What is Win32/Fruspam.E?

Win32/Fruspam.E is a mass-mailing worm that can send spam email through its own SMTP engine. It also targets systems running servers with IIS.

Win32/Fruspam.E tries to obtain the IP address of the affected system by sending an HTTP request to whatismyip.com. It then connects to whois.apnic.net to look up details of that IP address, such as country, description, address and other details.

Method of Distribution of Win32/Fruspam.E

Win32/Fruspam.E generally propagates to a system by one of two methods.

Via Email: Win32/Fruspam propagates via email. It downloads images from two legitimate websites and uses the images to construct the spam email.

Fruspam scans the system and harvests target email addresses from files on the affected machine. It communicates these email addresses to a remote SMTP server and attempts to use the server for sending the spam emails. It performs DNS MX (mail exchanger) queries to find an appropriate mail server for each domain it tries to send itself to. If it cannot find the DNS server, it attempts to guess the correct one for each domain by different methods.

Via File Replacement: If the compromised system runs a web server with IIS (Internet Information Services), Win32/Fruspam.E attempts to modify or replace the legitimate IIS file at %Root%\inetpub\wwwroot\index.htm with its own .htm file.
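The network behaviour described above (an external IP lookup, a WHOIS query, and MX lookups for many domains from a non-mail host) can be correlated per host for detection. The following is an added example, not taken from the original write-up: the log format, host names, thresholds and the outbound port 25 indicator are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample events (not real telemetry): "time src_host kind detail"
SAMPLE_LOG = """\
10:00:01 ws-14 http whatismyip.com
10:00:03 ws-14 tcp whois.apnic.net:43
10:00:09 ws-14 dns MX example.com
10:00:09 ws-14 dns MX example.net
10:00:10 ws-14 dns MX example.org
10:00:12 ws-14 tcp 192.0.2.25:25
10:01:40 ws-22 http whatismyip.com
10:02:00 mail-01 dns MX example.com
10:02:01 mail-01 dns MX example.net
10:02:02 mail-01 dns MX example.org
10:02:03 mail-01 tcp 192.0.2.25:25
"""

KNOWN_MAIL_HOSTS = {"mail-01"}  # assumption: hosts expected to resolve MX and speak SMTP
MX_DOMAIN_THRESHOLD = 3         # assumption: distinct MX domains that count as a burst
MIN_INDICATORS = 3              # assumption: behaviours required before flagging a host

def indicators(lines):
    """Map each source host to the set of Fruspam-like behaviours seen for it."""
    seen, mx_domains = defaultdict(set), defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed or truncated lines
        host, kind, detail = parts[1], parts[2], parts[3:]
        target = detail[0].lower()
        if kind == "http" and (target == "whatismyip.com"
                               or target.endswith(".whatismyip.com")):
            seen[host].add("ip_lookup")
        elif kind == "tcp" and target == "whois.apnic.net:43":
            seen[host].add("whois")
        elif kind == "tcp" and target.endswith(":25"):
            seen[host].add("direct_smtp")
        elif kind == "dns" and len(detail) == 2 and detail[0] == "MX":
            mx_domains[host].add(detail[1].lower())
            if len(mx_domains[host]) >= MX_DOMAIN_THRESHOLD:
                seen[host].add("mx_burst")
    return seen

def suspects(lines):
    """Hosts outside the mail allowlist showing enough combined indicators."""
    return {h: sorted(s) for h, s in indicators(lines).items()
            if h not in KNOWN_MAIL_HOSTS and len(s) >= MIN_INDICATORS}

if __name__ == "__main__":
    for host, labels in suspects(SAMPLE_LOG.splitlines()).items():
        print(host, labels)
```

A single indicator, such as one whatismyip.com request, is common in benign traffic, which is why the example only flags the combination.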