
Spammer:Win32/Clodpuntor.A


Spammer:Win32/Clodpuntor.A is a trojan that sends spam e-mail.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft Safety Scanner (http://go.microsoft.com/fwlink/?LinkId=212742). For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.

Threat behavior

Spammer:Win32/Clodpuntor.A is a trojan that sends spam e-mail.
Installation
When executed, it copies itself to %windows%\taskmon.exe from where it is then executed. It also modifies the registry to execute this copy at each Windows start:
 
Adds value: taskmon
With data: "%windows%\taskmon.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 
It also creates the mutex {v4085-4ccc49fb-e033-4a64-8adf-e648a658f798} to ensure that multiple copies of the trojan do not run simultaneously.
Payload
Modifies System Security Settings
Spammer:Win32/Clodpuntor.A adds itself (%windows%\taskmon.exe) as an 'allowed program' to the Windows firewall by invoking "netsh".
 
Contacts Remote Hosts/Downloads Files
Win32/Clodpuntor contacts a remote host to determine if there is a newer version of itself available, and performs an update if required.
 
Win32/Clodpuntor attempts to determine whether it can make an outbound connection on TCP port 25. During this process, it initiates DNS lookups for hosts such as:
 
hotmail.com
yahoo.com
smtp.yahoo.com
relay.yahoo.com
mxs.yahoo.com
mx1.yahoo.com
mx.yahoo.com
mail.yahoo.com
mail1.yahoo.com
gate.yahoo.com
 
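The burst of mail-exchange lookups above, followed by outbound attempts on TCP port 25 from a host that is not a mail server, is a network-side signal for this probe. The following detection logic is an added example for this write-up, not Microsoft's code: it runs over constructed DNS-query and firewall-flow log lines (the line formats are assumptions made for the example, not any real product's format), flags a client that resolves several of the listed names inside a short window, and reports how many port-25 attempts that client made. A list of known mail relays is excluded so legitimate MTAs are not flagged.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hostnames the write-up lists as being resolved during the port-25 probe.
PROBE_HOSTS = {
    "hotmail.com", "yahoo.com", "smtp.yahoo.com", "relay.yahoo.com",
    "mxs.yahoo.com", "mx1.yahoo.com", "mx.yahoo.com", "mail.yahoo.com",
    "mail1.yahoo.com", "gate.yahoo.com",
}

# Constructed sample DNS log, one query per line: "<timestamp> <client> <qname>".
# 10.0.0.15 behaves like the trojan; 10.0.0.22 makes an ordinary lookup or two.
SAMPLE_DNS_LOG = """\
2008-10-07T09:12:01 10.0.0.15 hotmail.com
2008-10-07T09:12:01 10.0.0.15 yahoo.com
2008-10-07T09:12:02 10.0.0.15 smtp.yahoo.com
2008-10-07T09:12:02 10.0.0.15 relay.yahoo.com
2008-10-07T09:12:03 10.0.0.15 mx1.yahoo.com
2008-10-07T09:12:03 10.0.0.15 mail.yahoo.com
2008-10-07T09:12:10 10.0.0.22 www.example.com
2008-10-07T09:12:11 10.0.0.22 yahoo.com
2008-10-07T10:30:00 10.0.0.15 mail1.yahoo.com
"""

# Constructed sample flow log: "<timestamp> <src> <dst> <dport> <action>".
SAMPLE_FLOW_LOG = """\
2008-10-07T09:12:04 10.0.0.15 192.0.2.10 25 ALLOW
2008-10-07T09:12:05 10.0.0.15 192.0.2.11 25 DENY
2008-10-07T09:12:12 10.0.0.22 192.0.2.12 80 ALLOW
"""


def _parse(log, nfields):
    """Split whitespace-separated log lines; skip blank or malformed ones."""
    rows = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != nfields:
            continue
        rows.append((datetime.fromisoformat(parts[0]), *parts[1:]))
    return rows


def find_smtp_probes(dns_log, flow_log, window=timedelta(minutes=5),
                     min_distinct=4, mail_servers=frozenset()):
    """Return {client: {"probe_names": [...], "port25_attempts": n}} for every
    client that resolves at least `min_distinct` of PROBE_HOSTS within `window`
    and is not a known mail server."""
    lookups = defaultdict(list)
    for ts, client, qname in _parse(dns_log, 3):
        if qname.lower() in PROBE_HOSTS:
            lookups[client].append((ts, qname.lower()))

    port25 = defaultdict(int)
    for _ts, src, _dst, dport, _action in _parse(flow_log, 5):
        if dport == "25":
            port25[src] += 1  # count attempts whether allowed or denied

    hits = {}
    for client, events in lookups.items():
        if client in mail_servers:
            continue  # a real MTA resolves MX names all day; not interesting
        events.sort()
        best = set()
        # Sliding window: most distinct probe names seen within `window`.
        for i, (start, _) in enumerate(events):
            names = {q for ts, q in events[i:] if ts - start <= window}
            if len(names) > len(best):
                best = names
        if len(best) >= min_distinct:
            hits[client] = {"probe_names": sorted(best),
                            "port25_attempts": port25.get(client, 0)}
    return hits


if __name__ == "__main__":
    for client, info in find_smtp_probes(SAMPLE_DNS_LOG, SAMPLE_FLOW_LOG).items():
        print(client, info)
```

The threshold of four distinct names in five minutes is a starting point; hotmail.com and yahoo.com alone are resolved by any web browser, so the value should be tuned against the environment's baseline before alerting on it.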
Sends Spam E-mail
Win32/Clodpuntor also contacts 208.101.56.102 in order to retrieve the data it uses to construct spam e-mails. This includes the content of the e-mail itself as well as a list of e-mail addresses to send to.
 
Analysis by Scott Molenkamp

Symptoms

System Changes
The following system changes may indicate the presence of Spammer:Win32/Clodpuntor.A:
  • Presence of the following file:
    %windows%\taskmon.exe
  • Presence of the following registry modification:
    Adds value: taskmon
    With data: "%windows%\taskmon.exe"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
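The two indicators above can be checked offline against artifacts collected from a machine. The script below is an added example written for this entry, not part of Microsoft's write-up: it parses a constructed `.reg` export of the Run subkey (the format doubles backslashes and escapes quotes inside string data) together with a constructed file listing, and reports any Run value whose data resolves to `%windows%\taskmon.exe` as well as the presence of that file. The `windir` value and the sample data are assumptions for the example.

```python
import re

# Indicators from the write-up: the dropped file name and the Run subkey.
DROPPED_NAME = "taskmon.exe"
RUN_SUBKEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Matches  "name"="data"  lines in a .reg file; data may contain \" and \\.
VALUE_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample of `reg export` output for the Run subkey.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="\"C:\\Program Files\\Example\\tray.exe\" /background"
"taskmon"="C:\\Windows\\taskmon.exe"
"""

# Constructed sample file listing (one absolute path per line).
SAMPLE_FILE_LISTING = r"""C:\Windows\explorer.exe
C:\Windows\taskmon.exe
C:\Windows\System32\taskmgr.exe
"""


def parse_reg_export(text):
    """Yield (subkey, value_name, data) for each string value in a .reg export,
    with the .reg escaping (\\ and \") undone."""
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, raw = m.groups()
            yield current, name, re.sub(r"\\(.)", r"\1", raw)


def check_indicators(reg_text, file_listing, windir=r"C:\Windows"):
    """Return a list of human-readable findings for the Clodpuntor.A indicators."""
    expected_path = f"{windir}\\{DROPPED_NAME}".lower()
    findings = []

    for subkey, name, data in parse_reg_export(reg_text):
        if subkey.lower() != RUN_SUBKEY.lower():
            continue
        # Strip surrounding quotes so "C:\Windows\taskmon.exe" still matches;
        # the path is the indicator, so flag it even if the value was renamed.
        if data.strip('"').lower() == expected_path:
            findings.append(f"run value {name!r} -> {data}")

    files = {p.strip().lower() for p in file_listing.splitlines() if p.strip()}
    if expected_path in files:
        findings.append(f"file present: {windir}\\{DROPPED_NAME}")
    return findings


if __name__ == "__main__":
    for finding in check_indicators(SAMPLE_REG_EXPORT, SAMPLE_FILE_LISTING):
        print(finding)
```

Run values are compared by the path they launch rather than only by the value name, so a variant that keeps the dropped file but renames the Run entry is still reported; the benign `ExampleTray` entry is not.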

Prevention


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Mar 25, 2008
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • WORM_NUCRYPT.GEN (Trend Micro)