Win32/Sathurbot [Threat Name] go to Threat

Win32/Sathurbot.A [Threat Variant Name]

Category trojan
Size 225280 B
Detection created Sep 27, 2013
Detection database version 8851
Aliases Backdoor.Win32.Agent.deje (Kaspersky)
  Trojan:Win32/Sathurbot.A (Microsoft)
  Infostealer (Symantec)
  BackDoor.HydraLoader.6 (Dr.Web)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

The trojan is often included in the installation packages of programs downloaded from untrustworthy sources.


The trojan may create copies of itself using the following filenames:

  • %currentfolder%\­MediaIconsOverlays.dll

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\­Software\­CLASSES\­CLSID\­{1EC23CFF-4C58-458f-924C-8519AEF61B32}\­InprocServer32]
    • "(Default)" = "%malwarefilepath%"
    • "ThreadingModel" = "Apartment"
  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Explorer\­ShellIconOverlayIdentifiers\­MediaIconsOverlay]
    • "(Default)" = "{1EC23CFF-4C58-458f-924C-8519AEF61B32}"
  • [HKEY_LOCAL_MACHINE\­Software\­CLASSES\­CLSID\­{1EC23CFF-4C58-458f-924C-8519AEF61B32}]
    • "(Default)" = "Media Icons Overlay Helper Tool"

The trojan keeps various information in the following Registry key:

  • [HKEY_LOCAL_MACHINE\­Software\­CLASSES\­CLSID\­{DC76A948-97DA-435e-B7A0-149BB4298979}]
Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (3) URLs. The HTTP protocol is used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • open ports
  • send open TCP and UDP port numbers to a remote computer

The following programs are terminated:

  • msseces.exe
  • msascui.exe

The following services are disabled:

  • MsMpSvc
  • WinDefend
  • wscsvc
  • SharedAccess
  • wuauserv
  • MpsSvc

The trojan may delete the following Registry entries:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "MSC" = "%filepath%"
    • "Windows Defender" = "%filepath%"
  • [HKEY_LOCAL_MACHINESoftware\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "MSC" = "%filepath%"
    • "Windows Defender" = "%filepath%"

The trojan checks for Internet connectivity by trying to connect to the following addresses:

  • google.com
  • yahoo.com
  • bing.com
  • outlook.com

Please enable Javascript to ensure correct displaying of this content and refresh this page.