Threat behavior
Trojan:Win32/Srizbi.gen is a generic detection for Trojans that connect to remote sites to retrieve spam messages. It also uses rootkit techniques in order to hide itself from the affected user.
Installation
It arrives on the system as a dropper executable that installs the following rootkit driver on the affected machine:
It installs itself as a service by creating the following registry key:
It also adds the following registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcAp\MachineNum = “[random]”
It drops the following temporary batch file, which deletes the dropper automatically once the rootkit has been installed:
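The installation steps above leave one persistent, checkable artifact on the page: a service named RpcAp with a MachineNum value under it. The following Python helper is an added triage example (not from the original entry or from Microsoft) that parses the text output of `reg query HKLM\SYSTEM\CurrentControlSet\Services /s`, as saved from a host under investigation, and reports whether that indicator is present. The sample dump embedded in it is constructed for illustration; the MachineNum value and the neighbouring Beep service entry are not real data from an infection.

```python
"""Offline triage helper (added example): scan saved `reg query ... /s`
output for the Trojan:Win32/Srizbi.gen service indicator described on
this page (service key RpcAp with a MachineNum value)."""
import re
from typing import Dict, List, Tuple

# Indicator taken from the page: the rootkit registers itself as a
# service named RpcAp and writes a random string into MachineNum.
SRIZBI_SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcAp"
SRIZBI_VALUE_NAME = "MachineNum"

# reg.exe prints one value per line as "    Name    REG_TYPE    data"
_VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s*(.*)$")

# Constructed sample of `reg query` output; values are illustrative only.
SAMPLE_DUMP = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep
    Start    REG_DWORD    0x1
    Type    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcAp
    Type    REG_DWORD    0x1
    Start    REG_DWORD    0x1
    MachineNum    REG_SZ    a8f13c7e
"""


def parse_reg_query(dump: str) -> Dict[str, Dict[str, Tuple[str, str]]]:
    """Parse `reg query /s` text into {key_path: {value_name: (type, data)}}.

    Key paths start at column 0 with HKEY_; values are indented beneath
    the key they belong to, so a single pass with a 'current key' suffices.
    """
    keys: Dict[str, Dict[str, Tuple[str, str]]] = {}
    current = None
    for line in dump.splitlines():
        if not line.strip():
            continue
        if line.startswith("HKEY_"):
            current = line.strip()
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name, rtype, data = m.groups()
            keys[current][name] = (rtype, data.strip())
    return keys


def find_srizbi_indicators(dump: str) -> List[dict]:
    """Return one finding per RpcAp service key seen in the dump.

    The finding records the MachineNum data when present (None otherwise),
    so an analyst can see both the service registration and the value
    the page names as the infection marker.
    """
    findings = []
    for key, values in parse_reg_query(dump).items():
        if key.lower() != SRIZBI_SERVICE_KEY.lower():
            continue
        machine_num = values.get(SRIZBI_VALUE_NAME, (None, None))[1]
        findings.append({"key": key, "machine_num": machine_num})
    return findings


if __name__ == "__main__":
    for hit in find_srizbi_indicators(SAMPLE_DUMP):
        print(f"Srizbi service indicator present: {hit['key']} "
              f"MachineNum={hit['machine_num']}")
```

Because the driver hides its registry modifications from the live system (see the stealth payload below), run the `reg query` export from an offline copy of the SYSTEM hive or from a clean boot environment rather than trusting the view the infected host presents.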
Payload
Deletes Files
It deletes files located in the following directory:
Uses Advanced Stealth
The driver component is used to hide the Trojan file, its registry modifications and associated network traffic.
Generates Spam
Trojan:Win32/Srizbi.gen connects to remote sites to retrieve data used for sending spam messages.
Additional Information
Attackers may build their lures around news events such as elections, or around public entertainers. An example of a spam message containing a link to a website hosting the trojan is shown below.
Hillary Clinton visited her campaign headquarters in Virginia and did satellite interviews, looking beyond Tuesday's trio of contests and touting the importance of a March 4 vote in Ohio.
Full video
Download it now!
Prevention