
The fact that Kaspersky AntiVirus for WinGate has ended up as part of a Trojan horse is bound to be detrimental to the Russian antivirus maker. This is the case with the SpamThru Trojan which, according to an analysis performed by SecureWorks, uses the Kaspersky antivirus engine to shake off its competition. Once on a compromised machine, "at startup, SpamThru requests and loads a DLL from the control server. This DLL in turn downloads a pirated copy of Kaspersky AntiVirus for WinGate from the control server into a concealed directory on the infected system. It patches the license signature check in-memory in the Kaspersky DLL in order to avoid having Kaspersky refuse to run due to an invalid or expired license," reveals SecureWorks.
Ten minutes after the DLL has been downloaded, SpamThru initiates a system scan, detecting its own malicious code as part of the installation. All additional malware identified is deleted at Windows' next reboot.
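The behaviour described above, a vendor's antivirus engine being run from a concealed directory and out of its normal host process, is something an endpoint inventory can flag without knowing anything about the Trojan itself. The script below is an added illustration and not code from the article or from SecureWorks; the vendor name "ExampleAV", its install roots, its expected host processes and the sample module records are all constructed placeholders, since the page does not name the DLL, directory or path involved.

```python
"""Flag security-vendor engine modules loaded from unexpected places.

Heuristic only: a module whose PE version info names a security vendor, but
which is (a) loaded from outside that vendor's install root, (b) sitting in a
hidden directory, or (c) mapped into a process that is not one of the vendor's
own, deserves a closer look.
"""

# Hypothetical vendor and install roots. The article does not say where
# SpamThru placed the engine, so these values are illustrative placeholders.
TRUSTED_ROOTS = {
    "exampleav": (r"C:\Program Files\ExampleAV",
                  r"C:\Program Files (x86)\ExampleAV"),
}
# Processes in which the hypothetical vendor's engine is expected to appear.
EXPECTED_HOSTS = {
    "exampleav": {"exampleav_service.exe", "exampleav_tray.exe"},
}

# Constructed sample records in the shape an endpoint agent might export:
# host process, full module path, PE version-info CompanyName, and whether the
# module's directory carries the hidden attribute. Not real telemetry.
SAMPLE_MODULES = [
    {"process": "exampleav_service.exe",
     "path": r"C:\Program Files\ExampleAV\engine.dll",
     "company": "ExampleAV Ltd", "dir_hidden": False},
    {"process": "exampleav_service.exe",
     "path": r"C:\Program Files\ExampleAV\bases\update.dll",
     "company": "ExampleAV Ltd", "dir_hidden": False},
    {"process": "svchost.exe",
     "path": r"C:\Windows\Temp\~tmp\engine.dll",
     "company": "ExampleAV Ltd", "dir_hidden": True},
    {"process": "notepad.exe",
     "path": r"C:\Windows\System32\kernel32.dll",
     "company": "Microsoft Corporation", "dir_hidden": False},
]


def vendor_key(company):
    """First word of CompanyName, lower-cased, used as the lookup key."""
    return company.split()[0].lower() if company else ""


def is_under(path, root):
    """Case-insensitive 'path lies inside root' test on Windows-style paths."""
    root = root.rstrip("\\").lower() + "\\"
    return path.lower().startswith(root)


def classify(record):
    """Return the reasons a module load looks suspicious (empty list = clean)."""
    vendor = vendor_key(record["company"])
    roots = TRUSTED_ROOTS.get(vendor)
    if roots is None:
        return []  # not a monitored security vendor; out of scope
    reasons = []
    if not any(is_under(record["path"], r) for r in roots):
        reasons.append("loaded outside vendor install root")
    if record["dir_hidden"]:
        reasons.append("module directory is hidden")
    if record["process"].lower() not in EXPECTED_HOSTS.get(vendor, set()):
        reasons.append("unexpected host process " + record["process"])
    return reasons


def find_suspicious(records):
    """Map module path -> reasons, for every record tripping at least one check."""
    hits = {}
    for rec in records:
        reasons = classify(rec)
        if reasons:
            hits[rec["path"]] = reasons
    return hits


if __name__ == "__main__":
    for path, reasons in find_suspicious(SAMPLE_MODULES).items():
        print(path, "->", "; ".join(reasons))
```

On the constructed sample, only the copy under a hidden directory in C:\Windows\Temp is reported, with all three reasons; the same check can be run over a real module inventory once the vendor's genuine install roots and service names are filled in.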
Additionally, SpamThru features peer-to-peer communication via a custom P2P protocol. It shares "information with other peers including the IP addresses and ports and software version of the control server, template servers, and all the peers they each know about. Control is still maintained by a central server, but in case the control server is shut down, the spammer can update the rest of the peers with the location of a new control server," stated SecureWorks. Ultimately, SpamThru is a spam engine, acting as a proxy for spam senders, with its .GIF templates encrypted with AES.