.GA creates a file called LZX32.SYS in the Windows system directory. This file hides the files and registry entries created by the worm.
Additionally, it modifies the system file NDIS.SYS in order to bypass the Windows firewall and alter how packets are transferred over the network.
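Because LZX32.SYS hides the worm's files on a running system, a check for these two artefacts is more reliable against a disk image mounted on a clean analysis machine. The following triage sketch is an added example, not part of the original description. It assumes the analyst supplies the SHA-256 of a clean NDIS.SYS from the same Windows build, and the function names and the sample directory layout are constructed for illustration.

```python
import hashlib
import os
import tempfile

ROOTKIT_DRIVER = "lzx32.sys"  # file name given in the description above
PATCHED_DRIVER = "ndis.sys"   # system file the description says is modified


def sha256_of(path):
    """SHA-256 of a file's contents (drivers are small enough to read whole)."""
    with open(path, "rb") as handle:
        return hashlib.sha256(handle.read()).hexdigest()


def triage(windows_dir, known_good_ndis_sha256):
    """Return (finding, path) tuples for an offline-mounted Windows directory."""
    findings, ndis_seen = [], False
    for folder, _subdirs, files in os.walk(windows_dir):
        for name in files:
            path = os.path.join(folder, name)
            lowered = name.lower()  # Windows file names are case-insensitive
            if lowered == ROOTKIT_DRIVER:
                findings.append(("rootkit-driver-present", path))
            elif lowered == PATCHED_DRIVER:
                ndis_seen = True
                if sha256_of(path) != known_good_ndis_sha256.lower():
                    findings.append(("ndis-hash-mismatch", path))
    if not ndis_seen:  # a Windows directory without NDIS.SYS is itself anomalous
        findings.append(("ndis-missing", windows_dir))
    return findings


def build_sample_tree(infected):
    """Constructed sample data: a fake Windows directory with placeholder bytes."""
    root = tempfile.mkdtemp()
    drivers = os.path.join(root, "System32", "drivers")
    os.makedirs(drivers)
    clean = b"constructed clean NDIS placeholder"
    with open(os.path.join(drivers, "NDIS.SYS"), "wb") as f:
        f.write(clean + (b" patched" if infected else b""))
    if infected:
        with open(os.path.join(root, "System32", "LZX32.SYS"), "wb") as f:
            f.write(b"constructed placeholder")
    return root, hashlib.sha256(clean).hexdigest()


if __name__ == "__main__":
    print(triage(*build_sample_tree(infected=True)))
```

Backup copies of NDIS.SYS from other service-pack levels elsewhere in the tree will also report a hash mismatch, so each finding needs review against the path it was found in.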
Means of transmission
Mailbot.GA uses the following means to spread:
1. Email
It reaches the computer in an email message telling users that they have purchased an airplane ticket and that a certain sum of money has been charged to their credit card.
The message has an attached file that appears to contain the invoice and airplane ticket.
The following image belongs to the message the worm uses to spread:

The attached file is a compressed file with a ZIP extension. Once decompressed, if the executable file is run, the computer will be affected by Mailbot.GA.
This file has the following icon:

Then, it sends this message to the contacts included in the user's address book.
2. Instant messaging programs
It sends instant messages containing an attached file through instant messaging programs such as MSN Messenger.
Further Details
Mailbot.GA is 28,672 bytes in size.