Brazilian spambot spreads like fire


A legitimate Canadian website is hosting a Trojan:

The zip archive contains a file with a .cpl extension.

Control Panel files (.cpl) are normally used by the Windows Control Panel, where each icon corresponds to a file such as Access.cpl or Appwiz.cpl.

What a lot of people don’t know is that such files can be run by double-clicking them, just like any “.exe”.
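Because a .cpl is a DLL that Windows will launch on double-click, a zip download or attachment that contains one deserves triage before anyone opens it. The following is an added example, not code from the original post: it lists zip members that either carry a launchable extension or begin with PE headers. The extension list beyond .cpl, the function names and the in-memory sample archive are assumptions constructed for the illustration.

```python
import io
import os
import struct
import zipfile

# .cpl is the extension from the post; the others are assumptions added here.
RISKY_EXTENSIONS = {".cpl", ".exe", ".scr", ".pif", ".com"}
IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit set on DLLs (a .cpl is a DLL)

def pe_kind(data):
    """Classify a file's leading bytes as 'dll', 'exe', or None (not a PE)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (flags,) = struct.unpack_from("<H", data, e_lfanew + 22)
    return "dll" if flags & IMAGE_FILE_DLL else "exe"

def triage_zip(zip_bytes):
    """Return (name, extension, pe_kind) for every suspicious archive member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            with archive.open(info) as member:
                kind = pe_kind(member.read(4096))
            # Flag by name or by content, so a renamed PE is still caught.
            if ext in RISKY_EXTENSIONS or kind:
                findings.append((info.filename, ext, kind))
    return findings

def build_sample_zip():
    """Constructed sample: a stub DLL header named .cpl, a PE named .jpg, a text file."""
    def stub(flags):
        coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0, flags)
        return b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + coff
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("sample.cpl", stub(0x2102))
        archive.writestr("photo.jpg", stub(0x0102))
        archive.writestr("readme.txt", "hello")
    return buf.getvalue()

if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(finding)
```

A mail gateway or download proxy can apply the same check to quarantine archives whose members are flagged, instead of relying on users to recognise the extension.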

This is what happens when you execute it:

Which triggers an escalation of malicious code:

More malware is downloaded from: (IP:

File system modifications include the creation of a “programfiles” folder (not to be confused with the legit Program Files one):

One of the immediate payloads of this Trojan is spam, sent at a rate of several hundred emails per minute:

This particular spambot is targeting Brazilian users, as you may see during the infection process:

The bad guys left a ‘counter’ page in the clear, which you would have caught if you were running Fiddler:

It shows you other infected computers, with the vast majority located in Brazil:

I have contacted the Canadian website mentioned above so they can remove this piece of malware to prevent further infections.

Jerome Segura

