Mega-D Trojan Analysis

SecureWorks has released an excellent analysis of the Ozdok/Mega-D trojan, which is responsible for infecting hosts and adding them to the Mega-D spam botnet. Here is an excerpt:

Some sample Ozdok filenames are icf.exe, icf32.exe, cacglivn.exe, guyymgvl.exe and mm27nov.exe. The (phony) embedded file description is "Microsoft Internet Countermeasures Framework". The older variants usually install themselves to %windows%\system32\svchost.exe:exe.exe or a similarly named alternate data stream (ADS). These streams are hidden from normal listing in Explorer or a command shell. Startup at boot time is facilitated by the addition of a system service labeled "ICF". Additionally, the system firewall settings are modified to add svchost.exe as an authorized application. mm27nov.exe does not appear to contain code to set up persistence across reboots, so it may simply be an update intended to be executed by an existing instance of Ozdok.

Check out the full write-up at SecureWorks; it is a must read.
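The excerpt gives four host-based indicators: an alternate data stream hung off svchost.exe, a service named "ICF", svchost.exe added to the firewall's authorized-application list, and a handful of dropper filenames carrying the phony "Microsoft Internet Countermeasures Framework" description. The following read-only triage script is an added example, not code from SecureWorks or from this post; it checks a Windows host for each of those indicators. The indicator strings are taken from the excerpt; the registry path used for the firewall check is the XP/2003-era AuthorizedApplications list, which is an assumption about the firewall version the excerpt refers to.

```powershell
# Added example: Ozdok/Mega-D host triage (read-only). Run from an elevated
# PowerShell prompt. Indicator values come from the SecureWorks excerpt; the
# firewall registry location assumes the XP/2003-era Windows Firewall.

$sys32    = Join-Path $env:SystemRoot 'System32'
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Alternate data streams in System32 (the excerpt's svchost.exe:exe.exe).
#    A clean file exposes only the unnamed ':$DATA' stream.
Get-ChildItem -LiteralPath $sys32 -File -ErrorAction SilentlyContinue |
  ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
  Where-Object { $_.Stream -ne ':$DATA' } |
  ForEach-Object { $findings.Add("ADS: $($_.FileName):$($_.Stream) ($($_.Length) bytes)") }

# 2. Boot persistence via a service named or displayed as "ICF".
Get-CimInstance Win32_Service -Filter "Name='ICF' OR DisplayName='ICF'" |
  ForEach-Object { $findings.Add("Service: $($_.Name) -> $($_.PathName) [$($_.State)]") }

# 3. svchost.exe listed as an authorized application in the firewall policy.
#    Each value under ...\List is named after the executable path, so a match on
#    the value name is enough to flag it.
foreach ($profile in 'DomainProfile', 'StandardProfile') {
  $key = "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\$profile\AuthorizedApplications\List"
  if (Test-Path -LiteralPath $key) {
    (Get-Item -LiteralPath $key).Property |
      Where-Object { $_ -match 'svchost\.exe' } |
      ForEach-Object { $findings.Add("Firewall ($profile): $_ = $((Get-ItemProperty -LiteralPath $key).$_)") }
  }
}

# 4. Known dropper filenames anywhere under %SystemRoot% or %TEMP%, plus any
#    System32 executable carrying the phony version-info description.
$dropperNames = 'icf.exe', 'icf32.exe', 'cacglivn.exe', 'guyymgvl.exe', 'mm27nov.exe'
Get-ChildItem -Path $env:SystemRoot, $env:TEMP -Recurse -File -Include $dropperNames -ErrorAction SilentlyContinue |
  ForEach-Object { $findings.Add("Filename: $($_.FullName)") }
Get-ChildItem -LiteralPath $sys32 -Filter *.exe -File -ErrorAction SilentlyContinue |
  Where-Object { $_.VersionInfo.FileDescription -match 'Internet Countermeasures Framework' } |
  ForEach-Object { $findings.Add("FileDescription: $($_.FullName)") }

if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No Ozdok/Mega-D indicators found.' }
```

The ADS check is the one worth keeping even after this particular family is gone: Explorer and `dir` do not show named streams, but `Get-Item -Stream *` (PowerShell 3 and later), `dir /r` (Vista and later) and Sysinternals `streams.exe` all do. On Vista and later the firewall stores per-application exceptions under the `FirewallRules` key of the same `FirewallPolicy` branch rather than `AuthorizedApplications\List`, so on those hosts query `Get-NetFirewallRule` (or that key) for rules naming svchost.exe instead. Nothing here remediates; a hit on the service or the stream should be followed by pulling the stream contents and the service binary for analysis before anything is removed.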


One Response to “Mega-D Trojan Analysis”

  1. Protect your hacked game more, by camillabk
