Who is JEROME.exe?

June 2nd, 2009

While analyzing a sample I came across a file named after me I was curious to find out more about it.

First the file presents some interesting characteristics, as it runs and kills itself perpetually.

Other than that, nothing else seemed to happen. Well, that is anything obvious…

In reality my machine had turned into a spambot! Below is a screenshot from a Wireshark analysis showing SMTP packets of a spoofed email address spamming a multitude of email providers.

If you use SNORT inline, you can prevent all outgoing SMTP traffic. Otherwise you will end up on several blacklists pretty quickly.

The file is well detected, some call it Rabbit… go figure?

Jerome

This entry was posted on Tuesday, June 2nd, 2009 at 10:28 am and is filed under Uncategorized. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Comments:

(0) comments
|
Add your comments