Virus:Win32/Sapaq.A is Microsoft's detection for a virus that infects Windows executable files. It can also spread by copying itself into logical drives and network shares.
Installation
Virus:Win32/Sapaq.A drops itself as <system folder>\drivers\TXPlatform.exe. It modifies the system registry so that it automatically runs every time Windows starts:
Adds value: "Explorer"
With data: "<system folder>\drivers\TXPlatform.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
Spreads via...
File infection
Virus:Win32/Sapaq.A infects executable files with the following extensions, even those within .RAR archives:
.COM
.EXE
.PIF
.SCR
It avoids infecting the file NTDETECT.COM and files within folders containing the following strings:
Common Files
ComPlus Applications
Documents and Settings
InstallShield Installation Information
Internet Explorer
Messenger
Microsoft Frontpage
Movie Maker
MSN
MSN Gamin Zone
NetMeeting
Outlook Express
Recycled
System Volume Information
system32
WINDOWS
Windows Media Player
Windows NT
WindowsUpdate
WINNT
WinRAR
Logical drives
Virus:Win32/Sapaq.A enumerates and replicates through removable, fixed, and mapped drives except for drives A: and B:. For drives it finds, it drops a copy of itself as ¡¡¡¡¡¡.exe as well as a file named autorun.inf that enables its dropped copy to automatically run when the drive is accessed and AutoRun is enabled.
Network shares
Virus:Win32/Sapaq.A enumerates network shares that it can write to. For shares it finds, it drops a copy of itself as Cool_GameSetup.exe. If credentials are needed to access the share, it uses the following list of passwords to access the share:
0
000000
007
1
110
111
1111
111111
11111111
12
121212
123
123123
1234
12345
123456
1234567
12345678
123456789
1234qwer
123abc
123asd
123qwe
1313
2002
2003
2112
2600
5150
520
5201314
54321
654321
6969
7777
88888888
901100
a
aaa
abc
abc123
abcd
admin
admin
admin123
Administrator
alpha
asdf
baseball
ccc
computer
database
enable
fish
fuck
fuckyou
god
godblessyou
golf
Guest
harley
home
ihavenopass
letmein
login
love
mustang
mypass
mypass123
mypc
mypc123
owner
pass
passwd
password
pat
patrick
pc
pussy
pw
pw123
pwd
qq520
qwer
qwerty
Root
server
sex
shadow
super
sybase
temp
temp123
test
test123
win
xp
xxx
yxcv
zxcv
Payload
Modifies system settings
Virus:Win32/Sapaq.A modifies certain system settings, such as the following:
- Changes the way hidden files are displayed:
Adds value: "CheckedValue"
With data: "0x00000000"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
- Disables Autoplay on drives of unknown type:
Adds value: NoDriveTypeAutoRun
With data: "0x00000080"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Terminates or deletes security services and applications
Virus:Win32/Sapaq.A terminates services containing the following strings:
360Safe.exe
360safebox.exe
360tray.exe
AVP
ccEvtMgr
ccProxy
ccSetMgr
FireSvc
kavsvc
KPfwSvc
McAfeeFramework
McShield
McTaskManager
MskService
navapsvc
NPFMntor
RsCCenter
RsRavMon
safeboxTray.exe
Schedule
sharedaccess
SNDSrvc
SPBBCSvc
Symantec Core LC
wscsvc
It also deletes the following registry entries connected to security services, if found:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVP
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kav
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\McAfeeUpdaterUI
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Network Associates
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShStatEXE
Modifies Web scripts
Virus:Win32/Sapaq.A searches for certain Web scripts in the system with the following extensions:
.ASP
.ASPX
.HTM
.HTML
.JSP
.PHP
When found, it appends an IFrame link to these files. Modified files are detected as Virus:HTML/Sapaq.A.
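The following PowerShell is an added example, not part of Microsoft's write-up, that scans a web root for files with the extensions listed above and flags ones whose content ends with an appended IFrame. It assumes (the page does not say) that the appended tag lands after the document's closing </html>, or at the very end of a file that has no </html>; $WebRoot is a placeholder for the site's document root.

```powershell
# Added example (not from the Microsoft write-up): report web script files
# that carry an <iframe> appended after the real end of the document.
param([string]$WebRoot = 'C:\inetpub\wwwroot')   # placeholder document root

# Extensions named in the write-up
$extensions = '*.asp', '*.aspx', '*.htm', '*.html', '*.jsp', '*.php'

function Test-AppendedIframe {
    param([string]$Content)
    $lastEnd = [regex]::Matches($Content, '</html\s*>', 'IgnoreCase') | Select-Object -Last 1
    if ($lastEnd) {
        # Anything after the last </html> is not part of the original page
        $tail = $Content.Substring($lastEnd.Index + $lastEnd.Length)
        return [bool]($tail -match '(?i)<iframe\b')
    }
    # No </html> (PHP/ASP/JSP fragments): assumption - flag only a file whose
    # last non-blank content is a complete iframe element
    return [bool]($Content -match '(?is)<iframe\b[^>]*>.*?</iframe>\s*$')
}

Get-ChildItem -Path $WebRoot -Recurse -File -Include $extensions |
    ForEach-Object {
        $text = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
        if ($text -and (Test-AppendedIframe -Content $text)) {
            # Last-write time helps scope the incident to when infection occurred
            [pscustomobject]@{ Path = $_.FullName; Length = $_.Length; LastWrite = $_.LastWriteTime }
        }
    }
```

Files it lists should be compared against a known-good copy or source control before cleaning, since a template that legitimately ends with an iframe will also match.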
Drops other malware
Virus:Win32/Sapaq.A drops a driver component as QQ.sys into the root folder of the system drive and registers it as a service. This driver component is detected as VirTool:WinNT/Small. The service name for this component is 'RESSDT'.
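The persistence entry from the Installation section, the registry changes under Payload, the driver and service just described, and the files dropped on drives and shares can be checked read-only on a host with the following PowerShell. It is an added example, not part of Microsoft's write-up; it assumes the default System32 location from the installation note and only reports, changing nothing.

```powershell
# Added example (not from the Microsoft write-up): read-only triage for the
# Sapaq.A indicators in this description. Run from an elevated session.
$findings = @()

# Installation: HKCU Run value "Explorer" pointing at drivers\TXPlatform.exe
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runVal = (Get-ItemProperty -Path $runKey -Name 'Explorer' -ErrorAction SilentlyContinue).Explorer
if ($runVal -and $runVal -match 'drivers\\TXPlatform\.exe') {
    $findings += "Run value 'Explorer' -> $runVal"
}
# Dropped binary in the system folder (default location assumed)
$dropped = Join-Path $env:SystemRoot 'System32\drivers\TXPlatform.exe'
if (Test-Path $dropped) { $findings += "File present: $dropped" }

# Drops other malware: QQ.sys at the root of the system drive, service RESSDT
$drv = Join-Path $env:SystemDrive 'QQ.sys'
if (Test-Path $drv) { $findings += "File present: $drv" }
if (Get-Service -Name 'RESSDT' -ErrorAction SilentlyContinue) {
    $findings += 'Service present: RESSDT'
}

# Payload: hidden-file display tampering (CheckedValue set to 0)
$showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$cv = (Get-ItemProperty -Path $showAll -Name 'CheckedValue' -ErrorAction SilentlyContinue).CheckedValue
if ($cv -eq 0) { $findings += 'SHOWALL\CheckedValue is 0' }

# Payload: NoDriveTypeAutoRun set to 0x80
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ndt = (Get-ItemProperty -Path $pol -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($ndt -eq 0x80) { $findings += 'NoDriveTypeAutoRun is 0x80' }

# Spreads via logical drives / network shares: dropped copies at drive roots
# (the virus skips A: and B:, so those are skipped here too)
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    if ($d.Root -match '^[AB]:') { continue }
    foreach ($name in 'autorun.inf', 'Cool_GameSetup.exe') {
        $p = Join-Path $d.Root $name
        if (Test-Path $p) { $findings += "File present: $p" }
    }
}

if ($findings.Count -eq 0) { 'No Sapaq.A indicators found' } else { $findings }
```

An autorun.inf at a drive root is only suspicious in combination with the other findings, since legitimate media also carry one.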
Downloads other malware
Virus:Win32/Sapaq.A connects to a certain Web site to download a text file. This text file contains links from which the virus can download other malware. A site that some samples are known to connect to is 'www.52cps.com'.
Additional Information
Virus:Win32/Sapaq.A drops the non-malicious file Desktop_1.ini containing the current date into folders that contain files it has infected.
It also checks if it is running in a virtual environment or if the following applications are currently running:
CaptureNet
ComnView
Dsniff
MiniSniffer
PeepNet
SmartSniff
Sniff
Sniffer
spynet
Winsock Expert
If this is the case, it avoids accessing the Internet.
Analysis by Jireh Sanico