Installation
Trojans in the Win32/Sathurbot family are Dynamic Link Library (.dll) files that are injected into running processes to perform their malicious routines.
They are usually bundled with other third-party installers and keygens. They can also be downloaded from malicious or hacked websites, and through peer-to-peer file sharing applications.
We have seen variants bundled with installers and keygens using file names designed to look like legitimate programs. Some of the installers we have seen include:
- 64bit_vuex91.exe
- adobe.cs6.all.products.activator.(x32.y.x64)_up01-MPT.exe
- Awave Studio 10.6.exe
- codec.exe
- elfbowl.exe
- Flash Player 11.0.1.60 Beta 1 (IE).exe
- fo-gpp2.exe
- idman612b.exe
- IPNetCheckerSetup-x64.exe
- Joboshare iPhone Rip Setup.exe
- Keymaker.exe
- K-Lite Codec Pack 9.0.exe
- Mega Codec Pack 9.X.exe
- PATCH.exe
- Platinum Hide IP Setup.exe
- PowerISO5.exe
- SCANNER.EXE
- Setup.exe
- Setup.RemoteDesktopManager.6.1.7.0.exe
- Sknote KickHaas VST v1.09.exe
- sysrc.exe
- typing.master.pro.v7.0.1.763.exe
- uiso9_pe.exe
- Wedding Album Maker Gold 3.50 Portable Serial Key.exe
- WGA Patcher Cyclone 4.0 Setup.exe
- Windows 7 Anytime Upgrade Keygen.exe
- Windows.Loader.v2.1.3.exe
- winrar-32Bit.exe
- x264 Video Codecs XP-Win7.exe
- xf-adsk2013_xXX.exe
- Youtube Video Downloader PRO.exe
The installer could look like one of the following:
We have seen Win32/Sathurbot variants installed with the following file names and folders:
The trojans drop a malicious .dll and run it via rundll32.exe, using the following format:
Where <path> is the folder and file name the trojan was installed to.
They change the following registry entries:
In subkey: HKEY_CLASSES_ROOT\CLSID\{1EC23CFF-4C58-458f-924C-8519AEF61B32}\InprocServer32
Sets value: "<default>"
With data: "<path>"
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1EC23CFF-4C58-458f-924C-8519AEF61B32}\InprocServer32
Sets value: "<default>"
With data: "<path>"
In subkey: HKEY_CLASSES_ROOT\CLSID\{B82655E9-B81D-4A97-8154-0D84A4C048E4}\InprocServer32
Sets value: "<default>"
With data: "<path>"
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B82655E9-B81D-4A97-8154-0D84A4C048E4}\InprocServer32
Sets value: "<default>"
With data: "<path>"
In subkey: HKEY_CLASSES_ROOT\CLSID\{24808826-C2BF-4269-B3BA-89D1D5F431A4}\InprocServer32
Sets value: "<default>"
With data: "<path>"
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{24808826-C2BF-4269-B3BA-89D1D5F431A4}\InprocServer32
Sets value: "<default>"
With data: "<path>"
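As an added check that is not part of this encyclopedia entry, the following PowerShell reports which DLL each of the three CLSIDs above currently resolves to, so the value can be compared against the dropped file's path; it assumes an elevated prompt, and the HKCU Classes root is an addition beyond the two hives listed here, since a per-user registration of the same CLSID would take precedence for that user.

```powershell
# Added example (not from the encyclopedia entry): list the InprocServer32
# target for the three CLSIDs the Sathurbot entry names. Run elevated.
$clsids = @(
    '{1EC23CFF-4C58-458f-924C-8519AEF61B32}',
    '{B82655E9-B81D-4A97-8154-0D84A4C048E4}',
    '{24808826-C2BF-4269-B3BA-89D1D5F431A4}'
)
# The two hives from the entry, plus HKCU\Software\Classes (assumption added
# here: a per-user entry shadows the machine-wide one for that user).
$roots = @(
    'Registry::HKEY_CLASSES_ROOT\CLSID',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID',
    'Registry::HKEY_CURRENT_USER\Software\Classes\CLSID'
)

function Get-InprocServerReport {
    foreach ($root in $roots) {
        foreach ($clsid in $clsids) {
            $key = "$root\$clsid\InprocServer32"
            if (-not (Test-Path -LiteralPath $key)) { continue }
            # The trojan writes the DLL path into the key's (default) value.
            $dll = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
            if ([string]::IsNullOrWhiteSpace($dll)) { continue }
            $expanded = [Environment]::ExpandEnvironmentVariables($dll)
            $exists   = Test-Path -LiteralPath $expanded
            $signer   = 'n/a'
            if ($exists) {
                $sig    = Get-AuthenticodeSignature -FilePath $expanded
                $signer = "$($sig.Status)"
                if ($sig.SignerCertificate) {
                    $signer += " ($($sig.SignerCertificate.Subject))"
                }
            }
            [pscustomobject]@{
                Key        = $key
                Dll        = $expanded
                FileExists = $exists
                Signature  = $signer
                # A DLL outside the Windows directory registered for one of
                # these CLSIDs deserves a closer look (heuristic, not proof).
                OutsideSystemRoot = -not $expanded.StartsWith($env:SystemRoot, 'OrdinalIgnoreCase')
            }
        }
    }
}

Get-InprocServerReport | Format-Table -AutoSize
```

HKEY_CLASSES_ROOT is a merged view of the HKLM and HKCU Classes keys, so a hit there normally duplicates one of the other two rows; the row to act on is the one naming the hive the value actually lives in.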
Win32/Sathurbot is injected into any of the following processes:
- explorer.exe
- explorer64.exe
- regsvr32.exe
- regsvr64.exe
- rundll32.exe
Payload
Contacts a remote server and opens a backdoor
We have seen variants in this family contact a remote server for a possible backdoor routine.
The server is random, but we have seen variants use the following servers:
- aerofix.eu
- cuptstech.eu
- djigurda.eu
- hujpizda.eu
- inuxland.eu
- prosmartraff.eu
- qwertytraff.org
The backdoor can allow a hacker to perform the following actions on your PC:
- Run files
- Update the copy of the trojan
- Get information about your PC
Makes changes to security settings
Win32/Sathurbot can add itself to your firewall exception list.
We have also seen variants stop the following security programs and services from running:
- MpsSvc
- msascui.exe
- MSC
- MsMpSvc
- msseces.exe
- SharedAccess
- WinDefend
- Windows Defender
- wscsvc
- wuauserv
Downloads other malware
Win32/Sathurbot variants can act as a peer-to-peer client.
They may do this to communicate with the command and control server as part of the backdoor payload.
Analysis by Ric Robielos