Trojan:Win32/Srizbi.gen is a generic detection for Trojans that connect to remote sites to retrieve spam messages. It also uses rootkit techniques in order to hide itself from the affected user.
It arrives on the system with a dropper executable that drops and installs the following rootkit driver onto the affected machine:
It installs itself as a service by creating the following registry key:
It also adds the following registry entry:
MachineNum = “[random]”
It drops the following temporary batch file, which is used to delete itself automatically after the rootkit has been installed:
It deletes files located in the following directory:
Uses Advanced Stealth
The driver component is used to hide the Trojan file, its registry modifications and associated network traffic.
Trojan:Win32/Srizbi.gen connects to remote sites to retrieve data used for sending spam messages.
Attackers may be targeting news events such as elections, or public entertainers. An example of a spam message containing a link to a Web site hosting the trojan is shown below.
Hillary Clinton visited her campaign headquarters in Virginia and did satellite interviews, looking beyond Tuesday's trio of contests and touting the importance of a March 4 vote in Ohio.
Download it now!
Threats generically detected as Trojan:Win32/Srizbi.gen cover a broad range of variants; hence, few symptoms specific to a Trojan:Win32/Srizbi.gen installation can be listed. Files and registry entries may be hidden by Win32/Srizbi.