Trojan Win32 Srizbi
1. Summary:
Srizbi is a 154 kB trojan horse that uses a "rootkit" hiding technique and sends spam to the e-mail addresses contained in its configuration file, which it downloads from the Internet.
Aliases:
Proland: W32/Srizbi
Symantec: Trojan.Srizbi
2. Detailed description:
After the first execution, trojan Srizbi creates these files:
%SYSTEM%\windbg48.sys
%SYSTEM%\[random characters].sys
%TEMP%\_uninsep.bat
and then deletes the file it was executed from.
The "windbg48.sys" file is the actual "rootkit", responsible for hiding the trojan within the system.
Trojan Srizbi deletes all log files found in:
%SYSTEM%\Minidump
It also uninstalls and deletes files belonging to an older "rootkit" driver:
ntio256.sys
wincom32.sys
Trojan Srizbi creates the following registry entry:
[HKLM\SYSTEM\CurrentControlSet\Services\windbg48]
This key is hidden by the "rootkit".
Trojan Srizbi marks the infection in the registry. The mark is written to the "MachineNum" entry in the key:
[HKLM\SYSTEM\CurrentControlSet\Services\RcpApi]
"MachineNum" = "[XXXXXX-YYYYYY-ZZ]"
Trojan Srizbi runs solely in kernel mode; its "rootkit" technique hides its files and registry keys.
This trojan horse can also run in "Safe Mode", which makes its removal rather difficult.
To keep its registry keys invisible, Srizbi hooks the following Windows kernel functions:
ZwOpenKey
ZwEnumerateKey
To keep its files invisible, Srizbi hooks the following I/O request handlers in the NTFS file system driver:
FileSystem\Ntfs\IRP_MJ_CREATE
FileSystem\Ntfs\IRP_MJ_DIRECTORY_CONTROL
Trojan Srizbi also hooks the TCP/IP driver, which lets its traffic bypass host-based IDS, firewalls and packet sniffers running on the local computer.
3. Email spamming:
Trojan Srizbi tries to connect to the following sites in order to obtain its configuration file.
abr.srizhopa.biz
bu.srizhopa.biz
The configuration file itself is composed of the following sections:
000_data2
001_ncommall
002_senderna
003_sendersu
config
message
mlist
mxdata
4. Cleaning:
- Reboot the PC into the safe mode.
- Run the "RootkitRevealer" utility, which can show even items hidden by the "rootkit" technique.
You can download it from: http://download.sysinternals.com/Files/RootkitRevealer.zip
- Remove all the "rootkit" entries.
- Delete the following files:
%SYSTEM%\windbg48.sys
%SYSTEM%\[random characters].sys
%TEMP%\_uninsep.bat
- Delete the following registry key:
[HKLM\SYSTEM\CurrentControlSet\Services\windbg48]
- Delete the "MachineNum" entry in the key:
[HKLM\SYSTEM\CurrentControlSet\Services\RcpApi]
"MachineNum" = "[XXXXXX-YYYYYY-ZZ]"
- Reboot the PC back into the normal mode.
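The indicators in section 2 and the manual cleaning steps above lend themselves to an offline check. The following Python script is an added example, not part of the original description or of any vendor tool: it parses registry data in the .reg export format (the output of reg export or regedit) together with a list of file paths and reports the file and registry indicators named on this page, and it implements the cross-view comparison that RootkitRevealer-style tools rely on, flagging service keys that appear in an offline hive export but not in an export taken on the running system (exactly the gap that the ZwOpenKey/ZwEnumerateKey hooks produce). The sample exports and file paths are constructed; the MachineNum value is an invented placeholder, and the character class in the marker regular expression is an assumption, only the group lengths of [XXXXXX-YYYYYY-ZZ] come from the page.

```python
"""Offline indicator check for the Trojan Srizbi artefacts described above.

Added example, not code from the original write-up or from any vendor.
Input is text in the Windows .reg export format plus a list of file paths.
Because Srizbi hooks ZwOpenKey/ZwEnumerateKey on a live system, the export
should come from an offline hive (or a host where the driver is not loaded);
cross_view_gap() compares a live export with an offline one to surface the
keys the hooks are hiding.
"""
import re

SERVICES_PREFIX = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" + "\\"
# Indicators taken from the description above (matched case-insensitively).
SERVICE_KEYS = {"windbg48"}            # hidden service key created by the trojan
MARKER_KEY = SERVICES_PREFIX + "RcpApi"
MARKER_VALUE = "MachineNum"
# Shape [XXXXXX-YYYYYY-ZZ] is from the page; the \w character class is an assumption.
MARKER_RE = re.compile(r"^\[\w{6}-\w{6}-\w{2}\]$")
FILE_NAMES = {"windbg48.sys", "_uninsep.bat"}


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: raw_value}}.

    Handles the subset needed here: [key] headers, "name"=value lines and
    @=value (the default value).  Keys without values still appear so they
    can be enumerated; comments and the version header are skipped.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        keys[current][name] = value
    return keys


def check_indicators(reg, file_paths):
    """Return human-readable findings for the page's file and registry indicators."""
    findings = []
    lower = {k.lower(): (k, v) for k, v in reg.items()}
    for svc in SERVICE_KEYS:
        hit = lower.get((SERVICES_PREFIX + svc).lower())
        if hit:
            findings.append(f"service key present: {hit[0]}")
    marker = lower.get(MARKER_KEY.lower())
    if marker:
        for name, value in marker[1].items():
            if name.lower() == MARKER_VALUE.lower():
                shape = "matches" if MARKER_RE.match(value) else "does not match"
                findings.append(
                    f"infection marker {MARKER_VALUE}={value!r} ({shape} the documented shape)")
    for path in file_paths:
        base = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base in FILE_NAMES:
            findings.append(f"file present: {path}")
    return findings


def cross_view_gap(live_reg, offline_reg):
    """Service names visible in the offline export but absent from the live one.

    A rootkit filtering ZwOpenKey/ZwEnumerateKey produces exactly this
    discrepancy; a clean host yields an empty set.
    """
    def service_names(reg):
        return {k[len(SERVICES_PREFIX):].split("\\", 1)[0].lower()
                for k in reg if k.lower().startswith(SERVICES_PREFIX.lower())}
    return service_names(offline_reg) - service_names(live_reg)


# Constructed sample data; the MachineNum value is an invented placeholder.
LIVE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip]
"Start"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RcpApi]
"MachineNum"="[ABC123-DEF456-07]"
"""
# The offline hive additionally shows the key the live view never returns.
OFFLINE_EXPORT = LIVE_EXPORT + r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windbg48]
"Start"=dword:00000001
"""
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\drivers\tcpip.sys",
    r"C:\WINDOWS\system32\windbg48.sys",
    r"C:\DOCUME~1\USER\LOCALS~1\Temp\_uninsep.bat",
]

if __name__ == "__main__":
    offline = parse_reg_export(OFFLINE_EXPORT)
    for finding in check_indicators(offline, SAMPLE_FILES):
        print("[!]", finding)
    hidden = cross_view_gap(parse_reg_export(LIVE_EXPORT), offline)
    print("service keys hidden from the live view:", sorted(hidden))
```

Because the driver hides its key from live enumeration, feed the check a hive copied from the offline disk or exported from a boot environment where the rootkit is not loaded; an empty cross-view gap computed from a live export alone proves nothing.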
0 writebacks [08/10/2007 09:37]