Effects
Spammer.AOX is designed to send spam messages in bulk. To do so, it carries out the following actions:
- It reaches the computer in a file with the following icon:

- It connects to the following website in order to obtain the spam messages to be sent:
zok<blocked>ws.com
- The Trojan has a list of SMTP server addresses which it uses to send spam messages. Some of them are the following:
- The spam messages which it sends contain advertisements about several pharmaceutical products and a link to a website where these products can be purchased.
- The messages it sends have the same content, but the subject changes. It can be any of the following, among others:
  - Order Vicodin, Hydrocodone, Paracod, Codeine, Phentermin at CheapestPrice on net. 100% NoPrescription + FDA APPROVED, FedEx shipping and FREE BONUS pills with every order!
  - Vicodin, Codeine, Hydrocodone, Phentermin, Valiun, Ambiem, Xanas Buy Online Safely, FedEx/UPS, NoPrescriptionNeeded - We accept MASTER CARD/VISA
  - Vicodin ES, Codeine, Phentermin37,5, Hydrocodone, Ambiem, Xanas, Valiun, VERY HOT DEMANDING! VISA+MASTER ACCEPTED
- An example of the message it sends is the following:

Infection strategy
Spammer.AOX creates a file with a random name in the Windows system directory. It creates this file with hidden attributes in order to make its detection more difficult.
The following is an example of the name with which it is copied to the system:
5EADFAI.EXE
Spammer.AOX creates the following entries in the Windows Registry, in order to be automatically run whenever Windows is started:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
fie1l = %sysdir%\5eadfai.exe
where %sysdir% is the Windows system directory.
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Taskman = %sysdir%\5eadfai.exe
Spammer.AOX modifies the following Windows Registry entry:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon
Shell = explorer.exe,
It changes this entry to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon
Shell = explorer.exe,%sysdir%\5eadfai.exe,
By modifying this entry, Spammer.AOX ensures that it is run whenever Windows is started.
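The following PowerShell script is an added example, not part of the original description: a read-only audit of the three autostart locations listed above (the Run value, the Winlogon Taskman value and the Winlogon Shell value). The helper names Add-Finding and Get-RegValue are hypothetical, and the clean-system baseline (Shell is exactly explorer.exe, no Taskman value) is an assumption stated in the comments.

```powershell
# Added example: read-only audit of the autostart locations this page describes.
# Assumption: on a clean system Shell is exactly "explorer.exe" and Taskman is absent.
$sysdir   = [Environment]::SystemDirectory
$findings = @()

function Add-Finding([string]$Location, [string]$Value, [string]$Reason) {
    $script:findings += [pscustomobject]@{ Location = $Location; Value = $Value; Reason = $Reason }
}

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    $regKey = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($regKey) { $regKey.GetValue($Name) }
}

# 1. Winlogon Shell: anything listed besides explorer.exe also starts at logon.
#    The first path is the one printed on the page; the second is the Windows NT Winlogon key.
$winlogonKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon',
                'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
foreach ($key in $winlogonKeys) {
    $shell = Get-RegValue $key 'Shell'
    if ($shell) {
        $extra = $shell -split ',' | ForEach-Object { $_.Trim() } |
                 Where-Object { $_ -and $_ -ne 'explorer.exe' }
        if ($extra) { Add-Finding "$key\Shell" $shell 'extra program appended to Shell' }
    }
    # 2. Winlogon Taskman: flag any value at all (assumed absent on a clean system).
    $taskman = Get-RegValue $key 'Taskman'
    if ($taskman) { Add-Finding "$key\Taskman" $taskman 'Taskman value present' }
}

# 3. HKCU Run: entries that launch a hidden .exe located directly in the system directory.
$runPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runKey  = Get-Item -Path $runPath -ErrorAction SilentlyContinue
if ($runKey) {
    foreach ($name in $runKey.GetValueNames()) {
        $cmd = [string]$runKey.GetValue($name)
        if ($cmd -notmatch '^"?([^"]+?\.exe)') { continue }
        $exe = $Matches[1]
        if ((Split-Path $exe -Parent) -ne $sysdir) { continue }
        $file = Get-Item -LiteralPath $exe -Force -ErrorAction SilentlyContinue
        if ($file -and ($file.Attributes -band [IO.FileAttributes]::Hidden)) {
            Add-Finding "$runPath\$name" $cmd 'hidden executable in system directory'
        }
    }
}

$findings | Format-Table -AutoSize -Wrap
```

An empty result means none of the three locations deviates from the assumed baseline; each row that does appear names the value to inspect by hand.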
Means of transmission
Spammer.AOX does not spread automatically using its own means. It needs an attacking user's intervention in order to reach the affected computer. The means of transmission used include, among others, removable drives like USB keys, CD-ROMs, email messages with attached files, Internet downloads, FTP, IRC channels, peer-to-peer (P2P) file sharing networks, etc.
Further Details
Spammer.AOX is written in the programming language Visual C++. This Trojan is 44,544 bytes in size.