

VIRUS ALERTS

Trojan.Srizbi Kernel Malware

Original issue date: July 30, 2007

Trojan.Srizbi is a kernel-mode malware that is downloaded when a user visits websites compromised with the MPack toolkit. The Trojan has several features that set it apart: it runs entirely in kernel mode, includes rootkit functions to hide its presence on the affected system, and requires no user-mode component.

The Trojan has been observed circulating in the wild sending spam email messages. Its payloads, including the spam-sending routine, run in kernel mode rather than user mode.

Aliases: Rootkit:W32/Agent.EA [F-Secure], Trojan.Srizbi [Symantec], Troj/RKAgen-A [Sophos]

Upon execution, the Trojan:

  • Drops the files windbg48.sys and [RANDOM NAME].sys in the Windows System folder.
  • Creates the file _uninsep.bat in the Temp location and then deletes itself.
  • Creates the following hidden registry subkey to run the rootkit driver as a service when the infected machine starts:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windbg48
  • Hooks the following kernel functions to hide its registry keys:

    ZwOpenKey
    ZwEnumerateKey
  • Hooks the following dispatch routines of the NTFS file system driver to hide its files:

    \FileSystem\Ntfs\IRP_MJ_CREATE
    \FileSystem\Ntfs\IRP_MJ_DIRECTORY_CONTROL
  • Patches the TCP/IP network drivers to bypass firewalls, network sniffers and IDS systems.
  • Tries to connect to malicious websites to download configuration files for sending spam messages.
  • Deletes or uninstalls the following rootkit driver files if they are present on the infected system:

    ntio256.sys
    wincom32.sys

In view of its high propagation rate and rootkit hiding techniques, users are advised to implement the following countermeasures:

  • Keep up-to-date patches and fixes on the operating system and application software.
  • Keep up-to-date AntiVirus and AntiSpyware signatures.
  • Install and maintain rootkit detection software.
  • Exercise caution while visiting trusted/untrusted websites.
  • Disable active scripting in the browser.
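The ZwEnumerateKey hook listed above and the rootkit-detection advice in the countermeasures are the reason for this added example (it is not CERT-In's code): a cross-view comparison that diffs the services seen by live registry enumeration against the same keys read from the on-disk SYSTEM hive, flagging entries the hook hides or whose driver file matches a name from this alert. The live and offline views are constructed sample input, and the 'ServiceName=ImagePath' line format and the enumeration tools that would produce it are assumptions.

```python
"""Cross-view check for a service key hidden by a ZwEnumerateKey hook.
The hook hides Services\\windbg48 from live enumeration but cannot alter the
SYSTEM hive file on disk, so diffing a live view against an offline parse of
the hive exposes the hidden entry. Both views below are constructed data."""

# Driver file names given in the alert: Srizbi's own and the rivals it removes.
KNOWN_DRIVER_NAMES = {"windbg48.sys", "ntio256.sys", "wincom32.sys"}

# Constructed 'ServiceName=ImagePath' lines from an assumed live enumerator
# run on the hooked system: the windbg48 key is missing.
LIVE_VIEW = """
Tcpip=System32\\DRIVERS\\tcpip.sys
Ntfs=System32\\drivers\\ntfs.sys
"""
# Constructed: the same keys as read by an assumed offline SYSTEM hive parser.
OFFLINE_VIEW = """
Tcpip=System32\\DRIVERS\\tcpip.sys
Ntfs=System32\\drivers\\ntfs.sys
windbg48=System32\\windbg48.sys
"""

def parse_services_view(text: str) -> dict:
    """Map lower-cased service name -> ImagePath, skipping blank/comment lines."""
    services = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, image = line.partition("=")
            services[name.strip().lower()] = image.strip()
    return services

def cross_view_diff(live: dict, offline: dict) -> list:
    """Return (service, image_path, reason) for offline-only services and
    for any service whose driver file name matches a known rootkit driver."""
    findings = []
    for name, image in offline.items():
        basename = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        reasons = []
        if name not in live:
            reasons.append("hidden from live enumeration")
        if basename in KNOWN_DRIVER_NAMES:
            reasons.append(f"known rootkit driver name {basename}")
        if reasons:
            findings.append((name, image, "; ".join(reasons)))
    return findings

def scan(live_text: str, offline_text: str) -> list:
    """Parse both views and return the cross-view findings."""
    return cross_view_diff(parse_services_view(live_text),
                           parse_services_view(offline_text))
```

A service that appears only in the offline view is the strongest signal here, since a hook on the live enumeration cannot rewrite the hive file on disk.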

References

http://www.f-secure.com/v-descs/rootkit_w32_agent_ea.shtml
http://www.symantec.com/security_response/writeup.jsp?docid=2007-062007-0946-99
http://www.sophos.com/security/analyses/trojrkagena.html

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003