
Backdoor:WinNT/Syzor.A


First posted on 16 March 2009.
Source: SecurityHome

Aliases:

Backdoor:WinNT/Syzor.A is also known as Rootkit.Agent.AITB (BitDefender), Win32/Vundo.CBG (CA), Rootkit.Win32.Agent.csr (Kaspersky), Rootkit/Keylogger.EV (Panda), Backdoor.Syzoor (Symantec).

Explanation:

Backdoor:WinNT/Syzor.A is a backdoor trojan that may be dropped by other malware. It may collect system information and log keystrokes, and hooks certain functions to hinder its detection and removal.

Symptoms
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s).

Installation
Backdoor:WinNT/Syzor.A is a backdoor trojan that is usually dropped by TrojanDropper:Win32/Syzor.A in the Windows drivers folder with a random file name. It modifies the system registry so that it automatically runs every time Windows starts, even when in Safe Mode:

Adds value: "ImagePath"
With data: "<system folder>\drivers\<malware name>.sys"
To subkeys:
HKLM\SYSTEM\ControlSet001\Services\<malware name>.sys
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\<malware name>.sys
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\<malware name>.sys

For example:
Adds value: "ImagePath"
With data: "<system folder>\drivers\ojrsxjr6gqh.sys"
To subkeys:
HKLM\SYSTEM\ControlSet001\Services\ojrsxjr6gqh.sys
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ojrsxjr6gqh.sys
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\ojrsxjr6gqh.sys
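A defender-side check for the Safe Mode persistence described above, added here as an example and not part of the original write-up: it parses a constructed .reg export (the sample data is made up, apart from the ojrsxjr6gqh.sys name the text quotes) and flags SafeBoot\Minimal and SafeBoot\Network entries whose driver loads a .sys from the drivers folder and that are not on an assumed analyst-maintained baseline of known-good entries.

```python
import re
from collections import defaultdict

# Constructed .reg export in the shape Syzor.A's persistence leaves behind: a driver
# service plus SafeBoot Minimal/Network entries of the same name. ojrsxjr6gqh.sys is the
# file name the description quotes; vga.sys stands in for a stock SafeBoot entry.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ojrsxjr6gqh.sys]
"ImagePath"="\\SystemRoot\\system32\\drivers\\ojrsxjr6gqh.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ojrsxjr6gqh.sys]
"ImagePath"="\\SystemRoot\\system32\\drivers\\ojrsxjr6gqh.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\ojrsxjr6gqh.sys]
"ImagePath"="\\SystemRoot\\system32\\drivers\\ojrsxjr6gqh.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\vga.sys]
@="Driver"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
STR_VAL_RE = re.compile(r'^"([^"]+)"="(.*)"$')
SAFEBOOT_RE = re.compile(r'^(.*)\\Control\\SafeBoot\\(Minimal|Network)\\([^\\]+)$', re.I)
DRIVER_IMAGE_RE = re.compile(r'\\drivers\\[^\\]+\.sys$', re.I)

def parse_reg(text):
    """Return {key_path: {value_name: data}}, keeping only quoted (REG_SZ) values."""
    keys = defaultdict(dict)
    current = None
    for line in text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            current = m.group(1)
            keys[current]  # register the key even when it carries no string values
        elif current and (m := STR_VAL_RE.match(line)):
            keys[current][m.group(1)] = m.group(2).replace('\\\\', '\\')  # unescape .reg data
    return dict(keys)

def suspicious_safeboot_drivers(keys, baseline=frozenset()):
    """Flag SafeBoot entries whose driver image is a .sys under drivers\ and is not baselined."""
    findings = []
    for path in keys:
        m = SAFEBOOT_RE.match(path)
        if not m or m.group(3).lower() in baseline:
            continue
        control_set, mode, name = m.groups()
        # Use the service's ImagePath, else the one the write-up says is set on the SafeBoot key
        svc = keys.get(f'{control_set}\\Services\\{name}', {})
        image = svc.get('ImagePath') or keys[path].get('ImagePath', '')
        if DRIVER_IMAGE_RE.search(image):
            findings.append((mode, name, image))
    return findings
```

On a live host the same functions work on the output of `reg export HKLM\SYSTEM`; the baseline should be built from a clean reference image rather than hard-coded.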

Payload
Advanced Stealth Routine
When loaded, WinNT/Syzor.A may hook the functions 'IRP_MJ_CREATE', 'IRP_MJ_READ', and 'IRP_MJ_WRITE' for the following devices:

  • \Filesystem\ntfs
  • \Filesystem\fastfat
  • \Driver\disk

As a result, every attempt to access the driver file is denied.

Backdoor Functionality
WinNT/Syzor.A may also inject a DLL file into the 'services.exe' process to monitor and log keystrokes, active windows, and other system information. It may then connect to 'update-product.net' to send the gathered information.

Analysis by Andrei Florin Saygo

Last update 16 March 2009
