A security researcher has found a Trojan that installs a virus scanner to clean other malware from the infected system, or to prevent further infections. The “SpamThru trojan” uses the Kaspersky anti-virus engine to secure the systems it has hijacked.
In the past we have found various malware that tries to remove competing malware, but this is the first time it has been done in such a way… “Of course malware authors know what has the best detection rate, and that must be the reason for choosing KAV,” Joe Stewart adds.
At system startup, SpamThru loads a DLL from its controlling server. This DLL downloads a pirated Kaspersky AntiVirus version and stores it in a hidden file. The license signature check in the Kaspersky DLL is then patched, so that new signatures can be downloaded. Ten minutes after the download completes, the whole system is scanned, so that any additional malware found can be removed at reboot. The full analysis of this particular Trojan can be found here: http://www.secureworks.com/analysis/spamthru/
Well, I don’t see anything wrong at this point. OK, downloading an illegal KAV version is not OK, but a parasitic cleaning “trojan” is nothing other than an effective antidote. If it really just cleans the stuff.
If junk can spread so effectively, why shouldn’t antidotes too?
IMO this is the way to go. Wrong or not wrong, it just works the same way malware works. Except it has a good purpose and effect…