
Author Topic: Mespam meets Zunker (and targets German users)  (Read 4487 times)

  • SCF Global Moderator
Mespam meets Zunker (and targets German users)
« on: 08. June 2007., 20:23:51 »
I wanted to start this blog by quoting a post picked up from one of the many forums contaminated by Mespam to show exactly what infected users experience without having a clue of what’s going on with their computer. If your friends are complaining that your e-mails, blog posts and chat sessions show a suspicious URL linking to photos, jokes or screensavers that you hadn’t sent them, you’re probably another victim of this Trojan.
Trojan.Mespam was originally spotted in February and we described here the new spreading technique, which uses an LSP component to attach text and malicious links to the outgoing HTTP traffic. In the Web 2.0 world this technique has proven its efficiency. It’s worth mentioning that Mespam was distributed via the Trojan.Peacomm P2P network.
In the last few months we’ve seen many recompiled variants of this Mespam coming out, and I’m reporting here some of the malicious URLs that users should absolutely never click, even if they seem to be posted by trusted friends. We have noticed that each outbreak of Mespam has a main “theme” in the spammed messages, such as postcards, jokes, screensavers, and photos, which is configured by a remote C&C center. When we examine the languages of contaminated forums and blogs, it looks like some infections are localized only to specific countries.

February – The “Jokes” malicious URLs series:
 hxxp://
 hxxp://
 hxxp://

March – The “Screensavers” malicious URLs series:
 hxxp://
 hxxp://

April – The "Sex-game" malicious URLs series:
 hxxp://
 hxxp://
 hxxp://

May – The "foto" malicious URLs series (only targeting Germans?):
 hxxp://
 hxxp://
 hxxp://

With some help from Google I’ve searched forums, blogs and web boards for the keywords included in the spam messages, to estimate how many forums and sites contain infected posts. The results shown in this table were not optimistic. We should mention that Mespam also spreads through IM, traditional e-mail and web mail, so we’re not considering in this statistic all the messages spammed, for example via Gmail, Yahoo Mail, ICQ, AIM, etc.

(*) – the keyword includes all the links spammed for the “screensaver” series

But who controls what the infected bots spam, and where? This diagram shows some Mespam code on the right and a C&C interface on the left.

The interface on the left is also known as “Zunker” and is a C&C web panel that controls Mespam bots. The connections between Mespam code and the Zunker panel are obvious. We have many other clues that they are just different pieces of the same thing. With this panel, the botmaster has quick statistics on the number of infected hosts, affected countries, new bots added recently, and can also see which channels, such as IM, traditional mail, webmail, and forums, are used to send spam.

The configuration area of the panel gives the botmaster the ability to choose a different template message for each channel. This is an example of a configured template found on one of the many Zunker interfaces analyzed recently.

When the botnet becomes big enough, the botmaster can use it to infect more hosts or eventually install a secondary Trojan on the infected machines. This secondary file is always configured from the Zunker interface, and is usually a bank Trojan or DDoS threat. In some cases, after the botnet is ready, the botmaster tries to sell this “install-a-Trojan” service to other cyber-criminals who can decide which Trojan to distribute on the infected hosts.

For example, we’ve seen a file named “ebr9.exe” on a Zunker botnet, which from the panel statistics was targeting mostly German users. This Trojan drops the BHO file “%SYSTEM%\console32.dll” and tries to hijack the execution of the following German programs by changing the registry key “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options” for each of them:


The reason for this registry key change is unclear, but German users who have these specific programs should double-check their machines for this Trojan.

We don’t know if the Zunker interface was created together with Trojan.Mespam, or if it was added later by someone else. The current statistics of Mespam samples show that there’s a specific Zunker web panel link hardcoded in every different version of Trojan.Mespam DLL. So probably the package Mespam/Zunker is sold together on the underground market.
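
A defender's check for the Image File Execution Options hijack described above, added here as an example and not part of the original post: it parses the text of a `reg export` dump and lists every program subkey that carries a `Debugger` value. It assumes the redirection is done through the `Debugger` value (the post does not say which value is changed); the program names and paths in the sample are constructed.

```python
import re

# Matches an IFEO per-program subkey in a .reg export, in both the native
# and the 32-bit (WOW6432Node) registry view. Group 1 is the program name.
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Windows NT\\"
    r"CurrentVersion\\Image File Execution Options\\([^\\\]]+)\]$", re.I)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def unescape(s):
    # .reg string data escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)

def find_ifeo_debuggers(reg_text):
    """Return [(program, debugger_command)] for each IFEO subkey with a Debugger value."""
    hits, image = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            image = m.group(1) if m else None   # None: not an IFEO program subkey
            continue
        if image is None:
            continue
        m = VALUE_RE.match(line)
        if m and m.group(1).lower() == "debugger":
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = unescape(data[1:-1])     # REG_SZ; other types are kept raw
            hits.append((image, data))
    return hits

# Constructed sample export (names and paths are placeholders, not from the post).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example-app.exe]
"Debugger"="C:\\WINDOWS\\system32\\placeholder.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\other-app.exe]
"DisableHeapLookaside"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Run]
"Debugger"="not-an-ifeo-entry.exe"
'''

if __name__ == "__main__":
    for program, debugger in find_ifeo_debuggers(SAMPLE):
        print(f"{program} is redirected to: {debugger}")
```

Files written by `reg export` are UTF-16, so read them with `encoding="utf-16"` before passing the text in. A `Debugger` value is legitimate on developer machines, so each hit needs review against what is expected on that host.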