Trojan.Win32.Sasfis_f27b62d7b3

by malwarelabrobot on October 14th, 2013 in Malware Descriptions.

Gen:Variant.Graftor.17710 (BitDefender), Worm:Win32/Autorun.YG (Microsoft), HEUR:Worm.Win32.Generic (Kaspersky), Backdoor.Win32.IRCbot.dl (v) (VIPRE), Win32.HLLW.Autoruner.23940 (DrWeb), Gen:Variant.Graftor.17710 (B) (Emsisoft), BackDoor-EKN (McAfee), W32.SillyFDC (Symantec), Worm.Win32.Bybz (Ikarus), Backdoor:W32/Bubz.gen!A (FSecure), BackDoor.Generic12.AZET (AVG), Win32:AutoRun-BHW [Wrm] (Avast), WORM_DYBALOM.SMX (TrendMicro), Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor, Worm, VirTool, WormAutorun


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary
Technical Details
Removal Recommendations

MD5: f27b62d7b38a24c649ed6d25b083c659
SHA1: 98a6ed8aebcedf9ce3df3951e771e1acee4e12c3
SHA256: a3dae9ac4eaa5854bb6933cfce8196191c9ba64ebf7c180237ba48b0866fea47
SSDeep: 3072:9rqS2S/o6DAegBn js/8IbAS/30TOWqTXLM9Zx6SN3bVF/MevvL5uk/:9rqS2WL07 MAw/kx1VfLX
Size: 137728 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour Description
WormAutorun A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Trojan creates the following process(es):

f27b62d7b38a24c649ed6d25b083c659.exe:1692
winlog.exe:600

File activity

The process f27b62d7b38a24c649ed6d25b083c659.exe:1692 makes changes in a file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\winlog.exe (673 bytes)

The process winlog.exe:600 makes changes in a file system.
The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\winlog.exe (0 bytes)

Registry activity

The process f27b62d7b38a24c649ed6d25b083c659.exe:1692 makes changes in a system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B 70 08 FC 8A 2C AF 81 9D EB 38 BF E9 1F CD 37"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data\Microsoft]
"winlog.exe" = "winlog"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The process winlog.exe:600 makes changes in a system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E4 A1 56 21 C5 E8 DA 88 D9 61 5D 0A D6 00 8E 64"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"winlog.exe" = "%Documents and Settings%\%current user%\Application Data\Microsoft\winlog.exe"

Network activity (URLs)

No activity has been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    f27b62d7b38a24c649ed6d25b083c659.exe:1692
    winlog.exe:600

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Application Data\Microsoft\winlog.exe (673 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "winlog.exe" = "%Documents and Settings%\%current user%\Application Data\Microsoft\winlog.exe"

  5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.