Spam trojan installs its own anti-virus scanner

I was astonished to read that the SpamThru Trojan, a piece of malware that has been doing the rounds these last few weeks, and which is designed to generate vast quantities of spam from an infected PC, installs its own AV scanner.

The scanner is reported to be every bit as sophisticated as a commercial anti-virus application, and it is there to prevent the infected machine from being compromised by anyone else.

This strategy differs from almost all viruses and trojans seen to date, which try to stop anti-virus software from downloading updates by editing the hosts file so that the anti-virus vendors' update sites resolve to the localhost address.
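The hosts-file trick described above leaves a simple artefact to look for: entries that map names other than the usual loopback aliases to 127.0.0.1, ::1 or 0.0.0.0. The following script is an added example written for this page, not code from the original post or from any malware; it parses a hosts file (a constructed sample is embedded, and the system hosts path is used when run without arguments) and reports every non-standard hostname that has been sunk to a loopback or null address. The domain names in the sample are placeholders, not real vendor update servers.

```python
"""Flag hosts-file entries that sink hostnames to a loopback or null address,
the anti-virus update-blocking technique described in the post.
Added example for this page; not code from the original post or from SpamThru."""
from __future__ import annotations

import ipaddress
import platform
import sys
from pathlib import Path

# Names that legitimately map to loopback on most systems (assumed allowlist).
BENIGN_LOOPBACK_NAMES = {
    "localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback",
    "ip6-localnet", "ip6-mcastprefix", "ip6-allnodes", "ip6-allrouters",
    "broadcasthost",
}


def default_hosts_path() -> Path:
    """Location of the system hosts file on Windows versus everything else."""
    if platform.system() == "Windows":
        return Path(r"C:\Windows\System32\drivers\etc\hosts")
    return Path("/etc/hosts")


def is_sinkhole_address(token: str) -> bool:
    """True for 127.0.0.0/8, ::1 and the unspecified addresses 0.0.0.0 and ::."""
    try:
        addr = ipaddress.ip_address(token)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def find_sinkholed_hosts(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, address, hostname) for every hostname outside the
    benign allowlist that the hosts file maps to a loopback/null address."""
    findings: list[tuple[int, str, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        if not is_sinkhole_address(addr):
            continue
        for name in names:
            if name.lower() not in BENIGN_LOOPBACK_NAMES:
                findings.append((lineno, addr, name))
    return findings


# Constructed sample: two update hosts sunk to loopback/null, one ordinary entry.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
127.0.0.1       updates.example-av.test   # redirected update server
0.0.0.0         liveupdate.example-av.test
192.168.1.10    fileserver.corp.test
"""

if __name__ == "__main__":
    path = Path(sys.argv[1]) if len(sys.argv) > 1 else default_hosts_path()
    text = path.read_text(errors="replace") if path.exists() else SAMPLE_HOSTS
    for lineno, addr, name in find_sinkholed_hosts(text):
        print(f"line {lineno}: {name} -> {addr}")
```

Run it with no arguments to check the local hosts file, or pass a path to inspect a copy collected from another machine. The check is deliberately scoped to what the post describes (redirection to localhost); an entry that pins an update site to some other attacker-chosen address would not be caught here and needs a comparison against known-good records instead.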

SpamThru is different: when it starts up, the trojan requests and loads a DLL from its author's command-and-control server. That DLL then downloads a pirated copy of Kaspersky AntiVirus for WinGate into a concealed directory on the infected system.

Shortly after the DLL is downloaded, the scanner quietly begins to check the system for malware, skipping any files it identifies as part of its own installation...