
Srizbi

Type: Trojan
SubType: Rootkit
Discovery Date: 08/06/2007
Length: varies
Minimum DAT: 5091 (08/06/2007)
Updated DAT: 5377 (09/04/2008)
Minimum Engine: 5.1.00
Description Added: 08/06/2007
Description Modified: 03/31/2008 4:01 AM (PT)

Risk Assessment
  Corporate User: Low
  Home User: Low


Characteristics

This detection is for a trojan that drops a rootkit component to hide the files and registry entries that it creates.

Upon execution, this trojan drops the following files.

  • %windir%\system32\drivers\grande48.sys
  • %windir%\system32\drivers\<RANDOM name>.sys

The dropped SYS file is detected as the Srizbi.sys trojan.

The trojan drops the following batch file and executes it to delete itself:

  • %temp%\_it.bat

It creates the following hidden service entries to load its rootkit component:

  • HKLM\System\CurrentControlSet\Services\grande48
  • HKLM\System\CurrentControlSet\Services\<RANDOM name>

It hooks the IRP_MJ_DIRECTORY_CONTROL dispatch routine of the NTFS file system driver to hide its files from directory listings.

It hooks the following kernel routines to hide its registry keys:

  • ZwEnumerateKey
  • ZwOpenKey

The rootkit component of this trojan is also loaded in Windows Safe Mode, so booting into Safe Mode does not disable the hiding.

It connects to the following remote server to download email addresses used for sending spam, and uploads the most recent crash dump file from the %windir%\minidump folder:

 IP Address : 208.72.168.xxx
 Port       : 4099

Symptoms

  • Presence of the above hidden registry keys and files. Because they are hidden by kernel hooks, they will not appear in listings produced by tools that go through the hooked file and registry enumeration paths.
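The hooks described under Characteristics filter what the system's own enumeration APIs return, so a listing taken on the live host cannot reveal the files and service keys by itself. The usual way to expose them is a cross-view diff: take a raw view from outside the hooked code path (an offline parse of the SYSTEM hive and the drivers directory from a disk image or boot media) and compare it with what the live APIs report. The following is an added example, not McAfee's or the malware's code; it models the effect of the IRP_MJ_DIRECTORY_CONTROL and ZwEnumerateKey/ZwOpenKey hooks on constructed sample data and then recovers the hidden entries by differencing the two views. The random driver name "qx7d2" and the registry values shown are assumptions.

```python
"""Cross-view detection of files and service keys hidden by enumeration hooks.

Added example (not McAfee's or the malware's code). Models a rootkit that
filters directory listings (an IRP_MJ_DIRECTORY_CONTROL hook) and registry key
enumeration (ZwEnumerateKey / ZwOpenKey hooks), then finds the hidden entries
by comparing the hooked "live" view against a raw view taken from outside the
hooked code path, e.g. an offline hive parse or disk image.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# --- Constructed sample data (not captured from a real host) -----------------
# Raw listing of %windir%\system32\drivers as an offline disk parser sees it.
# "grande48.sys" is the name given on the page; "qx7d2" stands in for the
# <RANDOM name> driver and is an assumption.
RAW_DRIVER_DIR = ["ntfs.sys", "tcpip.sys", "grande48.sys", "qx7d2.sys", "ndis.sys"]

# Raw contents of HKLM\System\CurrentControlSet\Services from an offline hive
# parse. Only ImagePath and Start are modelled; the values are assumptions.
RAW_SERVICES = {
    "Ntfs":     {"ImagePath": r"system32\drivers\ntfs.sys", "Start": 0},
    "Tcpip":    {"ImagePath": r"system32\drivers\tcpip.sys", "Start": 1},
    "grande48": {"ImagePath": r"\SystemRoot\system32\drivers\grande48.sys", "Start": 1},
    "qx7d2":    {"ImagePath": r"\SystemRoot\system32\drivers\qx7d2.sys", "Start": 1},
    "Ndis":     {"ImagePath": r"system32\drivers\ndis.sys", "Start": 0},
}

# Names the simulated rootkit hides. In a real driver this list lives inside
# the kernel hook; here it is a constant so the hiding is reproducible offline.
HIDDEN_NAMES = frozenset({"grande48", "qx7d2"})


def _stem(name: str) -> str:
    """'\\...\\grande48.sys' -> 'grande48', lower-cased for comparison."""
    return ntpath.splitext(ntpath.basename(name))[0].lower()


def hooked_directory_listing(raw_listing: list[str]) -> list[str]:
    """What a hooked IRP_MJ_DIRECTORY_CONTROL path returns: entries for the
    rootkit's own files are dropped before user mode ever sees the listing."""
    return [n for n in raw_listing if _stem(n) not in HIDDEN_NAMES]


def hooked_enumerate_key(raw_services: dict[str, dict]) -> dict[str, dict]:
    """What a hooked ZwEnumerateKey path returns: the rootkit's service subkeys
    are skipped during enumeration (a hooked ZwOpenKey fails on them likewise)."""
    return {k: v for k, v in raw_services.items() if k.lower() not in HIDDEN_NAMES}


@dataclass(frozen=True)
class Finding:
    kind: str   # "hidden_file", "hidden_service_key" or "hidden_driver_service"
    name: str
    detail: str


def cross_view_scan(api_dir: list[str], raw_dir: list[str],
                    api_services: dict[str, dict],
                    raw_services: dict[str, dict]) -> list[Finding]:
    """Report every entry present in the raw view but missing from the API
    view, then correlate hidden service keys with hidden driver files."""
    findings: list[Finding] = []
    api_files = set(api_dir)
    hidden_files = {n for n in raw_dir if n not in api_files}
    hidden_keys = {k for k in raw_services if k not in api_services}

    for f in sorted(hidden_files):
        findings.append(Finding("hidden_file", f, "in raw listing, absent from API listing"))
    for k in sorted(hidden_keys):
        svc = raw_services[k]
        image = svc.get("ImagePath", "")
        if ntpath.basename(image) in hidden_files:
            # A hidden service whose driver file is also hidden: the pairing
            # the page describes (service key + .sys under system32\drivers).
            findings.append(Finding("hidden_driver_service", k,
                                    f"ImagePath={image} Start={svc.get('Start')} (driver file also hidden)"))
        else:
            findings.append(Finding("hidden_service_key", k, f"ImagePath={image}"))
    return findings


def demo() -> list[Finding]:
    """Run the scan on the constructed data: the 'live' views are the hooked
    ones, the raw views are the offline ones."""
    api_dir = hooked_directory_listing(RAW_DRIVER_DIR)
    api_services = hooked_enumerate_key(RAW_SERVICES)
    return cross_view_scan(api_dir, RAW_DRIVER_DIR, api_services, RAW_SERVICES)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding.kind:22} {finding.name:12} {finding.detail}")
```

On a real case the raw view has to come from a medium the hooked kernel never touched, for example a hive and directory listing parsed from the disk while booted from clean media; as the page notes, the rootkit is loaded in Safe Mode too, so a Safe Mode boot of the infected system does not yield a clean view.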

Method of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.
However, they may themselves be downloaded by other viruses and/or trojans and installed on the user's system.

Alternatively, they may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the trojan onto the user's system with no user interaction).

Removal

AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

    N/A


Aliases

  • Trojan.Win32.Pakes.cmk (F-Secure)
  • Trojan.Win32.Pakes.cmk (Kaspersky)
  • Win32/Srizbi.Gen (NOD32)
