Trojan.Pandex Doing More Than Spamming
Trojan.Pandex was first found in early 2007 and is a Trojan primarily used to send spam. Its author clearly has more ambition than spamming alone: we have observed the Trojan adding functionality continuously over the past month or so.
Trojan.Pandex first arrives on a victim's computer as a downloader whose job is to fetch the real payload from a remote server. To make that job more reliable it also drops two .sys files. One of them removes hooks on the system service descriptor table (SSDT) and on NDIS, and detaches the filter drivers on the TCP/IP and file-system stacks. This disables some firewalls and monitoring tools that rely on those hooks and filters, such as Filemon and TDImon. The same driver also removes a rootkit installed by another malicious program.

After these preparations the Trojan injects downloading code into an Internet Explorer process, a process that usually already has permission to reach the network. The downloaded code is made up of two parts. One is a dropper, whose only task is to drop yet a third .sys file onto the system and register it as a system service.

Source: Symantec Security Response Weblog: Trojan.Pandex – Doing More Than Spamming
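Registering that third .sys file as a system service leaves a trace under HKLM\SYSTEM\CurrentControlSet\Services, which is one of the first places to look when triaging a machine suspected of this kind of infection. The script below is an added example, not code from the Symantec post or from the malware: it parses a `reg export` style dump of the Services key and flags kernel-mode driver services whose image lives outside system32\drivers or that carry no DisplayName. The embedded dump is a constructed sample; the service names and paths in it (including `sysdrv01`) are invented for illustration and are not indicators taken from Trojan.Pandex, and the heuristics are assumptions, not published detection logic.

```python
"""Triage helper: flag kernel-driver services registered in unusual places.

Added example for the Trojan.Pandex write-up; not code from the post or the
malware. Parses the subset of .reg syntax that reg.exe emits for
HKLM\\SYSTEM\\CurrentControlSet\\Services and applies a few heuristics.
"""
import re
from typing import Dict, List

# Constructed sample dump. Service names and paths are invented for
# illustration; none of them are indicators taken from Trojan.Pandex.
# Real `reg export` output is UTF-16LE with a BOM: read the file with
# open(path, encoding="utf-16") before handing the text to these functions.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
  72,00,69,00,76,00,65,00,72,00,73,00,5c,00,74,00,63,00,70,00,69,00,70,00,2e,00,\
  73,00,79,00,73,00,00,00
"DisplayName"="TCP/IP Protocol Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Type"=dword:00000110
"Start"=dword:00000002
"ImagePath"="%SystemRoot%\\System32\\spoolsv.exe"
"DisplayName"="Print Spooler"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysdrv01]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\sysdrv01.sys"
'''

_CONTINUATION = re.compile(r',\\\r?\n[ \t]*')            # "...,\" + newline + indent
_VALUE_LINE = re.compile(r'"((?:[^"\\]|\\.)+)"=(.*)')      # "name"=value

DRIVER_TYPES = {0x1, 0x2}      # SERVICE_KERNEL_DRIVER, SERVICE_FILE_SYSTEM_DRIVER
EARLY_START = {0, 1, 2}        # boot, system, auto


def _decode_value(raw: str):
    """Decode the value types reg.exe uses for service keys."""
    if raw.startswith('dword:'):
        return int(raw[len('dword:'):], 16)
    if raw.startswith('hex(2):'):                            # REG_EXPAND_SZ as UTF-16LE bytes
        data = bytes(int(b, 16) for b in raw[len('hex(2):'):].split(',') if b.strip())
        return data.decode('utf-16-le').rstrip('\x00')
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':  # REG_SZ; '\' and '"' are escaped
        return re.sub(r'\\(.)', r'\1', raw[1:-1])
    return raw                                               # other types kept verbatim


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Return {key_path: {value_name: decoded_value}} for .reg text."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in _CONTINUATION.sub(',', text).splitlines():
        line = line.strip()
        if not line or line.startswith('Windows Registry Editor'):
            continue
        if line[0] == '[' and line[-1] == ']':
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = _decode_value(m.group(2))
    return keys


_ROOT_PREFIXES = ('\\??\\', '\\systemroot\\', '%systemroot%\\')
_WINDIR = re.compile(r'^[a-z]:\\(?:windows|winnt)\\', re.IGNORECASE)


def normalize_image_path(image_path: str) -> str:
    """Reduce the many spellings of a path under the Windows directory to a
    lower-case path relative to it, e.g. 'system32\\drivers\\tcpip.sys'."""
    p = image_path.strip().lower()
    for prefix in _ROOT_PREFIXES:
        if p.startswith(prefix):
            p = p[len(prefix):]
    return _WINDIR.sub('', p)


def find_suspicious_drivers(reg_text: str) -> Dict[str, List[str]]:
    """Map service name -> reasons, for every driver service worth a closer look.
    The heuristics are assumptions for triage, not published indicators."""
    findings: Dict[str, List[str]] = {}
    for key_path, values in parse_reg_export(reg_text).items():
        if values.get('Type') not in DRIVER_TYPES:
            continue
        name = key_path.rsplit('\\', 1)[-1]
        image = str(values.get('ImagePath', ''))
        reasons: List[str] = []
        if not normalize_image_path(image).startswith('system32\\drivers\\'):
            reasons.append(f'driver image outside system32\\drivers: {image!r}')
        if 'DisplayName' not in values:
            reasons.append('no DisplayName')
        if reasons and values.get('Start') in EARLY_START:
            reasons.append(f'loads early (Start={values["Start"]})')
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == '__main__':
    for svc, why in find_suspicious_drivers(SAMPLE_REG_EXPORT).items():
        print(svc)
        for reason in why:
            print('  -', reason)
```

The parser covers only the value types reg.exe emits for service keys (dword, REG_SZ, and hex(2) REG_EXPAND_SZ with continuation lines); feed it the output of `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg` read with the utf-16 encoding. It cannot see the SSDT and NDIS unhooking the first driver performs, which leaves no registry trace and has to be checked in kernel memory, and a driver that deletes its service entry after loading, or one hidden by the rootkit, will not appear in the export either, so treat an empty result as weak evidence.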
