
Trojan:Win32/Nedsym.A


Trojan:Win32/Nedsym.A is a trojan that distributes spam email messages. It also collects information about the affected computer, and sends it back to its command and control (C&C) server.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Installation

Trojan:Win32/Nedsym.A may be distributed through compromised websites. In the wild, we have observed the trojan being installed using the following file name:

  • extdrvr.exe

Payload

Contacts remote host & distributes spam

Trojan:Win32/Nedsym.A retrieves configuration data from its C&C server "spm.freecj.com". This data contains information on spam templates and on which Simple Mail Transfer Protocol (SMTP) server the trojan can use.

Trojan:Win32/Nedsym.A also reports the following information back to its C&C server:

  • Bot ID
  • Computer name
  • Computer speed
  • System uptime
  • Number of successfully sent emails
  • Number of failed email sends
  • Number of sent emails with neither a receipt nor a rejection confirmation
  • Delivery percentage
  • Time of the last email sent
  • Last SMTP server used

This trojan has a built-in SMTP engine and can be used to send bulk unwanted email (spam).

Additional information

The trojan communicates with the C&C server through the following pages:

  • /reportmy.php
  • /sendto.php
  • /error.php?
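As an added defender-side example (not part of the original write-up), the following Python flags requests to the C&C host and pages listed above in a simplified proxy log; the log format and the sample lines are constructed assumptions, while the host name and paths come from the write-up.

```python
# Added example (not from the original write-up): flag HTTP requests that
# match the Nedsym.A C&C indicators. Assumes a simplified proxy log format
# "<timestamp> <client_ip> <method> <host> <path>" (an assumption).
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators taken from the write-up.
C2_HOST = "spm.freecj.com"
C2_PATHS = {"/reportmy.php", "/sendto.php", "/error.php"}

# Constructed sample proxy log lines (not real traffic).
SAMPLE_LOG = """\
2011-05-09T10:00:01Z 10.0.0.5 GET spm.freecj.com /reportmy.php
2011-05-09T10:00:02Z 10.0.0.5 GET www.example.org /index.html
2011-05-09T10:00:07Z 10.0.0.5 POST SPM.FREECJ.COM /error.php?code=550
2011-05-09T10:00:09Z 10.0.0.9 GET spm.freecj.com /sendto.php
2011-05-09T10:00:11Z 10.0.0.7 GET spm.freecj.com /other.php
2011-05-09T10:00:12Z 10.0.0.9 GET cdn.example.net /reportmy.php
"""

def parse_line(line):
    """Split one log line into (timestamp, client, method, host, path)."""
    parts = line.split()
    return tuple(parts) if len(parts) == 5 else None  # skip malformed lines

def is_c2_request(host, path):
    """True when host is the C&C server and path is one of its known pages.
    Host match is case-insensitive; the query string (e.g. /error.php?...)
    is dropped so parameters cannot defeat the match."""
    return host.lower() == C2_HOST and urlsplit(path).path in C2_PATHS

def find_beacons(log_text):
    """Return {client_ip: [(timestamp, path), ...]} for matching requests."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, _method, host, path = rec
        if is_c2_request(host, path):
            hits[client].append((ts, path))
    return dict(hits)

if __name__ == "__main__":
    for client, events in find_beacons(SAMPLE_LOG).items():
        print(f"{client}: {len(events)} C&C request(s): {[p for _, p in events]}")
```

Requests to the same host for other pages, or to other hosts for same-named pages, are deliberately not flagged, so each hit is corroborated by both indicators.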


Analysis by Zarestel Ferrer


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following file:

    extdrvr.exe

Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Apr 11, 2008
This entry was updated on: May 09, 2011

This threat is also detected as:
No known aliases