Win32/Sazoora [Threat Name]

Win32/Sazoora.C [Threat Variant Name]

Category: trojan
Size: 193024 B
Detection created: Dec 02, 2015
Detection database version: 12662
Aliases:
  • Trojan.Win32.Fsysna.clml (Kaspersky)
  • VirTool:Win32/Injector.GE (Microsoft)
  • Trojan.MulDrop6.16167 (Dr.Web)
Short description

Win32/Sazoora.C is a trojan that steals sensitive information. The trojan attempts to send gathered information to a remote machine.

Installation

When executed, the trojan copies itself into the following location:

  • %appdata%\WinHost\svchost.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "WindowsHost" = "%appdata%\WinHost\svchost.exe"

The trojan creates and runs a new thread with its own program code within the following processes:

  • chrome.exe
  • iron.exe
  • firefox.exe
  • iexplore.exe

Information stealing

The trojan collects the following information:

  • operating system version
  • information about the operating system and system settings
  • credit card information

The trojan collects sensitive information when the user browses certain web sites.

The trojan may display fake dialogs within the Internet browser.

The goal of the malware is to persuade the user to fill in personal information.

Some examples follow.

The following programs are affected:

  • Google Chrome
  • Internet Explorer
  • Mozilla Firefox
  • SRWare Iron Browser

Other information

The trojan attempts to send gathered information to a remote machine.

The trojan contains a list of (13) URLs. The HTTP protocol is used.

The trojan keeps various information in the following files:

  • %temp%\nd_%variable%.tmp

A string with variable content is used instead of %variable%.

The trojan keeps various information in the following Registry keys:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Svchost\WinHost\Packet]
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Svchost\WinHost\MachineGuid]
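
As an added, defender-side example that is not part of the ESET description, the following PowerShell script checks a Windows user session for the host artifacts listed on this page: the dropped copy under %appdata%\WinHost, the "WindowsHost" Run value, the Svchost\WinHost storage keys and the nd_*.tmp files. It assumes the default %APPDATA% and %TEMP% locations and only reports what it finds; it removes nothing.

```powershell
# Host check for the Win32/Sazoora.C artifacts described above (added example, read-only).
# Run in the session of the user being examined, since all artifacts live under HKCU, %APPDATA% and %TEMP%.

$findings = @()

# 1. Dropped copy of the trojan (page: %appdata%\WinHost\svchost.exe)
$dropPath = Join-Path $env:APPDATA 'WinHost\svchost.exe'
if (Test-Path -LiteralPath $dropPath) {
    $hash = (Get-FileHash -LiteralPath $dropPath -Algorithm SHA256).Hash
    $findings += "File present: $dropPath (SHA256 $hash)"
}

# 2. Run-key persistence (page: value "WindowsHost" under HKCU\...\CurrentVersion\Run)
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValue = Get-ItemProperty -Path $runKey -Name 'WindowsHost' -ErrorAction SilentlyContinue
if ($runValue) {
    $findings += "Run value 'WindowsHost' = $($runValue.WindowsHost)"
}

# 3. Registry storage keys (page: HKCU\...\CurrentVersion\Svchost\WinHost\{Packet,MachineGuid})
$storeBase = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Svchost\WinHost'
foreach ($sub in 'Packet', 'MachineGuid') {
    $key = "$storeBase\$sub"
    if (Test-Path -LiteralPath $key) { $findings += "Registry key present: $key" }
}

# 4. Temporary files (page: %temp%\nd_%variable%.tmp). On its own this is a weak
#    indicator, since the name pattern is not unique to this family; weigh it with 1-3.
Get-ChildItem -Path $env:TEMP -Filter 'nd_*.tmp' -File -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Temp file: $($_.FullName) ($($_.Length) bytes)" }

if ($findings.Count -eq 0) {
    Write-Output 'No Win32/Sazoora.C artifacts found.'
} else {
    Write-Output 'Possible Win32/Sazoora.C artifacts:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

A hit on items 1 to 3 together matches the persistence layout described above; the injected browser threads are not visible to this check and need a memory or EDR view of chrome.exe, iron.exe, firefox.exe and iexplore.exe.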

The trojan hooks the following Windows APIs:

  • PR_Close (nss3.dll)
  • PR_Write (nss3.dll)
  • PR_Read (nss3.dll)
  • HttpSendRequestA (wininet.dll)
  • HttpSendRequestW (wininet.dll)
  • InternetCloseHandle (wininet.dll)
  • InternetQueryDataAvailable (wininet.dll)
  • InternetReadFile (wininet.dll)
