
TrojanSpy:Win32/Wupdo.A


First posted on 23 August 2010.
Source: SecurityHome

Aliases:

TrojanSpy:Win32/Wupdo.A is also known as Trojan.SpamBot.CAL (BitDefender), Trojan.Packed.20840 (Dr.Web), Win32/Delf.NRQ (ESET), TR/SpamBot.CAL (Avira).

Explanation:

TrojanSpy:Win32/Wupdo.A is a malware binary written in Delphi and packed with a custom packer to make analysis harder. It gathers email addresses from the affected computer and then sends out email messages to these addresses. The sent messages may contain a copy of this trojan or another malware.
Installation

TrojanSpy:Win32/Wupdo.A is present on the computer as the following file:

  • <system folder>\qtplugin.exe

Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; for XP, Vista, and 7 it is C:\Windows\System32.

To ensure that it automatically runs every time Windows starts, it creates the following registry entry:

  Adds value: "RegistryMonitor1"
  With data: "<system folder>\qtplugin.exe"
  In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run

It also creates the following registry entry as part of its installation routine:

  Adds value: "RegistryMonitor2"
  With data: "94432898"
  In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Setup

Payload

Attempts to collect email addresses

TrojanSpy:Win32/Wupdo.A gathers email addresses from the following applications:

  • Eudora
  • Group Mail
  • Incredimail
  • Mail.Ru agent
  • Microsoft Outlook
  • Opera
  • PocoMail 3
  • PocoMail 4
  • Safari
  • The Bat!
  • Vypress Auvis

Sends email messages

TrojanSpy:Win32/Wupdo.A sends out email messages to its gathered addresses. The messages contain a copy of itself or another malware as an attachment. They are sent via the following SMTP servers:

  • smtp.kuzminki.net
  • smtp.ochakovo.net
  • smtp.peugeot-club.org
  • smtp.startua.com
  • smtp.takoe.net
  • smtp.tushino.net
  • smtp.vyhino.net
  • smtp.xsecurity.org

The email messages appear to be sent from the following addresses:

  • casdacdkk@hotmail.com
  • cksdkcs@yahoo.com
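The persistence entries, SMTP relays and sender addresses above are the indicators a defender can check for without running the sample. The script below is an added example, not part of this write-up or of any vendor tool: it scans an offline Windows registry export (.reg format, where HKLM is written out as HKEY_LOCAL_MACHINE and backslashes in string data are doubled) for the two Run/Setup values, and scans plain-text DNS, firewall or mail log lines for the listed relays and sender addresses. The registry export and log lines embedded here are constructed samples; the log line layout is an assumption and is not a real product's format.

```python
"""Offline indicator scan for TrojanSpy:Win32/Wupdo.A (added example, not from the write-up)."""
import re

# Indicators taken from the page. Key paths are in the long form used by .reg exports.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
SETUP_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup"
# (key, value name) -> suffix the value data must end with to count as a hit
PERSISTENCE_VALUES = {
    (RUN_KEY.lower(), "registrymonitor1"): "qtplugin.exe",
    (SETUP_KEY.lower(), "registrymonitor2"): "94432898",
}
SMTP_RELAYS = {
    "smtp.kuzminki.net", "smtp.ochakovo.net", "smtp.peugeot-club.org",
    "smtp.startua.com", "smtp.takoe.net", "smtp.tushino.net",
    "smtp.vyhino.net", "smtp.xsecurity.org",
}
SENDER_ADDRESSES = {"casdacdkk@hotmail.com", "cksdkcs@yahoo.com"}

# Matches string values in a .reg export: "name"="data". Default (@=) values,
# dword: and hex: values are deliberately not matched; the page lists only strings.
REG_STRING_VALUE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*"(?P<data>.*)"\s*$')
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

# Constructed sample .reg export: one benign Run value plus the two entries from the page.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"RegistryMonitor1"="C:\\Windows\\System32\\qtplugin.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup]
"RegistryMonitor2"="94432898"
"""

# Constructed sample log lines (hypothetical format) from DNS, firewall and mail gateway.
SAMPLE_LOG_LINES = [
    "2010-08-23T10:01:05 dns query host=ws12 qname=update.example-vendor.test",
    "2010-08-23T10:01:09 dns query host=ws12 qname=smtp.tushino.net",
    "2010-08-23T10:01:11 fw allow host=ws12 dst=smtp.tushino.net dport=25",
    "2010-08-23T10:01:14 mail outbound from=casdacdkk@hotmail.com to=user@example.test",
]


def scan_reg_export(text):
    """Return (key, value name, data) for each persistence value from the page found in a .reg export."""
    hits = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()  # registry paths are case-insensitive
            continue
        m = REG_STRING_VALUE.match(line)
        if not m or current_key is None:
            continue
        name = m.group("name")
        data = m.group("data").replace("\\\\", "\\")  # undo .reg backslash doubling
        expected_suffix = PERSISTENCE_VALUES.get((current_key, name.lower()))
        if expected_suffix is not None and data.lower().endswith(expected_suffix):
            hits.append((current_key, name, data))
    return hits


def scan_log_lines(lines):
    """Return (line number, indicator) for each SMTP relay or sender address seen in the log lines."""
    hits = []
    for number, line in enumerate(lines, 1):
        low = line.lower()
        for host in sorted(SMTP_RELAYS):  # sorted for deterministic output order
            if host in low:
                hits.append((number, host))
        for address in EMAIL.findall(low):
            if address in SENDER_ADDRESSES:
                hits.append((number, address))
    return hits


def report(reg_text=SAMPLE_REG_EXPORT, log_lines=SAMPLE_LOG_LINES):
    """Run both scans and group the results by evidence source."""
    return {"registry": scan_reg_export(reg_text), "network": scan_log_lines(log_lines)}


if __name__ == "__main__":
    for source, hits in report().items():
        print(source)
        for hit in hits:
            print("  ", hit)
```

On a real host, the registry input would come from `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and the same for the Setup key) run on the suspect machine; the value-name and data checks are both required because a legitimate product is unlikely to use the exact name "RegistryMonitor1" pointing at qtplugin.exe, and matching on either alone would be noisy. The host match uses a plain substring so it also catches the relays when they appear inside a longer field such as a URL or a "dst=" token.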

    Analysis by Daniel Radu

    Last update 23 August 2010

