
Spammer:Win32/Junintian.A


First posted on 14 February 2017.
Source: Microsoft

Aliases:

There are no other names known for Spammer:Win32/Junintian.A.

Explanation:

This threat is a spammer Trojan. It connects to the following IP address to retrieve commands and settings that it uses for its spamming activity:

  • 91.220.131.93 via UDP port 50014


From that IP address it can:
  • Download a mailing list
  • Download proxies
  • Download settings


We have seen this threat use the following SMTP servers to send out spam:


It adds itself as a service by adding the following registry entries:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\s3svc
Sets value: "EventMessageFile"
With data: ""

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\s3svc
Sets value: "TypesSupported"
With data: "0x00000007" (REG_DWORD)
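The two host-observable indicators above (the UDP command channel and the s3svc event-source registry values) can be checked from exported logs without touching a live machine. The following is an added example, not Microsoft's code: it matches Windows Firewall (pfirewall.log) lines against the C2 address and port, and parses `reg export` output for the s3svc subkey. The log lines and the .reg text are constructed samples; the HKEY_LOCAL_MACHINE spelling is how `reg export` writes the HKLM hive.

```python
C2_IP = "91.220.131.93"        # from the advisory
C2_UDP_PORT = 50014            # from the advisory
S3SVC_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\s3svc"

# Constructed pfirewall.log lines, field order: date time action protocol src-ip dst-ip src-port dst-port ...
SAMPLE_FIREWALL_LOG = """\
2017-02-14 10:02:11 ALLOW UDP 10.0.0.5 91.220.131.93 61022 50014 0 - - - - - - - SEND
2017-02-14 10:02:12 ALLOW TCP 10.0.0.5 93.184.216.34 61023 443 0 - 0 0 0 - - - SEND
2017-02-14 10:02:13 ALLOW UDP 10.0.0.7 8.8.8.8 53411 53 0 - - - - - - - SEND
"""

# Constructed `reg export` output for the subkey named in the advisory
SAMPLE_REG_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\s3svc]
"EventMessageFile"=""
"TypesSupported"=dword:00000007
"""

def find_c2_beacons(log_text):
    """Return (src-ip, src-port) for each UDP flow to the C2 address and port."""
    hits = []
    for line in log_text.splitlines():
        f = line.split()
        if line.startswith("#") or len(f) < 8:   # skip header/comment lines
            continue
        proto, src, dst, sport, dport = f[3:8]
        if proto == "UDP" and dst == C2_IP and dport == str(C2_UDP_PORT):
            hits.append((src, int(sport)))
    return hits

def parse_reg_export(text):
    """Minimal .reg parser: {subkey: {value_name: data}} for string and dword values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = int(data[6:], 16) if data.startswith("dword:") else data.strip('"')
    return keys

def check_s3svc(reg_text):
    """Return the names of the advisory's s3svc values that are present in a registry export."""
    v = parse_reg_export(reg_text).get(S3SVC_KEY, {})
    expected = {"EventMessageFile": "", "TypesSupported": 0x7}
    return [name for name, data in expected.items() if v.get(name) == data]
```

An empty EventMessageFile with TypesSupported set is unusual for a legitimate event source, so a non-empty result from check_s3svc is worth correlating with the beacon hits rather than treating either alone as proof.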

Analysis by Francis Tan Seng

Last update 14 February 2017
