W32/Mespam Trojan

| Field | Value |
| --- | --- |
| Name | W32/Mespam Trojan |
| Aliases | Trojan.Mespam |
| Discovered on | March 12, 2007 |
Virus Information - W32/Mespam Trojan:
W32/Mespam is a trojan that infects Windows systems.
The trojan may be downloaded by other malware, or it may be spammed out through instant messaging or email.
Upon execution, the trojan copies rsvp32_2.dll and sporder.dll to the Windows System folder.
It then registers rsvp32_2.dll as a layered service provider (LSP), so that the trojan is loaded each time the network device is initialized and has direct access to the network stream.
It modifies the registry at the following locations to register itself as an LSP:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters
HKEY_LOCAL_MACHINE\SOFTWARE\WinSock2\Buibert
It then contacts the following URL to retrieve the message to be spammed out through instant message applications:
[http://]66.148.74.7/zc.[REMOVED]
The trojan saves the message in any of the following files in the Windows System folder:
aosmx.dll
aimsmx.dll
ymsgsmx.dll
gtalsmx.dll
pfxzmtaim.dll
pfxzmtforum.dll
pfxzmtgtal.dll
pfxzmticq.dll
pfxzmtsmt.dll
pfxzmtsmtspm.dll
pfxzmtwbmail.dll
pfxzmtymsg.dll
The trojan opens instant message windows with the downloaded message to make the message appear more legitimate. This trojan can currently recognize and use the following IM client connections:
AOL Instant Messenger
Google Talk
Yahoo! Messenger
It injects the above-mentioned message into emails sent via webmail from the following providers:
AOL
Bellsouth
Care2
Comcast
Earthlink
FastMail
Gmail
Hotmail
Lycos
mail.com
mail.ru
Rambler
Tiscali
Yahoo
The trojan also injects the above-mentioned message into web forums when creating a new post.
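As an added illustration (not part of this write-up): a Python helper that parses the text of `netsh winsock show catalog` and reports any Winsock catalog entry whose provider DLL is the rsvp32_2.dll that the trojan registers as an LSP. The sample catalog text, including its layered entry, is constructed for this example in the layout netsh prints.

```python
import re
from pathlib import PureWindowsPath

# Provider DLL that the write-up says Mespam registers as a Winsock LSP.
MESPAM_LSP_DLLS = {"rsvp32_2.dll"}

# Constructed sample in the layout of `netsh winsock show catalog`: a clean
# Microsoft base provider, then a layered entry that loads the Mespam DLL.
SAMPLE_CATALOG = """\
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:                      %SystemRoot%\\system32\\mswsock.dll
Catalog Entry ID:                   1001

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        Example Layered Provider
Provider ID:                        {00000000-0000-0000-0000-000000000001}
Provider Path:                      C:\\WINDOWS\\system32\\rsvp32_2.dll
Catalog Entry ID:                   1002
"""

FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s+(.*?)\s*$")

def parse_catalog(text):
    """Split netsh output into one {field: value} dict per provider entry."""
    entries, current = [], None
    for line in text.splitlines():
        if line.startswith("Winsock Catalog Provider Entry"):
            current = {}
            entries.append(current)
            continue
        m = FIELD.match(line)
        if current is not None and m:
            current[m.group(1)] = m.group(2)
    return entries

def find_mespam_lsps(text):
    """Return (entry id, entry type, path) for entries that load the Mespam DLL."""
    hits = []
    for e in parse_catalog(text):
        path = e.get("Provider Path", "")
        if PureWindowsPath(path).name.lower() in MESPAM_LSP_DLLS:
            hits.append((e.get("Catalog Entry ID"), e.get("Entry Type"), path))
    return hits
```

On a live host, pass in the captured output of `netsh winsock show catalog` instead of the sample; any layered provider you did not knowingly install deserves the same scrutiny as a named match.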