Hunter's Word

The Internet is filled with amazing amounts of information. There is so much to be explored and so much to learn. It would seem that this information is freely available to anyone. An informational garden of Eden.
This is not entirely the case. In this garden there are snakes at almost every click of the mouse, waiting to strike. There is always a new breed, one we did not recognize yesterday, disguised as something friendly or necessary. Spyware and adware have moved out of the shadows of software piracy and pornographic websites. I've infected computers installing screensavers, playing games, listening to music, or even just browsing for information. It is not safe out there unless someone is constantly keeping up with the newest infections and the latest variants of known malicious software. We are doing just that to make sure our software is up to the task of removing the latest infections.
A Hunter's work is never done.


- 20060421 - Keyloggers
- 20060417 - VXGame
- 20060330 - Winsupdater
- 20060311 - Mailspam
- 20060228 - Hijackers
- 20060212 - Disabler
- 20060114 - INET
- 20060104 - Raze
- 20051219 - SpyAxe
- 20051205 - MsConfg
- 20051116 - NNNL
- 20051109 - KickOff

Hunter's Log: 20060311 032039


Usually, when a computer is infected with adware/spyware or other malicious programs we expect to see the common symptoms: programs crash, unusual messages display, pop-up ads appear, or common utilities stop functioning properly. Recently I ran across two malware programs that did not exhibit any of these symptoms. The actions taken by malware programs that we cannot see can be just as harmful.

The two programs I discovered recently with none of the normal symptoms were running in the background and using the computer's internet connection to send out spam e-mail. A company or person wanting to send out spam e-mails would want to use another person's internet connection to do so, so that they would be less likely to be discovered as the source of the spam.

The first of these two programs, 'Malware.sndmixex', is the less sophisticated of the two. It still manages to send out its e-mails without making itself visible to the PC user. This program seems to use and target e-mail addresses. Without launching an internet browser, it logs into with rogue e-mail accounts and sends out spam e-mails to multiple addresses. It downloads address lists and spam messages to send out. When I installed it on my test machine, it started with addresses beginning with 'va'. The next time I checked, the messages were going to addresses beginning with 'vo'. All of the addresses were Each time I checked, the messages were being sent from a different rogue Yahoo mail account. This is an example of an address used ''.

In the example shown here of the 'sent message' page that was created in the background by Malware.sndmixex, I have erased parts of the e-mail addresses so they will not be copied by others wanting to send out spam.

The second program, 'Malware.Mailspam', used a more sophisticated system. It actually used the PC as an SMTP server. It was not using a third party mail program such as to send out its messages. It was actually speaking the SMTP protocol and sending out e-mails directly. This program was much more active: it was making hundreds of connections at once and sending out many more messages. Using the Windows utility netstat, it was easy to see how many network connections this program was making.
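As an added example (not part of this log entry and not Spyware Nuker code), the netstat check described above turned into a script: it parses `netstat -ano` output and flags any PID holding more connections to remote TCP port 25 than a desktop mail client normally would. The sample output, the PID 1337 and the threshold of 3 are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of `netstat -ano` output (not captured from the test
# machine in the log); PID 1337 stands in for a process behaving like Malware.Mailspam.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    192.168.1.10:1045      203.0.113.5:25         ESTABLISHED     1337
  TCP    192.168.1.10:1046      203.0.113.9:25         SYN_SENT        1337
  TCP    192.168.1.10:1047      198.51.100.2:25        ESTABLISHED     1337
  TCP    192.168.1.10:1048      198.51.100.7:25        ESTABLISHED     1337
  TCP    192.168.1.10:1049      203.0.113.44:25        ESTABLISHED     1337
  TCP    192.168.1.10:1050      192.0.2.10:80          ESTABLISHED     2212
  TCP    192.168.1.10:1051      192.0.2.11:443         ESTABLISHED     2212
  TCP    192.168.1.10:1052      192.0.2.20:25          ESTABLISHED     2212
  UDP    0.0.0.0:500            *:*                                    1012
"""

# Proto, local, foreign, optional state (UDP rows have none), PID.
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?\s+(\d+)\s*$")

def parse_netstat(text):
    """Return (proto, local, remote, state, pid) tuples; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            rows.append((proto, local, remote, state or "", int(pid)))
    return rows

def remote_port(addr):
    # Handles "host:port" and "[v6]:port"; "*:*" (UDP) has no numeric port.
    port = addr.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None

def smtp_connections_by_pid(rows):
    """Count TCP connections to remote port 25 per PID, ignoring listeners."""
    counts = Counter()
    for proto, _local, remote, state, pid in rows:
        if proto == "TCP" and state != "LISTENING" and remote_port(remote) == 25:
            counts[pid] += 1
    return counts

def suspect_spam_senders(text, threshold=3):
    """PIDs holding more than `threshold` SMTP connections at once (threshold is an assumption)."""
    counts = smtp_connections_by_pid(parse_netstat(text))
    return sorted(pid for pid, n in counts.items() if n > threshold)
```

On a live machine, feed it the output of `netstat -ano` and map the returned PIDs back to processes with Task Manager or `tasklist`.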
After seeing all the connections being made, I started monitoring the network connections with a more sophisticated network packet sniffer. With this sniffer I was able to see the content of the packets being sent by Malware.Mailspam. Here are some examples of the types of messages being sent:
' Do you like refined Young schoolgirls doing fascinating . . . '
' Do you want radiant sweet virgin girls. . .'

These sexually explicit messages also contained hyperlinks to try to get the recipients of the e-mails to visit pornographic websites. The sniffer also shows that the messages were being sent using the SMTP protocol.

Having a program like this installed on one's PC is not only damaging to the recipients of the spam e-mail messages. Such heavy use of one's network connection can slow it down, especially if it is not a high bandwidth connection. A second problem is that many Internet service providers have set a limit on the bandwidth usage allowed. With such heavy usage of the network connection, this limit could easily be exceeded. Another problem, especially with the Malware.Mailspam program, is that since the local PC itself is being used as a mail server to send out spam messages, one's internet service provider could suspend the account. It's obvious that these programs are unwanted. A scan with Spyware Nuker can quickly stop the malicious program from sending out the unwanted spam messages.

End of Entry