Win32.HLLM.MailSpamer

Added to the Dr.Web virus database: 2011-10-24

Virus description added:

A mail worm distributed via file-sharing services. Links to these services are spread through emails titled “Re: From Otvety@Mail.Ru” («Ответы@Mail.Ru»). The worm is a RAR archive containing the setup.exe executable file and the readme.doc document; the encrypted malware body is stored inside this document.

The malicious program is decrypted from the document and saved as %Program%\WinRar\fmt.dll. The DLL in turn decrypts the executable file and runs it. It then copies itself to %Program%\WinRar\MDM.exe and writes the following values to the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MDM.exe=%Program%\WinRar\MDM.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA=0, EnableSecureUIAPaths=0
SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values\MACHINE/Software/Microsoft/Windows/CurrentVersion/Policies/System/EnableLUA ValueType=0
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA=0, EnableSecureUIAPaths=0
SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\SeCEdit\Reg Values\MACHINE/Software/Microsoft/Windows/CurrentVersion/Policies/System/EnableLUA ValueType=0
S-1-5-21-16274667-177076454-568880354-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA=0

The Trojan creates the mutex bd0dd71ed66691fa2a25ebaea3738013, which marks the end of the installation, and then runs mdm.exe.
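The persistence and UAC-weakening indicators listed above can be triaged from a registry snapshot and a list of open named objects. The following is an added example written for this page, not Dr.Web code. It evaluates already-parsed data (a list of (key, value name, data) tuples and a list of object-manager handle names) rather than the live registry, so it runs on any platform; on a Windows host the tuples can be produced with winreg or a `reg export`. The snapshot and handle list below are constructed sample data, and the expansion of Dr.Web's %Program% placeholder to C:\Program Files is an assumption.

```python
"""Host triage for the Win32.HLLM.MailSpamer indicators in the description.
Added example, not Dr.Web code; input data is constructed."""

from typing import Iterable, List, Tuple

RegValue = Tuple[str, str, object]  # (key path, value name, data)

# Autorun location and target from the description (%Program% assumed to expand
# to C:\Program Files). Matching is case-insensitive because the page itself
# spells the file both MDM.exe and mdm.exe.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_TARGET_SUFFIX = r"\winrar\mdm.exe"

# Policy keys the worm writes (native, Wow6432Node and per-user copies all end
# in this suffix) and the two values it forces to 0.
POLICY_SUFFIX = r"microsoft\windows\currentversion\policies\system"
UAC_VALUES = {"EnableLUA", "EnableSecureUIAPaths"}

# Mutex that marks a completed installation.
MUTEX_NAME = "bd0dd71ed66691fa2a25ebaea3738013"


def _is_zero(data: object) -> bool:
    """Accept the int 0 and the string forms a registry export may use."""
    return str(data).strip().lower() in ("0", "0x0", "0x00000000", "dword:00000000")


def check_registry(values: Iterable[RegValue]) -> List[str]:
    """Return one finding per registry value that matches the description."""
    findings = []
    for key, name, data in values:
        k = key.lower()
        if k == RUN_KEY.lower() and name.lower() == "mdm.exe" \
                and str(data).lower().endswith(RUN_TARGET_SUFFIX):
            findings.append(f"Run entry: {name} -> {data}")
        elif k.endswith(POLICY_SUFFIX) and name in UAC_VALUES and _is_zero(data):
            findings.append(f"UAC weakened: {key}\\{name} = 0")
    return findings


def check_mutexes(handles: Iterable[str]) -> List[str]:
    """Return handle names whose object name is the installation mutex."""
    return [h for h in handles if h.lower().endswith(MUTEX_NAME)]


def triage(values: Iterable[RegValue], handles: Iterable[str]) -> dict:
    """Combine both checks; the Run entry plus a zeroed EnableLUA is the
    combination the description documents, either alone is only a lead."""
    reg = check_registry(values)
    mtx = check_mutexes(handles)
    has_run = any(f.startswith("Run entry") for f in reg)
    has_uac = any("EnableLUA" in f for f in reg)
    return {"registry": reg, "mutex": mtx, "matches_description": has_run and has_uac}


# Constructed sample snapshot: three keys from the description plus one benign
# Run entry that must not be flagged.
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
WOW_POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System"
SAMPLE_REGISTRY: List[RegValue] = [
    (RUN_KEY, "MDM.exe", r"C:\Program Files\WinRar\MDM.exe"),
    (POLICY_KEY, "EnableLUA", 0),
    (POLICY_KEY, "EnableSecureUIAPaths", "dword:00000000"),
    (WOW_POLICY_KEY, "EnableLUA", 0),
    (RUN_KEY, "Updater", r"C:\Program Files\Vendor\updater.exe"),  # benign
]
# Constructed handle list in object-manager notation; only the first matches.
SAMPLE_HANDLES = [
    r"\Sessions\1\BaseNamedObjects\bd0dd71ed66691fa2a25ebaea3738013",
    r"\Sessions\1\BaseNamedObjects\SM0:1234:304:WilStaging_02",
]

if __name__ == "__main__":
    for line in triage(SAMPLE_REGISTRY, SAMPLE_HANDLES)["registry"]:
        print(line)
```

The policy match uses the key suffix on purpose: the description shows the same EnableLUA=0 write under the native key, the Wow6432Node mirror and a per-user SID, and a suffix match catches all three without hard-coding the SID from the analysed machine.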

Payload

Mdm.exe obtains country (geolocation) information from 2ip.ru and collects data on the OS and the hard-drive serial number. It then downloads the alqon.exe program and retrieves a configuration file containing the email and SMTP server connection parameters. Once it has connected to the smtp.mail.ru server, Win32.HLLM.MailSpamer starts a mass mailing using the parameters from the configuration file. The Trojan can also send emails through a web interface.
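On the network side, the sequence in the payload paragraph (a lookup to 2ip.ru followed by a burst of SMTP sessions to smtp.mail.ru) is more useful than either destination on its own, since smtp.mail.ru is a legitimate mail server for many users. The following is an added example, not Dr.Web code, that correlates the two over proxy or flow log lines. The log format ("<ISO timestamp> <source host> <destination host> <destination port>"), the 30-minute window and the session threshold are assumptions; the log lines are constructed.

```python
"""Correlate the geolocation lookup with a subsequent SMTP burst, per source
host. Added example, not Dr.Web code; the log format and thresholds are
assumptions and the sample log is constructed."""

from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

GEO_HOST = "2ip.ru"            # geolocation service named in the description
SMTP_HOST = "smtp.mail.ru"     # mailing server named in the description
SMTP_PORTS = {25, 465, 587}
WINDOW = timedelta(minutes=30)  # assumed: how long after the lookup to watch
SMTP_THRESHOLD = 20             # assumed: sessions in WINDOW that count as a burst

Event = Tuple[datetime, str, str, int]


def parse(lines: Iterable[str]) -> List[Event]:
    """Parse '<ISO timestamp> <src> <dst> <port>' lines; skip malformed ones."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, port = parts
        try:
            events.append((datetime.fromisoformat(ts), src, dst, int(port)))
        except ValueError:
            continue
    return events


def suspicious_hosts(lines: Iterable[str]) -> Dict[str, int]:
    """Map each source host that performed a 2ip.ru lookup and then opened at
    least SMTP_THRESHOLD sessions to smtp.mail.ru within WINDOW to the number
    of SMTP sessions seen. Hosts with SMTP traffic but no lookup are ignored."""
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for ev in parse(lines):
        by_src[ev[1]].append(ev)
    flagged: Dict[str, int] = {}
    for src, evs in by_src.items():
        evs.sort()
        lookups = [ts for ts, _, dst, _ in evs if dst == GEO_HOST]
        for t0 in lookups:
            smtp = [ts for ts, _, dst, port in evs
                    if dst == SMTP_HOST and port in SMTP_PORTS
                    and t0 <= ts <= t0 + WINDOW]
            if len(smtp) >= SMTP_THRESHOLD:
                flagged[src] = len(smtp)
                break
    return flagged


def _mk(ts: datetime, src: str, dst: str, port: int) -> str:
    return f"{ts.isoformat()} {src} {dst} {port}"


# Constructed sample log covering three hosts.
_base = datetime(2011, 10, 24, 10, 0, 0)
SAMPLE_LOG: List[str] = []
# ws-017: lookup, then 25 SMTP sessions in the next 12.5 minutes -> flagged
SAMPLE_LOG.append(_mk(_base, "ws-017", GEO_HOST, 80))
SAMPLE_LOG += [_mk(_base + timedelta(seconds=30 * i), "ws-017", SMTP_HOST, 25)
               for i in range(1, 26)]
# ws-042: heavy but ordinary mail-client traffic, no lookup -> not flagged
SAMPLE_LOG += [_mk(_base + timedelta(seconds=60 * i), "ws-042", SMTP_HOST, 587)
               for i in range(40)]
# ws-003: a user checking their IP, then two mails -> below threshold
SAMPLE_LOG.append(_mk(_base, "ws-003", GEO_HOST, 80))
SAMPLE_LOG += [_mk(_base + timedelta(minutes=5 * i), "ws-003", SMTP_HOST, 25)
               for i in range(1, 3)]

if __name__ == "__main__":
    print(suspicious_hosts(SAMPLE_LOG))
```

The threshold is the part to calibrate locally: a mail client on a busy workstation can legitimately open many sessions to smtp.mail.ru, which is why the example requires the preceding 2ip.ru lookup from the same host before counting them. The web-interface sending path mentioned in the description would not produce SMTP sessions at all and needs a separate HTTP-based rule.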

Dr.Web © Doctor Web
2003 — 2021