Threat behavior
Srizbi is a trojan that can be remotely controlled to send spam. It also contains rootkit functionality to hide itself.
Installation
Srizbi's main component is a device driver (detected as Spammer:WinNT/Srizbi) which is dropped and installed by an executable (detected as TrojanDropper:Win32/Srizbi). Older variants drop the driver with names such as qandr.sys; newer variants use randomly generated names. For example:
- <system folder>\drivers\QPPVOWSP.sys
Newer variants of the dropper also copy themselves to the Windows directory with a random name, for example:
These variants also add a registry entry to run the dropper each time Windows starts, for example:
Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value: ACBRRRJJ (random)
Data: "%windir%\acbrrrjj.exe" (random)
The dropper also creates a batch file in the temp directory and runs it. This batch file deletes the original copy of the dropper. Older Srizbi variants use file names such as _it.bat; newer variants use randomly generated file names, for example:
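The installation artefacts described above (a driver under the drivers folder, a Run value whose name matches an executable dropped directly into the Windows directory, and a batch file in the temp folder) can be reviewed with a small triage script. The following is an added example, not part of the encyclopedia entry or of any Microsoft tooling; it runs over a constructed inventory rather than a live host, and the "eight letters, no digits" heuristic for newer random names is an assumption drawn from the entry's sample names (QPPVOWSP.sys, ACBRRRJJ, acbrrrjj.exe), not a documented rule.

```python
"""Triage of Srizbi-style installation indicators over a constructed inventory.
Added example; not code from the encyclopedia entry."""
import re
from pathlib import PureWindowsPath

# Fixed names the entry attributes to older variants.
KNOWN_DRIVER_NAMES = {"qandr.sys"}
KNOWN_BATCH_NAMES = {"_it.bat"}

# Assumption: newer variants' random names are eight letters (QPPVOWSP, ACBRRRJJ).
RANDOM_STEM = re.compile(r"^[A-Za-z]{8}$")


def check_run_entry(value_name: str, data: str):
    """Flag a Run value whose 8-letter name equals the stem of an .exe placed
    directly in %windir% (the entry's ACBRRRJJ -> %windir%\\acbrrrjj.exe pattern)."""
    target = data.strip().strip('"')
    m = re.fullmatch(r"%windir%\\([^\\]+)\.exe", target, re.IGNORECASE)
    if not m:
        return None
    stem = m.group(1)
    if stem.lower() == value_name.lower() and RANDOM_STEM.fullmatch(value_name):
        return f"Run\\{value_name}: random value name matches {stem}.exe in %windir%"
    return None


def check_driver_path(path: str):
    """Flag a driver in the drivers folder with a known Srizbi name or a random stem."""
    p = PureWindowsPath(path)
    if p.parent.name.lower() != "drivers":
        return None
    if p.name.lower() in KNOWN_DRIVER_NAMES:
        return f"{path}: driver name used by older Srizbi variants"
    if p.suffix.lower() == ".sys" and RANDOM_STEM.fullmatch(p.stem):
        return f"{path}: 8-letter random driver name in drivers folder"
    return None


def check_temp_batch(path: str):
    """Flag a batch file in the temp folder by known name or random stem."""
    p = PureWindowsPath(path)
    if p.suffix.lower() != ".bat":
        return None
    if p.name.lower() in KNOWN_BATCH_NAMES or RANDOM_STEM.fullmatch(p.stem):
        return f"{path}: self-deleting batch file candidate in temp folder"
    return None


def review(run_entries, driver_paths, temp_files):
    """Run all three checks and return the list of findings (strings)."""
    findings = []
    for name, data in run_entries:
        f = check_run_entry(name, data)
        if f:
            findings.append(f)
    for checker, items in ((check_driver_path, driver_paths), (check_temp_batch, temp_files)):
        for item in items:
            f = checker(item)
            if f:
                findings.append(f)
    return findings


# Constructed sample inventory (not collected from a real machine).
SAMPLE_RUN = [
    ("ACBRRRJJ", '"%windir%\\acbrrrjj.exe"'),
    ("SecurityHealth", '"%ProgramFiles%\\Windows Defender\\MSASCuiL.exe"'),
]
SAMPLE_DRIVERS = [
    r"C:\Windows\System32\drivers\QPPVOWSP.sys",
    r"C:\Windows\System32\drivers\tcpip.sys",
    r"C:\Windows\System32\drivers\qandr.sys",
]
SAMPLE_TEMP = [
    r"C:\Users\analyst\AppData\Local\Temp\_it.bat",
    r"C:\Users\analyst\AppData\Local\Temp\report.txt",
]

if __name__ == "__main__":
    for line in review(SAMPLE_RUN, SAMPLE_DRIVERS, SAMPLE_TEMP):
        print(line)
```

The random-name rule is a triage hint, not a verdict: legitimate drivers with eight-letter names exist, so findings from that rule should be checked against a known-good driver list or file signature before any action. Because the rootkit hides its own driver file from user-mode enumeration, the driver check is most useful on an inventory taken offline or from a trusted boot environment.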
Payload
Sends Spam
The Srizbi driver connects to a remote server, often on port 4099, to receive instructions and other data, including a list of email addresses to send to, messages to send, fake sender information and mail servers to connect to.
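The two network behaviours in that paragraph, an outbound connection to port 4099 for instructions and a subsequent burst of connections to many mail servers, give a network-side detection opportunity. The following is an added example, not code from the entry; it runs over constructed flow records and assumes TCP for both behaviours, that port 25 is the mail-submission port in use, and a fan-out threshold of 20 distinct SMTP peers per host, none of which the entry states.

```python
"""Flag hosts showing Srizbi-like network behaviour in constructed flow records.
Added example; thresholds and record format are assumptions."""
from collections import defaultdict

C2_PORT = 4099               # from the entry: "often on port 4099"
SMTP_PORT = 25               # assumption: outbound mail delivery port
SMTP_FANOUT_THRESHOLD = 20   # assumption: distinct SMTP peers that marks a workstation as a spam source
AUTHORIZED_RELAYS = {"mx-1"} # assumption: hosts allowed to talk SMTP to many peers


def srizbi_network_findings(flows, authorized_relays=AUTHORIZED_RELAYS):
    """Return {host: [reasons]} for hosts that contact the C2 port or show SMTP fan-out.

    Each flow is (src_host, dst_ip, dst_port, proto)."""
    c2_hosts = set()
    smtp_peers = defaultdict(set)
    for src, dst, port, proto in flows:
        if proto != "tcp":
            continue
        if port == C2_PORT:
            c2_hosts.add(src)
        elif port == SMTP_PORT:
            smtp_peers[src].add(dst)

    findings = {}
    for host in c2_hosts | set(smtp_peers):
        reasons = []
        if host in c2_hosts:
            reasons.append(f"outbound TCP/{C2_PORT} connection (Srizbi instruction channel)")
        peers = len(smtp_peers.get(host, ()))
        if peers >= SMTP_FANOUT_THRESHOLD and host not in authorized_relays:
            reasons.append(f"{peers} distinct SMTP peers from a non-relay host")
        if reasons:
            findings[host] = reasons
    return findings


# Constructed flow records (documentation IP ranges, not observed traffic).
SAMPLE_FLOWS = (
    [("ws-17", "203.0.113.5", 4099, "tcp")]
    + [("ws-17", f"198.51.100.{i}", 25, "tcp") for i in range(1, 26)]
    + [("ws-02", "203.0.113.9", 443, "tcp")]
    + [("mx-1", f"192.0.2.{i}", 25, "tcp") for i in range(1, 31)]
)

if __name__ == "__main__":
    for host, reasons in srizbi_network_findings(SAMPLE_FLOWS).items():
        print(host, "->", "; ".join(reasons))
```

The port rule is the more specific signal but is only as good as the "often" in the entry; the fan-out rule catches variants that change ports but needs an accurate list of authorized mail relays, and a single finding of either kind is a lead for host examination rather than proof of infection.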
Uses Advanced Stealth
Srizbi's device driver hooks several low-level APIs in order to hide its file and registry entries and hinder detection and removal. The driver only hides itself; it does not attempt to hide the dropper's file or registry entry.
Analysis by Tim Liu and Hamish O'Dea
Prevention