First posted on 01 March 2007.
Source: SecurityHome
Saburex.A is also known as Virus.Win32.Saburex.a, Win32.Fidcop.Gen.
Saburex.A copies itself to the Windows folder and outputs a message.
Description
Once an executable file infected by Saburex.A is run, it drops its DLL component into the temporary folder as:
- [Random Incremental Number].tmp
It is then executed using Microsoft rundll32:
- rundll32 %temp%\[Random Incremental Number].tmp,a [Path and Filename of Infected Executable]
In some instances the malware's DLL component fails to execute because of Windows memory protection; an error message will probably appear in that case.
Sample screenshot:
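A defender-side check for the launch pattern described above, written for this page as an added example (not part of the original write-up): it parses rundll32 command lines as they would appear in a process-creation log and flags a .tmp DLL under the temp folder being loaded through export "a" with an executable path as its argument. The sample command lines below are constructed, not captured.

```python
import re
from typing import Optional

# Generic rundll32 command-line shape: [path\]rundll32[.exe] <dll>,<export> [args]
RUNDLL32_RE = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+'   # optional path, .exe and quotes
    r'"?(?P<dll>[^",]+?)"?\s*,\s*'                   # DLL path, terminated by the comma
    r'(?P<export>[^\s,]+)'                           # exported entry point name
    r'(?:\s+(?P<args>.*?))?\s*$',                    # remaining arguments, if any
    re.IGNORECASE,
)


def parse_rundll32(cmdline: str) -> Optional[dict]:
    """Split a rundll32 command line into dll / export / args, or None if it is not one."""
    m = RUNDLL32_RE.match(cmdline)
    if m is None:
        return None
    return {"dll": m.group("dll"), "export": m.group("export"), "args": m.group("args") or ""}


def is_saburex_launch(cmdline: str) -> bool:
    """True when the line matches: rundll32 <temp>\\<n>.tmp,a <some .exe> (the pattern on this page)."""
    p = parse_rundll32(cmdline)
    if p is None:
        return False
    dll = p["dll"].lower()
    host = p["args"].strip().strip('"').lower()
    in_temp = "%temp%" in dll or "\\temp\\" in dll   # unexpanded variable or expanded path
    return dll.endswith(".tmp") and in_temp and p["export"].lower() == "a" and host.endswith(".exe")


def flag_suspicious(cmdlines: list) -> list:
    """Return only the command lines that match the Saburex.A launch pattern."""
    return [c for c in cmdlines if is_saburex_launch(c)]


# Constructed sample process-creation command lines (not real captures).
SAMPLE_CMDLINES = [
    r'rundll32 C:\DOCUME~1\user\LOCALS~1\Temp\12.tmp,a C:\Tools\editor.exe',
    r'"C:\WINDOWS\system32\rundll32.exe" %temp%\7.tmp,a "C:\Program Files\App\app.exe"',
    r'rundll32.exe shell32.dll,Control_RunDLL desk.cpl',       # benign: real DLL, other export
    r'rundll32 C:\WINDOWS\Temp\setup.dll,InstallHook',         # temp folder, but .dll and no host
    r'C:\WINDOWS\system32\rundll32.exe C:\Temp\3.tmp,b C:\x.exe',  # .tmp in temp, wrong export
]

if __name__ == "__main__":
    for line in flag_suspicious(SAMPLE_CMDLINES):
        print("suspicious rundll32 launch:", line)
```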
Once the DLL has been executed properly, it drops a copy of itself into the Windows system directory as:
If the executed copy is not one of the dropped filenames, it will then delete the executed copy with the help of a temporary batch file created in the temporary folder as:
As a launch point, Saburex.A adds the following registry entry:
- HKEY_CLASSES_ROOT\Software\Classes\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32
@ = shell32.dll
@ = ole16.dll
Saburex.A checks the following event name to ensure that only one instance of its DLL component is running in memory:
Saburex.A starts looking for files by randomly checking for logical drives until it matches the following drive type:
Saburex.A will start searching for files from the root directory using the following wildcard:
Saburex.A skips directories and files whose names start with the following strings:
- _restore
- documents and
- music
- program files
- win
Saburex.A only infects files with the following extension:
Saburex.A only infects files larger than 0x80000 (524,288) bytes. The file-size check is performed several times.
Saburex.A overwrites a block in the first section of the host file and hides it by appending it at the end of the last section together with its virus code.
It creates several temporary files in the root directory as well as in the system's designated temporary folder. These files contain fragments of the virus code and of the host file's code, and are used to assemble the newly infected file. File infection is performed using the Microsoft Cabinet (CAB) APIs.
Saburex.A encrypts its strings using a simple XOR routine.
Last update 01 March 2007