Slashdot Mirror


Trojan Installs Anti-Virus, Removes Other Malware

An anonymous reader writes "SpamThru takes the game to a new level. The new virus uses an anti-virus engine to remove potential 'rival' infectious code." From the article: "At start-up, the Trojan requests and loads a DLL from the author's command-and-control server. This then downloads a pirated copy of Kaspersky AntiVirus for WinGate into a concealed directory on the infected system. It patches the license signature check in-memory in the Kaspersky DLL to avoid having Kaspersky refuse to run due to an invalid or expired license, Stewart said. Ten minutes after the download of the DLL, it begins to scan the system for malware, skipping files which it detects are part of its own installation."

2 of 202 comments

  1. Other information about this... by Admin_Jason · Score: 5, Informative

    Naturally, this is a Windows-specific little bugger. So, if you're running anything else, you should be okay. (Of course, the systems that we /.ers support are another story...) Sophos is the only vendor of the few big boys I searched that seems to have any info on this malware under the "SpamThru" name. Of course, there are other variant names for this, so check with your vendor against these other possible iteratives:

    * Backdoor.Win32.Agent.uu
    * Spam-DComServ
    * TROJ_AGENT.BOR

    Removal instructions can also be found here

    --
    Just another nameless binary in a crowd of 1's and 0's
  2. Re:This is great! by scottv67 · Score: 5, Informative

    I think that in the Blaster days there was a copycat worm that downloaded the Microsoft anti-Blaster patch and installed it...

    That would be Welchia:
    http://www.symantec.com/security_response/writeup.jsp?docid=2003-081815-2308-99

    ...(in fact I know there was, because I got 'hit' with it).

    The only bad thing about Welchia (aside from it installing patches on your system without your permission) was that it did not throttle its traffic when it came to looking for new machines to patch. It flooded or swamped network segments as it probed new machines to work on. If Welchia had been a little more subtle with its scanning, Welchia's presence would have been less of an issue.