A painfully high number of incidents have been occurring over the past couple of days in India, Thailand and Greece involving a bot/mailer that is installed by an “aow4.tmp”, “aowc.tmp”, “aow28.tmp”…you get the idea. The bot is downloaded from 66. 29 . 53. 125/supply/pack (a server hosted by a provider in New Jersey) and then injected into a suspended svchost.exe process. This process then spews mail containing nasty Russian slang and attempts to phone home. Most of the servers that it tries to connect with do not accept its mail at this time.
AV detection is surprisingly low — there is some generic detection, but the variants continue to morph.
Rootkit components are not delivered with this one, and the downloader uses an unusual thread injection technique while deleting traces of its own presence. The tmp file creates a suspended process from the svchost.exe executable, calls GetThreadContext to get the registers of the suspended process’s primary thread, writes its own code into the memory space of the svchost process, and then calls SetThreadContext and ResumeThread on the suspended process so that execution resumes on the injected code inside the remote process. ThreatFire will prompt users about this injection.
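As an added illustration (not code from the original post or from ThreatFire), the API sequence just described can be matched as an ordered, per-target state machine over a process-activity trace. The trace format is an assumption, WriteProcessMemory is assumed as the call behind the "writes its own code" step, and the sample lines are constructed; an ordinary suspended launch that is resumed without any context or memory tampering is deliberately not flagged.

```python
import re

# Ordered stages of the injection sequence described in the post. A target PID that
# passes through every stage, driven by the same source process, is flagged.
STAGES = ("CreateProcess", "GetThreadContext", "WriteProcessMemory",
          "SetThreadContext", "ResumeThread")

# Constructed sample trace (not real telemetry): one hollowed svchost.exe,
# one normal launch, and one benign suspended launch that is simply resumed.
SAMPLE_TRACE = """\
src=aow4.tmp pid=4120 api=CreateProcess target=5000 image=svchost.exe flags=CREATE_SUSPENDED
src=explorer.exe pid=1500 api=CreateProcess target=5100 image=notepad.exe flags=0
src=aow4.tmp pid=4120 api=GetThreadContext target=5000
src=aow4.tmp pid=4120 api=WriteProcessMemory target=5000 size=81920
src=aow4.tmp pid=4120 api=SetThreadContext target=5000
src=aow4.tmp pid=4120 api=ResumeThread target=5000
src=services.exe pid=600 api=CreateProcess target=5200 image=svchost.exe flags=CREATE_SUSPENDED
src=services.exe pid=600 api=ResumeThread target=5200
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Turn 'key=value key=value' into a dict (assumed trace format)."""
    return dict(FIELD_RE.findall(line))

def detect_hollowing(trace):
    """Return (source, target_pid, image) for every target process that went
    through the full suspended-create / context swap / resume sequence."""
    progress = {}  # target pid -> [source, image, index of next expected stage]
    alerts = []
    for line in trace.splitlines():
        ev = parse_line(line)
        api, target = ev.get("api"), ev.get("target")
        if api == "CreateProcess":
            if "CREATE_SUSPENDED" in ev.get("flags", ""):
                progress[target] = [ev["src"], ev["image"], 1]
            continue
        state = progress.get(target)
        if state is None or state[0] != ev.get("src"):
            continue  # not a tracked target, or touched by a different process
        if STAGES[state[2]] == api:
            state[2] += 1
            if state[2] == len(STAGES):
                alerts.append((state[0], target, state[1]))
                del progress[target]
        elif api == "ResumeThread":
            del progress[target]  # resumed with no tampering: ordinary launch
    return alerts
```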