Spammer:Win32/Clodpuntor.A is a trojan that sends spam e-mail.
Installation
When executed, the trojan copies itself to %windows%\taskmon.exe and launches that copy. It also modifies the registry so that the copy runs at each Windows start:
Adds value: taskmon
With data: "%windows%\taskmon.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
It also creates the mutex {v4085-4ccc49fb-e033-4a64-8adf-e648a658f798} to ensure that multiple copies of the trojan do not run simultaneously.
Payload
Firewall Modification
Spammer:Win32/Clodpuntor.A adds itself (%windows%\taskmon.exe) as an 'allowed program' to the Windows firewall by invoking "netsh".
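The installation and firewall artifacts above (dropped file, Run value, mutex, netsh exception) can be checked on a live host with the following triage script. It is an added example, not part of the Microsoft write-up or the trojan's code. Two details it relies on are assumptions rather than facts from the page: the write-up predates 64-bit registry redirection, so the Wow6432Node view of the Run key is checked as well, and the mutex name is given without a namespace, so both the session-local and the Global\ form are tried.

```powershell
# Added triage script (not from the Microsoft write-up). Run in an elevated
# PowerShell session on the suspect host. Wow6432Node and the Global\ mutex
# prefix are assumptions, not details stated on the page.
$findings = @()

# 1. Dropped copy in the Windows directory (%windows% on the page is $env:windir).
$dropPath = Join-Path $env:windir 'taskmon.exe'
if (Test-Path -LiteralPath $dropPath) {
    $hash = (Get-FileHash -LiteralPath $dropPath -Algorithm SHA256).Hash
    $findings += "File present: $dropPath (SHA256 $hash)"
}

# 2. Run-key persistence. A 32-bit process on 64-bit Windows has its write to
#    HKLM\SOFTWARE redirected to Wow6432Node, so both views are checked
#    (assumption: the page describes the key as seen from a 32-bit process).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $value = Get-ItemProperty -Path $key -Name 'taskmon' -ErrorAction SilentlyContinue
    if ($value -and $value.taskmon -match 'taskmon\.exe') {
        $findings += "Run value: $key\taskmon = $($value.taskmon)"
    }
}

# 3. Infection-marker mutex. OpenExisting throws when the name is absent. The page
#    gives only the bare name, so the Global\ variant is an assumption.
$mutexName = '{v4085-4ccc49fb-e033-4a64-8adf-e648a658f798}'
foreach ($name in @($mutexName, "Global\$mutexName")) {
    try {
        $m = [System.Threading.Mutex]::OpenExisting($name)
        $m.Dispose()
        $findings += "Mutex held: $name"
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        # Not present: nothing to report for this name.
    } catch [System.UnauthorizedAccessException] {
        # The object exists but this token cannot open it; still an indicator.
        $findings += "Mutex exists (access denied): $name"
    }
}

# 4. Firewall exception created via netsh. The page says only that netsh was used,
#    so every rule is searched for the dropped path instead of guessing a rule name.
#    The legacy 'netsh firewall' context is what XP-era hosts expose; errors from
#    whichever context is missing are discarded.
$rules  = netsh advfirewall firewall show rule name=all verbose 2>$null
$rules += netsh firewall show allowedprogram 2>$null
$hit = $rules | Select-String -SimpleMatch 'taskmon.exe'
if ($hit) {
    $lines = ($hit | ForEach-Object { $_.Line.Trim() }) -join "`n"
    $findings += "Firewall configuration references taskmon.exe:`n$lines"
}

if ($findings.Count -eq 0) { 'No Clodpuntor.A artifacts found.' } else { $findings }
```

The SHA256 of any file found is printed so it can be compared against a known sample before the file is removed. An open mutex with no matching file or Run value usually means the process is still running from a path other than the one the page names, so follow up with a process listing rather than treating the host as clean.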
Contacts Remote Hosts/Downloads Files
Win32/Clodpuntor contacts a remote host to determine if there is a newer version of itself available, and performs an update if required.
Win32/Clodpuntor attempts to determine whether it can make outbound connections on TCP port 25, the port used for SMTP delivery. During this process, it initiates DNS lookups for hosts such as:
hotmail.com
yahoo.com
smtp.yahoo.com
relay.yahoo.com
mxs.yahoo.com
mx1.yahoo.com
mx.yahoo.com
mail.yahoo.com
mail1.yahoo.com
gate.yahoo.com
Sends Spam E-mail
Win32/Clodpuntor also contacts 208.101.56.102 to retrieve the data it uses to construct spam e-mails. This includes the body of the e-mail itself as well as a list of recipient addresses.
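The port-25 probe and DNS lookups described above, together with the retrieval of spam content from 208.101.56.102, form a network pattern that can be hunted for in endpoint telemetry. The following function is an added example, not part of the Microsoft write-up: it replays constructed Sysmon-style records (Event ID 22 for DNS queries, Event ID 3 for network connections) and flags any process that resolves several of the listed mail hosts and then either connects to TCP port 25 or reaches the spam-template host. The sample rows, the allow-list of legitimate mail clients and the destination IP and port values other than 208.101.56.102 are assumptions.

```powershell
# Added detection sketch (not from the Microsoft write-up). Field names mirror
# Sysmon's Image, QueryName, DestinationIp and DestinationPort; the records
# below are constructed, not captured telemetry.
function Find-ClodpuntorActivity {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        # Assumed allow-list; real deployments should key on signer, not file name.
        [string[]] $AllowedMailClients = @('outlook.exe', 'thunderbird.exe')
    )
    # Names the page lists as lookups made while the trojan probes for port 25.
    $probeNames = @(
        'hotmail.com', 'yahoo.com', 'smtp.yahoo.com', 'relay.yahoo.com', 'mxs.yahoo.com',
        'mx1.yahoo.com', 'mx.yahoo.com', 'mail.yahoo.com', 'mail1.yahoo.com', 'gate.yahoo.com'
    )
    $templateHost = '208.101.56.102'   # spam content and address-list server named on the page

    foreach ($group in ($Events | Group-Object -Property Image)) {
        $image = $group.Name
        $exe = [System.IO.Path]::GetFileName($image).ToLowerInvariant()
        if ($AllowedMailClients -contains $exe) { continue }

        $dns  = @($group.Group | Where-Object { $_.EventId -eq 22 -and $probeNames -contains $_.QueryName.ToLowerInvariant() })
        $smtp = @($group.Group | Where-Object { $_.EventId -eq 3 -and $_.DestinationPort -eq 25 })
        $c2   = @($group.Group | Where-Object { $_.EventId -eq 3 -and $_.DestinationIp -eq $templateHost })

        # Require the DNS probe pattern plus at least one network behaviour: a lone
        # port-25 connection from an admin tool or script is too noisy on its own.
        if ($dns.Count -ge 2 -and ($smtp.Count -gt 0 -or $c2.Count -gt 0)) {
            [pscustomobject]@{
                Image             = $image
                MailHostLookups   = (($dns | ForEach-Object { $_.QueryName }) | Sort-Object -Unique) -join ','
                Port25Connections = $smtp.Count
                TemplateHostHits  = $c2.Count
            }
        }
    }
}

# Constructed sample: one infected host process and one legitimate mail client.
# 192.0.2.x addresses are documentation ranges; the port used toward
# 208.101.56.102 is not stated on the page and is assumed here.
$sample = @(
    [pscustomobject]@{ EventId = 22; Image = 'C:\Windows\taskmon.exe'; QueryName = 'mx1.yahoo.com';   DestinationIp = $null;            DestinationPort = $null }
    [pscustomobject]@{ EventId = 22; Image = 'C:\Windows\taskmon.exe'; QueryName = 'relay.yahoo.com'; DestinationIp = $null;            DestinationPort = $null }
    [pscustomobject]@{ EventId = 3;  Image = 'C:\Windows\taskmon.exe'; QueryName = $null;             DestinationIp = '192.0.2.25';     DestinationPort = 25 }
    [pscustomobject]@{ EventId = 3;  Image = 'C:\Windows\taskmon.exe'; QueryName = $null;             DestinationIp = '208.101.56.102'; DestinationPort = 80 }
    [pscustomobject]@{ EventId = 22; Image = 'C:\Program Files\Outlook\outlook.exe'; QueryName = 'smtp.yahoo.com'; DestinationIp = $null;        DestinationPort = $null }
    [pscustomobject]@{ EventId = 3;  Image = 'C:\Program Files\Outlook\outlook.exe'; QueryName = $null;            DestinationIp = '192.0.2.26'; DestinationPort = 25 }
)

Find-ClodpuntorActivity -Events $sample | Format-Table -AutoSize
```

Only taskmon.exe is reported for the sample: outlook.exe is skipped by the allow-list, and even without that it makes a single lookup, below the two-lookup threshold. The threshold and the allow-list are the tunable parts; on a host with no legitimate direct-to-MX mail flow, any non-mail-client process connecting to port 25 is worth alerting on by itself.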
Analysis by Scott Molenkamp