Email subject MESPAM

jorgarmu
Posts: 2
Joined: 02 Jul 2007, 12:59

Post by jorgarmu » 02 Jul 2007, 13:05

Hi, my problem is that I installed Outlook 2007 and whenever I send an email it always arrives with what I wrote as the subject, but with the word MESPAM in front (if I type "hola" it arrives as "MESPAMhola"), and I don't know what to do.

Does anyone have the same problem, or can anyone help me?

Thanks

msc hotline sat
Posts: 93500
Joined: 09 Mar 2004, 20:39
Location: BARCELONA (SPAIN)

Post by msc hotline sat » 02 Jul 2007, 17:16

I don't know which antivirus you use, but it is known to most of them...



Trojan.Mespam [Symantec], Troj/SpamToo-U [Sophos], Spam-Mespam [McAfee], WORM_ZHELATIN.CH [Trend], Troj/SpamToo-X [Sophos]


[quote="Symantec"]
Trojan.Mespam

Risk Level 2: Low

Discovered: February 9, 2007

Updated: February 26, 2007 10:51:47 PM

Also Known As: Troj/SpamToo-U [Sophos], Spam-Mespam [McAfee], WORM_ZHELATIN.CH [Trend], Troj/SpamToo-X [Sophos]

Type: Trojan

Infection Length: 49,664 bytes

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP



Trojan.Mespam may be downloaded by Trojan.Peacomm or it may be spammed out through malicious IMs, emails, or forum posts that may look like one of the following:

LOL ;-)[http://]p://66.148.74.7/ag.[REMOVED]

have you seen this? [http://]mailfreepostcards.com/funvid[REMOVED]

Dont forget to see [http://]mailfreepostcards.com/funvid[REMOVED] !



However, the message and URL can be updated at any time and may change in the future.



Once executed, the Trojan drops the following files:

%System%\rsvp32_2.dll - the dropped LSP DLL

%System%\sporder.dll - clean DLL



Then it registers %System%\rsvp32_2.dll as a layered service provider (LSP) allowing the Trojan to run each time the network device is initialized and have direct access to the network stream.



While registering itself as an LSP, it modifies the contents of the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters



The Trojan also creates the following registry key to store installation related information:

HKEY_LOCAL_MACHINE\SOFTWARE\WinSock2\Buibert



It contacts the following URL to retrieve the message to be spammed out through instant message applications:

[http://]66.148.74.7/zc.[REMOVED]



The Trojan may save the message in one or more of the following files:

%System%\aosmx.dll

%System%\aimsmx.dll

%System%\ymsgsmx.dll

%System%\gtalsmx.dll

%System%\pfxzmtaim.dll

%System%\pfxzmtforum.dll

%System%\pfxzmtgtal.dll

%System%\pfxzmticq.dll

%System%\pfxzmtsmt.dll

%System%\pfxzmtsmtspm.dll

%System%\pfxzmtwbmail.dll

%System%\pfxzmtymsg.dll



The Trojan spams open instant message windows with the downloaded message to make the message appear more legitimate. It may currently recognize and use the following IM client connections:

AOL Instant Messenger

Google Talk

Yahoo! Messenger



It injects the above-mentioned message into emails sent via webmail from the following providers:

AOL

Bellsouth

Care2

Comcast

Earthlink

FastMail

Gmail

Hotmail

Lycos

mail.com

mail.ru

Rambler

Tiscali

Yahoo



The Trojan also injects the above-mentioned message into web forums when creating a new post.

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":



Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.

If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.

Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed.). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.

Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.

Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.

Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.

Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
[/quote]




Try ELISTARA, which handles some variants of this, and see if we're lucky:

ELISTARA:

http://www.zonavirus.com/descargas/elistara.asp

After trying it, reboot and post the contents of C:\infosat.txt so we can see the result of the process.

Then check whether you still have these files and, if so, send them to us for analysis:

%System%\rsvp32_2.dll

%System%\sporder.dll

Regards

ms, 2-07-2007

Note: Check that, after running ELISTARA, the Registry Editor works properly... ms.
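
A read-only check for the artifacts the quoted Symantec write-up names, as an added example that is not part of the original post and not part of ELISTARA. The `Protocol_Catalog9` subkeys and the `PackedCatalogItem` layout are the standard Winsock catalog layout, assumed here rather than taken from the thread.

```powershell
# Added example: read-only check for the Trojan.Mespam artifacts named in the write-up.
# Nothing is modified or deleted. Run from an elevated PowerShell prompt.
$sysDirs = @([Environment]::SystemDirectory, "$env:SystemRoot\SysWOW64") |
    Where-Object { Test-Path -LiteralPath $_ } | Select-Object -Unique

# File names from the write-up. sporder.dll is described there as a clean DLL,
# so it is deliberately not treated as an indicator.
$indicatorFiles = 'rsvp32_2.dll', 'aosmx.dll', 'aimsmx.dll', 'ymsgsmx.dll', 'gtalsmx.dll',
    'pfxzmtaim.dll', 'pfxzmtforum.dll', 'pfxzmtgtal.dll', 'pfxzmticq.dll', 'pfxzmtsmt.dll',
    'pfxzmtsmtspm.dll', 'pfxzmtwbmail.dll', 'pfxzmtymsg.dll'

$findings = @()
foreach ($dir in $sysDirs) {
    foreach ($name in $indicatorFiles) {
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path) { $findings += "File present: $path" }
    }
}

# Registry key the write-up says the Trojan creates for installation information.
if (Test-Path 'HKLM:\SOFTWARE\WinSock2\Buibert') {
    $findings += 'Registry key present: HKLM\SOFTWARE\WinSock2\Buibert'
}

# Enumerate the Winsock provider catalog under the Parameters key the write-up mentions.
# Assumption: each entry's PackedCatalogItem starts with the provider DLL path (ASCII, NUL-terminated).
$catalogRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9'
$providers = foreach ($sub in 'Catalog_Entries', 'Catalog_Entries64') {
    foreach ($entry in (Get-ChildItem "$catalogRoot\$sub" -ErrorAction SilentlyContinue)) {
        $blob = (Get-ItemProperty -LiteralPath $entry.PSPath).PackedCatalogItem
        if ($blob) {
            $end = [Array]::IndexOf($blob, [byte]0)
            if ($end -lt 0) { $end = $blob.Length }
            [Text.Encoding]::ASCII.GetString($blob, 0, $end)
        }
    }
}

# List every registered provider DLL and flag the one named in the write-up.
foreach ($dll in ($providers | Sort-Object -Unique)) {
    Write-Output "Winsock provider: $dll"
    if ($dll -match 'rsvp32_2\.dll') { $findings += "LSP registered: $dll" }
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'None of the Trojan.Mespam artifacts from the write-up were found.'
}
```

If an LSP entry is flagged, unregister it with a removal tool before deleting the DLL, because deleting a file that is still listed in the catalog can break network connectivity.
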

jorgarmu
Posts: 2
Joined: 02 Jul 2007, 12:59

Post by jorgarmu » 03 Jul 2007, 09:58

Hi, I will try the program; the antivirus I use is Panda.

msc hotline sat
Posts: 93500
Joined: 09 Mar 2004, 20:39
Location: BARCELONA (SPAIN)

Post by msc hotline sat » 03 Jul 2007, 10:11

We don't know whether Panda detects it, so if you have the files we asked you for, send them to us:

[quote]Then check whether you still have these files and, if so, send them to us for analysis:

%System%\rsvp32_2.dll

%System%\sporder.dll
[/quote]

->[b] For that, remember[/b]: https://foros.zonavirus.com/viewtopic.php?f=2&t=45334

If we receive them, we will analyze them and report back.

Regards

ms, 3-07-2007
