
Trojan:Win32/Srizbi.gen


Trojan:Win32/Srizbi.gen is a generic detection for Trojans that connect to remote sites to retrieve spam messages. It also uses rootkit techniques in order to hide itself from the affected user.


What to do now

Scan with antivirus software
Trojan:Win32/Srizbi.gen uses rootkit methods to hide its presence, and may connect to remote sites to retrieve data or other programs. To recover from this additional malicious software, you must run a full-system scan with an up-to-date antivirus product. Several companies provide antivirus software for this purpose. For more information, see http://www.windowsmarketplace.com/category.aspx?bcatid=3303.

Threat behavior

Trojan:Win32/Srizbi.gen is a generic detection for Trojans that connect to remote sites to retrieve spam messages. It also uses rootkit techniques in order to hide itself from the affected user.
Installation
It arrives on the system with a dropper executable that drops and installs the following rootkit driver onto the affected machine:
  • <system folder>\windbg48.sys
It installs itself as a service by creating the following registry key:
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windbg48
It also adds the following registry entry:
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcAp\ MachineNum = "[random]"
It drops the following temporary batch file, which is used to delete the dropper automatically once the rootkit has been installed:
  • %Temp%\_uninsep.bat
Payload
Deletes Files
It deletes files located in the following directory:
  • <system folder>\Minidump
Uses Advanced Stealth
The driver component is used to hide the Trojan file, its registry modifications and associated network traffic.
Generates Spam
Trojan:Win32/Srizbi.gen connects to remote sites to retrieve data used for sending spam messages.
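The Installation section above lists the file, service key and registry value this threat leaves behind, and the "Uses Advanced Stealth" section explains that the windbg48 driver hides exactly those artifacts from the live system. The following PowerShell function is an added example (not part of the encyclopedia entry or of any Microsoft tool) that checks for the listed artifacts and, when given an offline copy of this machine's SYSTEM hive (for example one copied after booting into WinPE), compares the offline and live views so that a key the rootkit filters from the live registry still shows up. The function name, the `-OfflineSystemHive` parameter and the temporary mount point `HKLM\SrizbiOffline` are assumptions of this example.

```powershell
# Added example: check for the Trojan:Win32/Srizbi.gen artifacts named on the page.
# Function name, parameter and the HKLM\SrizbiOffline mount point are this example's
# own choices, not identifiers from the encyclopedia entry. Run elevated.
function Test-SrizbiArtifacts {
    param(
        # Optional path to an offline copy of THIS machine's SYSTEM hive,
        # e.g. D:\Windows\System32\config\SYSTEM after a WinPE boot (assumed path).
        [string]$OfflineSystemHive
    )

    $findings     = @()
    $systemFolder = [Environment]::SystemDirectory          # <system folder> on the page
    $liveRoot     = 'HKLM:\SYSTEM\CurrentControlSet\Services'

    # 1. Rootkit driver file: <system folder>\windbg48.sys
    $driver = Join-Path $systemFolder 'windbg48.sys'
    if (Test-Path -LiteralPath $driver) {
        $findings += "Driver file present: $driver"
    }

    # 2. Service key: ...\Services\windbg48 (live view; the driver may hide it)
    if (Test-Path -LiteralPath "$liveRoot\windbg48") {
        $findings += "Service key present in live view: $liveRoot\windbg48"
    }

    # 3. Registry value: ...\Services\RpcAp\ MachineNum = "[random]"
    $rpcAp = Get-ItemProperty -LiteralPath "$liveRoot\RpcAp" -Name MachineNum -ErrorAction SilentlyContinue
    if ($rpcAp) {
        $findings += "RpcAp\MachineNum present in live view: $($rpcAp.MachineNum)"
    }

    # 4. Cross-view check: a hive read offline cannot be filtered by the running rootkit,
    #    so a key that is in the offline hive but absent from the live view is itself
    #    an indicator that something is hiding registry data.
    if ($OfflineSystemHive) {
        $mount = 'HKLM\SrizbiOffline'
        reg.exe load $mount $OfflineSystemHive | Out-Null
        try {
            # Offline hives have no CurrentControlSet link; resolve it from Select\Current.
            $current     = (Get-ItemProperty -LiteralPath 'HKLM:\SrizbiOffline\Select' -Name Current).Current
            $offlineRoot = 'HKLM:\SrizbiOffline\ControlSet{0:D3}\Services' -f $current

            foreach ($key in 'windbg48', 'RpcAp') {
                $liveSeen    = Test-Path -LiteralPath "$liveRoot\$key"
                $offlineSeen = Test-Path -LiteralPath "$offlineRoot\$key"
                if ($offlineSeen -and -not $liveSeen) {
                    $findings += "Key $key exists in the offline hive but is hidden from the live view (rootkit indicator)"
                } elseif ($offlineSeen) {
                    $findings += "Key $key present in offline hive: $offlineRoot\$key"
                }
            }
        } finally {
            reg.exe unload $mount | Out-Null
        }
    }

    return $findings
}

# Usage (live view only, may be blinded by the rootkit):
#   Test-SrizbiArtifacts
# Usage (live vs. offline cross-view):
#   Test-SrizbiArtifacts -OfflineSystemHive 'D:\Windows\System32\config\SYSTEM'
```

An empty result from the live-only call is not proof of a clean machine, because the page states that the driver hides the Trojan file and its registry modifications; the offline comparison, or a scan from a trusted boot environment as the "What to do now" section advises, is what settles the question.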
Additional Information
Attackers may be targeting news events such as elections, or public entertainers. An example of a spam message containing a link to a Web site hosting the Trojan is shown below.
Hillary Clinton visited her campaign headquarters in Virginia and did satellite interviews, looking beyond Tuesday's trio of contests and touting the importance of a March 4 vote in Ohio.
Full video
Download it now!

Symptoms

Threats generically detected as Trojan:Win32/Srizbi.gen cover a broad range of variants, so few symptoms specific to a Trojan:Win32/Srizbi.gen installation can be listed. Files and registry entries may be hidden by Win32/Srizbi.

Prevention


Alert level: Severe
This entry was first published on: Dec 13, 2007
This entry was updated on: Feb 17, 2008

This threat is also detected as:
  • W32/Rootkit.AAX (Command)
  • BackDoor.Generic8.CJX (AVG)
  • Win32/Rootkit.Agent.NCW (ESET)
  • Rootkit.Win32.Agent.ea (Kaspersky)
  • Generic.dx (McAfee)
  • W32/Agent.CXNI (Norman)
  • Troj/RKAgen-Fam (Sophos)
  • Trojan.Srizbi (Symantec)
  • RTKT_AGENT.JWI (Trend Micro)