Win32/Srizbi [Threat Name]

Detection created: 2007-11-22
World activity peak: 2008-04-04 (1.1 %)

Short description

Win32/Srizbi is a trojan that is used for spam distribution. The trojan is usually a component of other malware. The file is run-time compressed using VMProtect.

Installation

The trojan may create copies of the following files (source, destination):

  • %malwarefilepath%, %systemroot%\System32\drivers\%variable1%.sys

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
    • "MaxUserPort" = 31999
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CrashControl]
    • "CrashDumpEnabled" = 3
    • "MinidumpDir" = "%SystemRoot%\Minidump"
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\CrashControl]
    • "CrashDumpEnabled" = 3
    • "MinidumpDir" = "%SystemRoot%\Minidump"
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\CrashControl]
    • "CrashDumpEnabled" = 3
    • "MinidumpDir" = "%SystemRoot%\Minidump"
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\CrashControl]
    • "CrashDumpEnabled" = 3
    • "MinidumpDir" = "%SystemRoot%\Minidump"
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Control\CrashControl]
    • "CrashDumpEnabled" = 3
    • "MinidumpDir" = "%SystemRoot%\Minidump"
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Control\CrashControl]
    • "CrashDumpEnabled" = 3
    • "MinidumpDir" = "%SystemRoot%\Minidump"

The trojan may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "%variable2%" = "%systemroot%\%variable2%.exe"
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\%variable1%]
    • "DisplayName" = "%variable1%"
    • "ErrorControl" = 1
    • "ImagePath" = "%systemroot%\System32\drivers\%variable1%.sys"
    • "Start" = 0
    • "Type" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\%variable1%]
    • "DisplayName" = "%variable1%"
    • "ErrorControl" = 1
    • "ImagePath" = "%systemroot%\System32\drivers\%variable1%.sys"
    • "Start" = 0
    • "Type" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\%variable1%]
    • "DisplayName" = "%variable1%"
    • "ErrorControl" = 1
    • "ImagePath" = "%systemroot%\System32\drivers\%variable1%.sys"
    • "Start" = 0
    • "Type" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\%variable1%]
    • "DisplayName" = "%variable1%"
    • "ErrorControl" = 1
    • "ImagePath" = "%systemroot%\System32\drivers\%variable1%.sys"
    • "Start" = 0
    • "Type" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\%variable1%]
    • "DisplayName" = "%variable1%"
    • "ErrorControl" = 1
    • "ImagePath" = "%systemroot%\System32\drivers\%variable1%.sys"
    • "Start" = 0
    • "Type" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\%variable1%]
    • "DisplayName" = "%variable1%"
    • "ErrorControl" = 1
    • "ImagePath" = "%systemroot%\System32\drivers\%variable1%.sys"
    • "Start" = 0
    • "Type" = 1

This causes the trojan to be executed on every system start.

A string with variable content is used in place of %variable1-2%.

Spam distribution

Win32/Srizbi is a trojan that is used for spam distribution.

The message depends entirely on data the trojan downloads from the Internet.

The SMTP protocol is used.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan generates various URL addresses. The HTTP protocol is used in the communication.


It can execute the following operations:

  • send spam
  • update itself to a newer version
  • download files from a remote computer and/or the Internet
  • send files to a remote computer

The trojan hides its presence in the system.

It uses techniques common for rootkits.


The trojan hooks the following Windows APIs:

  • ZwOpenKey (ntoskrnl.exe)
  • ZwEnumerateKey (ntoskrnl.exe)

The trojan keeps various information in the following files:

  • %systemroot%\System32\%variable%.tmp

A string with variable content is used in place of %variable%.


The trojan may delete the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\runtime]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\runtime2]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xpdx]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lzx32]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\docker19]

The trojan may delete the following files:

  • %systemroot%\System32\drivers\docker19.sys
