Win32/Saburex [Threat Name]

Win32/Saburex.A [Threat Variant Name]

Category virus
Short description

Win32/Saburex.A is a parasitic virus that is able to steal passwords and other sensitive information.


The following file is dropped into the %system% folder:

  • ole16.dll

Size of the file is 17920 B. In order to be executed automatically after every system start, the virus registers the DLL as the in-process server of the following COM class. The CLSID is CLSID_ShellLink, the Windows shell-link class that Explorer instantiates whenever it handles shortcut files, so every process that creates a shell link object loads the DLL:

  • [HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32]
    • default = "ole16.dll"
    • "ThreadingModel" = "both"

If that fails (writing under HKEY_CLASSES_ROOT requires administrative rights), the following entries are set instead. HKEY_CURRENT_USER\Software\Classes is merged into HKEY_CLASSES_ROOT and takes precedence for the current user, so the per-user registration hijacks the class without elevation:

  • [HKEY_CURRENT_USER\Software\Classes\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32]
    • default = "ole16.dll"
    • "ThreadingModel" = "both"

Executable file infection

The virus searches for executables on local drives.

Infection is attempted only if an executable is not in a folder that contains one of the following strings in the name:

  • documents and
  • music
  • program files
  • win
  • _restore

Several other criteria are applied when choosing a file to infect.

The virus overwrites code in the first section of the host.

The original code is compressed in a CAB archive and appended to the file.

The original host executable can be reconstructed when an infected file is run.

Another CAB archive containing the DLL library is appended as well.
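The appended CAB archives are a cheap forensic indicator: the overlay of an infected host (the bytes past the end of the last PE section) contains one or more Cabinet headers, and every Cabinet archive begins with the signature MSCF. The scanner below is an added example written for this page, not ESET's detection logic. It walks the PE section table to find where the overlay starts, lists every CAB header in the overlay with its declared total size (cbCabinet) and file count (cFiles), and builds a constructed one-section PE with two fake CAB headers as offline test input; no real Saburex sample is embedded.

```python
import struct

MZ_MAGIC = b"MZ"
PE_MAGIC = b"PE\0\0"
CAB_MAGIC = b"MSCF"          # every Microsoft Cabinet archive starts with this signature
SECTION_HEADER_SIZE = 40     # sizeof(IMAGE_SECTION_HEADER)


def overlay_offset(data: bytes) -> int:
    """Return the file offset where the overlay starts: the end of the last section's raw
    data, or the end of the section table if no section carries raw data."""
    if data[:2] != MZ_MAGIC:
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_MAGIC:
        raise ValueError("no PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    sect_table = e_lfanew + 24 + opt_hdr_size
    end = sect_table + SECTION_HEADER_SIZE * num_sections
    for i in range(num_sections):
        entry = sect_table + SECTION_HEADER_SIZE * i
        # SizeOfRawData is at +16, PointerToRawData at +20 of each section header
        size_raw, ptr_raw = struct.unpack_from("<II", data, entry + 16)
        if ptr_raw:              # sections without file data (e.g. .bss) have PointerToRawData == 0
            end = max(end, ptr_raw + size_raw)
    return end


def find_overlay_cabs(data: bytes) -> list:
    """Return (offset, cbCabinet, cFiles) for each CAB header found in the overlay.
    In CFHEADER, cbCabinet (u32) sits at +8 and cFiles (u16) at +28; the header is 36 bytes."""
    found = []
    pos = data.find(CAB_MAGIC, overlay_offset(data))
    while pos != -1:
        if pos + 36 <= len(data):
            cb_cabinet = struct.unpack_from("<I", data, pos + 8)[0]
            c_files = struct.unpack_from("<H", data, pos + 28)[0]
            found.append((pos, cb_cabinet, c_files))
        pos = data.find(CAB_MAGIC, pos + 4)
    return found


def build_sample() -> bytes:
    """Constructed test input (not a real infected file): a minimal PE32 image with one
    0x200-byte .text section, followed by two fake CAB headers in the overlay, mimicking the
    'original code CAB + DLL CAB' layout described above."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = MZ_MAGIC
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_hdr_size = 0xE0                       # PE32 optional header size
    # COFF: Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptHdr, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_hdr_size, 0x102)
    opt = bytearray(opt_hdr_size)
    struct.pack_into("<H", opt, 0, 0x10B)     # PE32 magic
    raw_ptr, raw_size = 0x200, 0x200
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, relocs, linenums, counts, Characteristics
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + PE_MAGIC + coff + bytes(opt) + sect
    image = headers.ljust(raw_ptr, b"\0") + b"\x90" * raw_size

    def fake_cab(n_files: int, total: int) -> bytes:
        h = bytearray(36)
        h[:4] = CAB_MAGIC
        struct.pack_into("<I", h, 8, total)                    # cbCabinet
        struct.pack_into("<BBHHH", h, 24, 3, 1, 1, n_files, 0) # version 1.3, cFolders, cFiles, flags
        return bytes(h).ljust(total, b"\0")

    return image + fake_cab(1, 64) + fake_cab(1, 48)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for off, size, n in find_overlay_cabs(data):
        print(f"CAB header at offset {off:#x}: cbCabinet={size}, cFiles={n}")
```

Run it against a suspect binary with `python scan.py file.exe`; with no argument it scans the constructed sample. A CAB in the overlay is a triage hint, not a verdict: self-extracting installers legitimately carry Cabinet data past the last section, so confirm by comparing the file with a clean copy or by checking whether the first section's code has been overwritten.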

Information stealing

The virus collects various information when a certain application is being used.

The data is saved in the following Registry key:

  • HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Licences

The virus can send the information to a remote machine.

The HTTP protocol is used.
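A host-side check for both the persistence keys listed above and the MediaPlayer\Licences key used to stash the harvested data, written as an added example for this page (not ESET's tooling) in Python. It parses the text that `reg export` produces, flags any InProcServer32 registration of the ShellLink CLSID, under HKEY_CLASSES_ROOT or a per-user Software\Classes overlay, whose server is not the expected shell library or is given as a bare file name, and returns whatever is stored under the Licences key. The expected loader names, the value stored in the constructed sample export, and the sample content itself are assumptions made for the example, not data from the page.

```python
import re

# CLSID_ShellLink, the class whose in-process server the registry keys above replace.
SHELLLINK_CLSID = "{00021401-0000-0000-C000-000000000046}"
# Loaders a clean ShellLink registration points at. Assumption for this example:
# confirm against a known-good host of the same Windows build before relying on it.
EXPECTED_SERVERS = {"shell32.dll", "windows.storage.dll"}
# Key in which the page says the collected data is saved.
LOOT_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Licences"


def _logical_lines(text: str):
    """Join the backslash-continued lines that reg export uses for long hex values."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""


def parse_reg_export(text: str) -> dict:
    """Parse .reg text into {key_path: {value_name: data}}. REG_SZ strings and
    hex(2) (REG_EXPAND_SZ) values are decoded; other value types are kept as raw text."""
    keys, current = {}, None
    for line in _logical_lines(text):
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None:
            continue
        name, _, data = line.partition("=")
        name = "(default)" if name == "@" else name.strip('"')
        if data.startswith('"') and data.endswith('"'):
            data = re.sub(r"\\(.)", r"\1", data[1:-1])        # .reg escapes \\ and \"
        elif data.startswith("hex(2):"):                      # REG_EXPAND_SZ as UTF-16LE bytes
            raw = bytes(int(b, 16) for b in data[7:].split(",") if b)
            data = raw.decode("utf-16-le").rstrip("\0")
        keys[current][name] = data
    return keys


def find_inproc_hijacks(keys: dict, clsid: str = SHELLLINK_CLSID) -> list:
    """Return (key_path, server) for each InProcServer32 registration of `clsid` whose server
    is not an expected loader, or is a bare file name (resolved through the DLL search order
    rather than a fixed path). Matches both HKCR and the HKCU\\Software\\Classes overlay."""
    suffix = f"\\CLSID\\{clsid}\\INPROCSERVER32"
    hits = []
    for key, values in keys.items():
        if not key.upper().endswith(suffix):
            continue
        server = values.get("(default)", "")
        basename = server.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if basename not in EXPECTED_SERVERS or "\\" not in server:
            hits.append((key, server))
    return hits


def stolen_data_values(keys: dict) -> dict:
    """Return the values stored under the MediaPlayer\\Licences key (empty if absent)."""
    for key, values in keys.items():
        if key.upper() == LOOT_KEY.upper():
            return values
    return {}


# Constructed sample export (not from a real infected host) reproducing the page's keys;
# the value under the Licences key is invented, the page does not describe the stored format.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32]
@="ole16.dll"
"ThreadingModel"="both"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32]
@="ole16.dll"
"ThreadingModel"="both"

[HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Licences]
"0"="example-value"
'''

# Constructed clean registration: "%SystemRoot%\system32\shell32.dll" as REG_EXPAND_SZ,
# in the hex(2) continuation form that reg export writes.
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,\
  5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,68,00,65,00,\
  6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"
'''

if __name__ == "__main__":
    for key, server in find_inproc_hijacks(parse_reg_export(SAMPLE_EXPORT)):
        print(f"suspicious InProcServer32: {key} -> {server!r}")
    print("Licences key contents:", stolen_data_values(parse_reg_export(SAMPLE_EXPORT)))
```

On the host, export the keys with `reg export "HKCR\CLSID\{00021401-0000-0000-C000-000000000046}" hkcr.reg`, the same for the HKCU\Software\Classes path, and `reg export "HKCU\Software\Microsoft\MediaPlayer\Licences" loot.reg`; reg export writes UTF-16 with a byte-order mark, so read the files with `open(path, encoding="utf-16")` before passing the text to `parse_reg_export`.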
