
Win32/Sathurbot


First posted on 15 March 2014.
Source: Microsoft

Aliases:

There are no other names known for Win32/Sathurbot.

Explanation:

Threat behavior

Installation

Trojans in the Win32/Sathurbot family are Dynamic Link Library (.dll) files that are injected into running processes to perform their malicious routines.

They are usually bundled with other third-party installers and keygens. They can also be downloaded from malicious or hacked websites, and through peer-to-peer file sharing applications.

We have seen variants bundled with installers and keygens using file names designed to look like legitimate programs. Some of the installers we have seen include:

  • 64bit_vuex91.exe
  • adobe.cs6.all.products.activator.(x32.y.x64)_up01-MPT.exe
  • Awave Studio 10.6.exe
  • codec.exe
  • elfbowl.exe
  • Flash Player 11.0.1.60 Beta 1 (IE).exe
  • fo-gpp2.exe
  • idman612b.exe
  • IPNetCheckerSetup-x64.exe
  • Joboshare iPhone Rip Setup.exe
  • Keymaker.exe
  • K-Lite Codec Pack 9.0.exe
  • Mega Codec Pack 9.X.exe
  • PATCH.exe
  • Platinum Hide IP Setup.exe
  • PowerISO5.exe
  • SCANNER.EXE
  • Setup.exe
  • Setup.RemoteDesktopManager.6.1.7.0.exe
  • Sknote KickHaas VST v1.09.exe
  • sysrc.exe
  • typing.master.pro.v7.0.1.763.exe
  • uiso9_pe.exe
  • Wedding Album Maker Gold 3.50 Portable Serial Key.exe
  • WGA Patcher Cyclone 4.0 Setup.exe
  • Windows 7 Anytime Upgrade Keygen.exe
  • Windows.Loader.v2.1.3.exe
  • winrar-32Bit.exe
  • x264 Video Codecs XP-Win7.exe
  • xf-adsk2013_xXX.exe
  • Youtube Video Downloader PRO.exe


The installer could look like one of the following (screenshots not reproduced here):

We have seen Win32/Sathurbot variants installed with the following file names and folders:

  • \Microsoft\BingDesktop\BingCore\BingDesktopOverlays.dll
  • \Microsoft\Crypto\RSA64\CryptoProvider.dll
  • \Microsoft\Media Tools\MediaIconsOverlays.dll
  • \Windows Codecs\MediaShellOverlays.dll
  • %ProgramFiles%\Common Files\OnlineFilesManager.dll
  • %ProgramFiles%\\Security\Manager\SecurityManager.dll


The trojans drop a malicious .dll and run it via rundll32.exe, using the following format:

  • "%SystemDrive%\rundll32.exe" "",DllInstall


Where is the folder and file name the trojan was installed to.

They change the following registry entries:

In subkey: HKEY_CLASSES_ROOT\CLSID\{1EC23CFF-4C58-458f-924C-8519AEF61B32}\InprocServer32
Sets value: ""
With data: ""

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1EC23CFF-4C58-458f-924C-8519AEF61B32}\InprocServer32
Sets value: ""
With data: ""

In subkey: HKEY_CLASSES_ROOT\CLSID\{B82655E9-B81D-4A97-8154-0D84A4C048E4}\InprocServer32
Sets value: ""
With data: ""

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B82655E9-B81D-4A97-8154-0D84A4C048E4}\InprocServer32
Sets value: ""
With data: ""

In subkey: HKEY_CLASSES_ROOT\CLSID\{24808826-C2BF-4269-B3BA-89D1D5F431A4}\InprocServer32
Sets value: ""
With data: ""

In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{24808826-C2BF-4269-B3BA-89D1D5F431A4}\InprocServer32
Sets value: ""
With data: ""

Win32/Sathurbot is injected into any of the following processes:

  • explorer.exe
  • explorer64.exe
  • regsvr32.exe
  • regsvr64.exe
  • rundll32.exe


Payload

Contacts a remote server and opens a backdoor

We have seen variants in this family contact a remote server for a possible backdoor routine.

The server is random, but we have seen variants use the following servers:

  • aerofix.eu
  • cuptstech.eu
  • djigurda.eu
  • hujpizda.eu
  • inuxland.eu
  • prosmartraff.eu
  • qwertytraff.org


The backdoor can allow a hacker to perform the following actions on your PC:

  • Run files
  • Update the copy of the trojan
  • Get information about your PC


Makes changes to security settings

Win32/Sathurbot can add itself to your firewall exception list.

We have also seen variants stop the following security programs and services from running:

  • MpsSvc
  • msascui.exe
  • MSC
  • MsMpSvc
  • msseces.exe
  • SharedAccess
  • WinDefend
  • Windows Defender
  • wscsvc
  • wuauserv


Downloads other malware

Win32/Sathurbot variants can act as a peer-to-peer client.

It may do this to communicate with the command and control server as part of its backdoor payload.



Analysis by Ric Robielos

Symptoms

The following could indicate that you have this threat on your PC:

  • You have these files:

    \Microsoft\BingDesktop\BingCore\BingDesktopOverlays.dll
    \Microsoft\Crypto\RSA64\CryptoProvider.dll
    \Microsoft\Media Tools\MediaIconsOverlays.dll
    \Windows Codecs\MediaShellOverlays.dll
    %ProgramFiles%\Common Files\OnlineFilesManager.dll
    %ProgramFiles%\\Security\Manager\SecurityManager.dll



  • You see these entries or keys in your registry:

    In subkey: HKEY_CLASSES_ROOT\CLSID\{1EC23CFF-4C58-458f-924C-8519AEF61B32}\InprocServer32
    Sets value: ""
    With data: ""

    In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1EC23CFF-4C58-458f-924C-8519AEF61B32}\InprocServer32
    Sets value: ""
    With data: ""

    In subkey: HKEY_CLASSES_ROOT\CLSID\{B82655E9-B81D-4A97-8154-0D84A4C048E4}\InprocServer32
    Sets value: ""
    With data: ""

    In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B82655E9-B81D-4A97-8154-0D84A4C048E4}\InprocServer32
    Sets value: ""
    With data: ""

    In subkey: HKEY_CLASSES_ROOT\CLSID\{24808826-C2BF-4269-B3BA-89D1D5F431A4}\InprocServer32
    Sets value: ""
    With data: ""

    In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{24808826-C2BF-4269-B3BA-89D1D5F431A4}\InprocServer32
    Sets value: ""
    With data: ""

  • You can't run these programs:

    MpsSvc
    msascui.exe
    MSC
    MsMpSvc
    msseces.exe
    SharedAccess
    WinDefend
    Windows Defender
    wscsvc
    wuauserv

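The following PowerShell triage script is an added example, not part of the Microsoft write-up: it checks a host for the dropped DLL names, the three CLSID InprocServer32 registrations, running rundll32 instances whose command line names the DllInstall export, and the security services listed above. It assumes candidate root folders for the relative DLL paths (the write-up does not say where they are dropped) and skips the `%ProgramFiles%\\Security\Manager` path because its middle folder is missing from the page.

```powershell
# Added triage script (not part of the Microsoft write-up): checks a Windows host for the
# Win32/Sathurbot artifacts listed above. Candidate root folders for the relative DLL
# paths are an assumption; the write-up does not say where they are dropped.
$RelativeDlls = @(
    'Microsoft\BingDesktop\BingCore\BingDesktopOverlays.dll',
    'Microsoft\Crypto\RSA64\CryptoProvider.dll',
    'Microsoft\Media Tools\MediaIconsOverlays.dll',
    'Windows Codecs\MediaShellOverlays.dll'
)
$Roots = @($env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:ProgramFiles)  # assumed
$AbsoluteDlls = @((Join-Path $env:ProgramFiles 'Common Files\OnlineFilesManager.dll'))
$Clsids = @(
    '{1EC23CFF-4C58-458f-924C-8519AEF61B32}',
    '{B82655E9-B81D-4A97-8154-0D84A4C048E4}',
    '{24808826-C2BF-4269-B3BA-89D1D5F431A4}'
)
$Services = @('MpsSvc', 'MsMpSvc', 'SharedAccess', 'WinDefend', 'wscsvc', 'wuauserv')
$findings = @()

# 1. Dropped DLLs: try each relative name under every candidate root, plus the absolute one.
$paths = foreach ($root in $Roots) { foreach ($rel in $RelativeDlls) { Join-Path $root $rel } }
foreach ($p in ($paths + $AbsoluteDlls)) {
    if (Test-Path -LiteralPath $p -PathType Leaf) { $findings += "File present: $p" }
}

# 2. COM registration: the InprocServer32 default value names the DLL COM will load.
foreach ($hive in 'HKLM:\SOFTWARE\Classes\CLSID', 'Registry::HKEY_CLASSES_ROOT\CLSID') {
    foreach ($c in $Clsids) {
        $key = "$hive\$c\InprocServer32"
        if (Test-Path -LiteralPath $key) {
            $dll = (Get-ItemProperty -LiteralPath $key).'(default)'
            $findings += "CLSID registered: $key -> $dll"
        }
    }
}

# 3. Live rundll32 processes whose command line names the DllInstall export.
Get-CimInstance Win32_Process -Filter "Name='rundll32.exe'" |
    Where-Object { $_.CommandLine -match ',DllInstall' } |
    ForEach-Object { $findings += "rundll32 DllInstall launch: $($_.CommandLine)" }

# 4. Security services the trojan is reported to stop. wuauserv is demand-started on
#    newer Windows, so a stopped state there on its own is weak evidence.
foreach ($s in $Services) {
    $svc = Get-Service -Name $s -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -ne 'Running') { $findings += "Service $s is $($svc.Status)" }
}

if ($findings.Count -eq 0) { 'No Win32/Sathurbot indicators found.' } else { $findings }
```

A CLSID hit should be followed by checking the file the InprocServer32 value points to, since the registration itself is what causes the DLL to be loaded into the hosting process.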
Last update 15 March 2014
