An interesting trojan in that it contains a mail server and a web proxy. Often installed by another ‘downloader’ trojan. Often pulled down from a website.
By default, opens three ports. The port number appears random but is based on the time zone and operating system number of the local OS. The lowest number will be a simple SMTP open relay which the attacker will often use to relay spam to the rest of the planet. This lowest port may contain the string ‘jeem.mail.pv’ in the banner if you telnet to the port.
The middle port number will listen for instructions to the trojan which can include direction to connect to a specific IP/port or to listen on port 9000 for further instructions. The higest number port has the ability to act as a HTTP proxy.
This can be a very annoying worm to be infected with. It has the ability to turn a lowly workstation into a spammer’s dream: an open mail relay.
Telnet’ing to the trojan’s port, whatever it is, returns the following:
[root@intmgmtws1 root]# telnet 192.168.101.100 8281
Connected to my.domain.com (192.168.101.100).
Escape character is '^]'.
220 jeem.mail.pv ESMTP
Connection closed by foreign host.
Note the SMTP codes and the line ‘221 jeem.mail.pv’.