Usually, when a computer is infected with adware/spyware or other
malicious programs we expect to see the common symptoms. Programs
will crash, unusual messages will display, pop-up ads will appear,
or common utilities will not function properly. Recently I ran across
two malware programs that did not exhibit any of these symptoms.
The actions that are being taken by malware programs that we can
not see can be quite harmful as well.
The two programs I discovered recently with none of the normal
symptoms were running in the background and using the computers
internet connection to send out spam e-mail. A company or person
wanting to send out spam e-mails would want to use another person’s
internet connection to do so, so that they would be less likely
to be discovered as the source of the spam.
The first of these two programs, 'Malware.sndmixex' is the least
sophisticated of the two. It still manages to send out its e-mails
without making itself visible to the PC user. This program seems
to use and target Yahoo.com e-mail addresses. Without launching
an internet browser, it logs into mail.yahoo.com with rogue e-mail
accounts and sends out spam e-mails to multiple addresses. It downloads
address lists and spam messages to send out. When I installed it
on my test machine, it started with addresses beginning with 'va'
The next time I checked the messages were going to addresses beginning
with 'vo'. All of the addresses were @yahoo.com. Each time I checked,
the messages were being sent from a different rogue yahoo mail account.
This is an example of an address used 'Cristy56075Saretta19579@yahoo.com'.
In the example shown here of the 'sent message' page that was created
in the background by Malware.sndmixex, I have erased parts of the
e-mail addresses so they will not be copied by others wanting to
send out spam.
The second program 'Malware.Mailspam' used a more sophisticated
system. It actually used the PC as a SMTP server. It was not using
a third party mail program such as mail.yahoo.com to send out its
messages. It was actually using the SMTP protocol and sending out
e-mails directly. This program was much more active. It was making
hundreds of connections at once and sending out many more messages.
Using the windows utility, netstat, it was easy to see how many
network connections this program was making.
After seeing all the connections being made I started monitoring
the network connections with a more sophisticated network packet
sniffer. With this sniffer I was able to see the content of the
packets being sent by malware.mailspam. Here are the some examples
of the types of messages being sent:
' Do you like refined Young schoolgirls doing fascinating . . .
' Do you want radiant sweet virgin girls. . .'
These sexually explicit messages also contained hyperlinks to try
to get the recipients of the e-mails to visit pornographic websites.
The sniffer also shows that the messages were being sent using the
Having a program like this installed on ones PC is not only damaging
to the recipients of the spam e-mail messages. Such heavy use of
ones network connection can slow it down, especially if it is not
a high bandwidth connection. A second problem is that many Internet
service providers have set a limit to the bandwidth usage allowed.
With such heavy usage of the network connection, this limit could
easily be exceeded. Another problem, especially with the Malware.mailspam
program, is that since the local PC itself is being used as a mail
server to send out spam messages, ones internet service provider
could suspend the account. It’s obvious that these programs
are unwanted. A scan with Spyware Nuker can quickly stop the malicious
program from sending out the unwanted spam messages.