Win32/Srizbi


Microsoft security software detects and removes this threat.
 
Srizbi is a trojan that can be remotely controlled to send spam. It also contains rootkit functionality to hide itself.


What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find hidden malware.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Srizbi is a trojan that can be remotely controlled to send spam. It also contains rootkit functionality to hide itself.
Installation
Srizbi's main component is a device driver (detected as Spammer:WinNT/Srizbi) which is dropped and installed by an executable (detected as TrojanDropper:Win32/Srizbi). Older variants drop the driver with names such as qandr.sys; newer variants use randomly generated names. For example:
  • <system folder>\drivers\QPPVOWSP.sys
 
Newer variants of the dropper also copy themselves to the Windows directory with a random name, for example:
  • %windir%\acbrrrjj.exe
 
These variants also add a registry entry to run the dropper each time Windows starts, for example:
 
Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value: ACBRRRJJ (random)
Data: "%windir%\acbrrrjj.exe" (random)
 
The dropper also creates a batch file in the temp directory and runs it. This batch file deletes the original copy of the dropper, so after installation only the copy in the Windows directory and the driver remain on disk. Older Srizbi variants use batch file names such as _it.bat; newer variants use randomly generated names, for example:
  • %temp%\npb.bat
Payload
Sends Spam
The Srizbi driver connects to a remote server, often on port 4099, to receive instructions and other data, including a list of email addresses to send to, messages to send, fake sender information and mail servers to connect to.
 
Uses Advanced Stealth
Srizbi's device driver hooks several low-level APIs in order to hide its own file and registry entries and hinder detection and removal. The driver hides only itself; it does not attempt to hide the dropper's file or its Run registry entry, so those remain visible to ordinary user-mode tools even while the driver's own artifacts may not.
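An added hunting script, not Microsoft's code and not part of this entry, that checks for the three observable traits described above: the Run-key and file-name pattern from the Installation section, the port-4099 connections from the Sends Spam section, and the self-hiding driver from this section (found by diffing a possibly hooked API listing against a raw on-disk listing). It runs over constructed sample data only: a Run-key snapshot, two driver listings and a few firewall flow lines. The name-length bounds, the flow-log format, the benign entries and all sample values are assumptions; the page says port 4099 is used "often", not always, so treat that check as a weak indicator.

```python
"""Offline hunt for the Srizbi artifacts described on this page.

Added example; not Microsoft's code or anything from the analysts named here.
All sample data below is constructed, and the heuristics are assumptions
derived from the examples on the page.
"""
import re
from typing import Dict, Iterable, List, Set, Tuple

RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SRIZBI_C2_PORT = 4099  # "often on port 4099" per the page; a weak indicator

# Assumption: the random names on the page are eight letters; allow a range.
_RUN_DATA = re.compile(r'^"?%windir%\\([a-z]{6,12})\.exe"?$', re.IGNORECASE)
_RANDOM_SYS = re.compile(r'^[A-Z]{6,12}\.sys$')
KNOWN_DRIVER_NAMES = {"qandr.sys"}  # older variants, from the page


def suspicious_run_entries(values: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return Run values whose data is %windir%\\<random>.exe and whose value
    name is the same random token in upper case (the pattern on the page).
    The rootkit does not hide this entry, so it stays visible to user mode."""
    hits = []
    for name, data in values.items():
        m = _RUN_DATA.match(data.strip())
        if m and name.upper() == m.group(1).upper():
            hits.append((name, data))
    return hits


def suspicious_drivers(driver_names: Iterable[str]) -> List[str]:
    """Flag driver files that carry a known Srizbi name or a random-looking
    upper-case name like QPPVOWSP.sys."""
    return [d for d in driver_names
            if d.lower() in KNOWN_DRIVER_NAMES or _RANDOM_SYS.match(d)]


def hidden_drivers(api_view: Set[str], raw_view: Set[str]) -> Set[str]:
    """Cross-view diff: names present in the raw on-disk listing but missing
    from the (possibly hooked) API listing are candidates for rootkit hiding."""
    return raw_view - api_view


# Assumed flow-log format: "<timestamp> TCP <src>:<sport> -> <dst>:<dport> ..."
_FLOW = re.compile(
    r"(\S+)\s+TCP\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s*->\s*(\d+\.\d+\.\d+\.\d+):(\d+)")


def c2_candidates(flow_lines: Iterable[str],
                  port: int = SRIZBI_C2_PORT) -> List[Tuple[str, str]]:
    """Return (src, dst) pairs for outbound TCP flows to the C2 port."""
    out = []
    for line in flow_lines:
        m = _FLOW.search(line)
        if m and int(m.group(5)) == port:
            out.append((m.group(2), m.group(4)))
    return out


# ---- constructed sample data (not captured from a real host) ----
SAMPLE_RUN_VALUES = {
    "ctfmon": r"C:\Windows\System32\ctfmon.exe",      # benign, assumed
    "ACBRRRJJ": r'"%windir%\acbrrrjj.exe"',           # pattern from the page
}
SAMPLE_RAW_DRIVERS = {"ntfs.sys", "QPPVOWSP.sys", "qandr.sys"}  # raw disk view
SAMPLE_API_DRIVERS = {"ntfs.sys"}                               # hooked API view
SAMPLE_FLOWS = [
    "2009-01-30T10:00:01 TCP 10.0.0.5:49152 -> 203.0.113.7:4099 SYN",
    "2009-01-30T10:00:02 TCP 10.0.0.5:49153 -> 203.0.113.9:80 SYN",
    "2009-01-30T10:00:03 TCP 10.0.0.5:49154 -> 203.0.113.8:25 SYN",
]


def hunt() -> Dict[str, object]:
    """Run every check over the constructed samples and collect the findings."""
    return {
        "run_entries": suspicious_run_entries(SAMPLE_RUN_VALUES),
        "drivers": sorted(suspicious_drivers(SAMPLE_RAW_DRIVERS)),
        "hidden": sorted(hidden_drivers(SAMPLE_API_DRIVERS, SAMPLE_RAW_DRIVERS)),
        "c2": c2_candidates(SAMPLE_FLOWS),
    }


if __name__ == "__main__":
    for check, findings in hunt().items():
        print(f"{check}: {findings}")
```

The Run-key check is the most reliable of the four on a live host, since the page states that the rootkit does not hide the dropper's entry; the driver-name and cross-view checks depend on obtaining a raw directory listing that bypasses the hooked APIs, and the port check needs corroboration because nothing stops other software from using port 4099.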
 
Analysis by Tim Liu and Hamish O'Dea

Symptoms

Alerts from your security software might be the only symptom.


Prevention


Alert level: Severe
This entry was first published on: Jan 30, 2009
This entry was updated on: Jul 16, 2015

This threat is also detected as:
  • Rootkit.Win32.Agent.ea (Kaspersky)
  • Generic.dx (McAfee)
  • Troj/RKAgen-Fam (Sophos)
  • Trojan.Srizbi (Symantec)