A mail worm distributed via file exchange services. Links to these services are spread through emails titled “Re: From Otvety@Mail.Ru” («Ответы@Mail.Ru»). The worm is a RAR archive containing the setup.exe executable file and the readme.doc document. The encrypted malware is stored in this document.
The file containing the malicious program is decrypted and saved to %Program%\WinRar\fmt.dll. DLL decrypts the executable file and runs it. Then it copies itself to %Program%\WinRar\MDM.exe and specifies the following parameters in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MDM.exe=%Program%\WinRar\MDM.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA=0, EnableSecureUIAPaths=0
SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values\MACHINE/Software/Microsoft/Windows/CurrentVersion/Policies/System/EnableLUA ValueType=0
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA=0, EnableSecureUIAPaths=0
SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values\MACHINE/Software/Microsoft/Windows/CurrentVersion/Policies/System/EnableLUA ValueType=0
S-1-5-21-16274667-177076454-568880354-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA=0The Trojan creates the mutex bd0dd71ed66691fa2a25ebaea3738013, which indicates the end of the installation, and runs mdm.exe.
Payload
Mdm.exe gets the country-related information via 2ip.ru and gathers the data on the OS and the hard drive serial number. Then it downloads the alqon.exe program, gets the configuration file containing email and SMTP server connection parameters. Once it establishes a connection to the smtp.mail.ru server, Win32.HLLM.MailSpamer initiates a mass mailing using the parameters specified in the configuration file. Moreover, the Trojan can send emails using web interface.
