Virus.Win32.Saburex.a
1. Summary:
Virus.Win32.Saburex.a is a Windows executable file infector with a victim-tracking capability.
Alias names:
BitDefender: Win32.Fidcop.A
eSafe: Virus.Win32.Saburex
F-Secure: Saburex.A
Kaspersky: Virus.Win32.Saburex.a
NOD32: Win32/Saburex.A
Panda: W32/Rex.A
VirusBuster: Win32.Saburex.A
File size: infected files grow by approximately 13 kB; the dropped DLL library is 17,920 bytes long.
2. Detailed description:
When the virus runs for the first time, it drops the following DLL libraries into the Windows SYSTEM directory:
ole16.dll
shell32.dll
After the libraries have been dropped, they are executed via rundll32.
It modifies values in the following registry keys:
[HKCR\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32]
@ = "ole16.dll"
ThreadingModel = "both"
[HKCR\Software\Classes\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32]
@ = shell32.dll
@ = ole16.dll
[HKLM\SOFTWARE\Classes\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32]
@ = "ole16.dll"
ThreadingModel = "both"
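As an added example (not code from the original write-up), the Python script below parses a registry export in the syntax written by `reg export` or Registry Editor and flags every InProcServer32 entry for CLSID {00021401-0000-0000-C000-000000000046} (the Shell Link object, whose in-process server on a clean system is shell32.dll) whose default value does not resolve to shell32.dll. The SAMPLE_REG text is constructed for the example and is not an export from an infected machine; the key paths and the ole16.dll name come from the listing above.

```python
"""Audit an exported .reg fragment for the InProcServer32 redirection described
in the write-up (added example; SAMPLE_REG is constructed, not a real export)."""
import re

# CLSID of the Shell Link object; its in-process server is normally shell32.dll.
TARGET_CLSID = "{00021401-0000-0000-C000-000000000046}"
EXPECTED_SERVER = "shell32.dll"

# Constructed sample in .reg export syntax. The first key mirrors the
# modification listed above; the other two are clean entries for contrast.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32]
@="ole16.dll"
"ThreadingModel"="both"

[HKEY_CLASSES_ROOT\CLSID\{00021500-0000-0000-C000-000000000046}\InProcServer32]
@="C:\\Windows\\System32\\shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32]
@="C:\\Windows\\System32\\shell32.dll"
"ThreadingModel"="Apartment"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg(text):
    """Return {key_path: {value_name: data}} for a .reg export.
    Only quoted string values and the default value (@) are decoded, which is
    all this audit needs."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            name = "@" if name == "@" else name[1:-1]
            if data.startswith('"') and data.endswith('"'):
                # .reg escapes backslashes and quotes inside string data
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = data
    return keys


def audit_inprocserver(keys):
    """Return [(key_path, server)] for InProcServer32 keys of TARGET_CLSID whose
    default value is not shell32.dll (compared by file name, any hive)."""
    findings = []
    for key, values in keys.items():
        parts = key.split("\\")
        if len(parts) < 2 or parts[-1].lower() != "inprocserver32":
            continue
        if parts[-2].upper() != TARGET_CLSID:
            continue
        server = values.get("@", "")
        basename = server.replace("/", "\\").split("\\")[-1].lower()
        if basename != EXPECTED_SERVER:
            findings.append((key, server))
    return findings


if __name__ == "__main__":
    for key, server in audit_inprocserver(parse_reg(SAMPLE_REG)):
        print(f"InProcServer32 redirected: {key} -> {server}")
```

On a live system, export the three keys listed above with `reg export` and feed the file to parse_reg; a default value that names a DLL not shipped by Windows (ole16.dll is such a name) in the System directory is the indicator to act on. The comparison is by file name only, so an absolute or relative shell32.dll path both pass.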
The virus drops a file with a temporary name and a size of 7,168 bytes into the temporary directory. With this file it is able to track all opened windows and take screenshots of them. The screenshots captured from the victim's machine are encrypted and published on the internet.
Only one instance of the virus DLL component can be loaded in memory at a time; this exclusivity is ensured by checking for event names containing the string "~DF".
Infection of other executable files:
The virus looks for files with the *.exe extension on fixed drives and infects the executables it finds. It skips files and directories whose paths contain the following strings:
_restore
documents and
music
program files
win
Files smaller than 524,288 bytes (0x80000) are also ignored; the virus does not infect them.
The virus overwrites a block in the first section of the found executable with the virus body. The original content of the overwritten block is packed into a CAB archive and appended to the end of the file, after the last section, where it is not readily noticed. The entry point in the file header is then changed to point to the virus body.
When the infected file is launched, the virus unpacks the original (overwritten) block from the CAB archive, removes the virus body from the infected file and runs the original file code.
Because the virus body is encrypted, no readable strings are visible in it.
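As an added example (not code from the original write-up), the Python below implements the file-level check a responder would want for the infection pattern just described: it parses the PE section table, finds where the raw data of the last section ends, and reports whether the bytes after it (the overlay) begin with the CAB header magic "MSCF", which section holds the entry point, and whether the file meets the 524,288-byte size threshold the virus applies. The sample executable is built in memory by build_sample_pe() and is a constructed minimal PE, not a real infected file; scan_tree() walks a directory the same way over real *.exe files.

```python
"""PE overlay triage for a CAB archive appended after the last section.
Added example; build_sample_pe() constructs a minimal PE for demonstration."""
import os
import struct

CAB_MAGIC = b"MSCF"
MIN_TARGET_SIZE = 0x80000  # 524,288 bytes: smaller files are not infected


def parse_sections(data):
    """Return (entry_rva, [(name, vaddr, vsize, raw_ptr, raw_size), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt_hdr = e_lfanew + 24
    entry_rva = struct.unpack_from("<I", data, opt_hdr + 16)[0]  # AddressOfEntryPoint
    table = opt_hdr + opt_size
    sections = []
    for i in range(nsec):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, vaddr, vsize, raw_ptr, raw_size))
    return entry_rva, sections


def overlay_offset(sections):
    """End of the last section's raw data; everything past it is overlay."""
    return max((ptr + size for _, _, _, ptr, size in sections), default=0)


def entry_section(entry_rva, sections):
    """Name of the section whose virtual range contains the entry point."""
    for name, vaddr, vsize, _, raw_size in sections:
        if vaddr <= entry_rva < vaddr + max(vsize, raw_size):
            return name
    return None


def triage(data):
    """Summarise the indicators relevant to this infection pattern."""
    entry_rva, sections = parse_sections(data)
    end = overlay_offset(sections)
    overlay = data[end:]
    return {
        "size_eligible": len(data) >= MIN_TARGET_SIZE,
        "entry_section": entry_section(entry_rva, sections),
        "overlay_offset": end,
        "overlay_size": len(overlay),
        "cab_overlay": overlay.startswith(CAB_MAGIC),
    }


def scan_tree(root):
    """Yield (path, triage result) for *.exe files under root with a CAB overlay."""
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(".exe"):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    result = triage(fh.read())
            except (OSError, ValueError, struct.error):
                continue
            if result["cab_overlay"]:
                yield path, result


def build_sample_pe(overlay=b""):
    """Constructed two-section PE32 (0x200-byte headers, entry point in .text)."""
    nsec, opt_size, e_lfanew = 2, 0xE0, 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)     # AddressOfEntryPoint -> .text
    sections = b""
    for i, name in enumerate((b".text", b".data")):
        sections += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), 0x200,
                                0x1000 * (i + 1), 0x200, 0x200 + 0x200 * i,
                                0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + sections).ljust(0x200, b"\0")
    return headers + b"\x90" * 0x400 + overlay


if __name__ == "__main__":
    print(triage(build_sample_pe(CAB_MAGIC + b"\0" * 32)))
```

A CAB overlay on its own is a triage indicator, not a verdict: self-extracting installers legitimately carry appended CABs, so hits from scan_tree should be confirmed with an antivirus engine, as section 3 below advises. The size filter is reported rather than enforced so that small files are still inspected.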
3. How to disinfect victim computer:
We do not recommend disinfecting this virus manually. You could damage your Windows system and your computer could become unusable! To clean this infiltration you must use antivirus software.
[03/09/2007 10:10]