Virus Profile: Srizbi

Threat Search

Virus Profile information details
Risk Assessment:	Home Low \| Corporate Low
Date Discovered:	8/6/2007
Date Added:	8/6/2007
Origin:	N/A
Length:	varies
Type:	Trojan
Subtype:	Rootkit
DAT Required:	5091
Removal Instructions

Overview
Virus Characteristics
Removal Instructions

Description

This detection is for a trojan that drops a rootkit component to hide the files and registry entries created by it.

Indication of Infection

Presence of the above hidden registry key and files.

Methods of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.
However they may themselves be downloaded by other viruses and/or Trojans to be installed on the user's system.

Alternatively they may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the trojan onto the user's system with no user interaction.

Aliases

Trojan.Win32.Pakes.cmk (F-Secure), Trojan.Win32.Pakes.cmk (Kaspersky), Win32/Srizbi.Gen (NOD32)

View Virus Characteristics

Virus Characteristics

This detection is for a trojan that drops a rootkit component to hide the files and registry entries created by it.

Upon execution, this trojan drops the following files.

%windir%\system32\drivers\grande48.sys
%windir%\system32\drivers\<RANDOM name>.sys

The dropped SYS file is detected as Srizbi.sys trojan.

The trojan drops following file and executes it to delete itself.

%temp%\_it.bat

It creates the following hidden service entries to load its rootkit component.

HKLM\System\currentcontorlset\services\grande48
HKLM\System\currentcontorlset\services\<RANDOM name>

It hooks the 'IRP_MJ_DIRECTORY_CONTROL' routine of NTFS file system driver to hide its files.

It hooks following kernel routines to hide its registry keys.

ZwEnumerateKey
ZwOpenKey

The rootkit component of this trojan will be loaded in Windows safe mode also.

It connects to the following remote web server to download email addresses to send spam.
and uploads last crash dump file from %windir%\minidump folder.

Ip Address : 208.72.168.xxx
port : 4099

Back To Overview View Removal Instructions

AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.
Additional Windows ME/XP removal considerations