1. "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell" contains the string
"rundll32.exe ifmq.kqo bmhyn"
2. The presence of a 27KB dll file with 4 random-looking exports (bmhyn, nhccck, ocqbk, plljlt) at
"%USERPROFILE%\Local Settings\Temp\[random digits].tmp" and "%SYSTEM%\ifmq.kqo"
3. The dll file mentioned above is injected into an instance of svchost.exe
4. MS Word's macro security level is set to low, i.e.
"Software\Microsoft\Office\10.0\Word\Security\Level" = 1
"Software\Microsoft\Office\10.0\Word\Security\AccessVBOM" = 1
5. "HKEY_CLASSES_ROOT\idid\url0" has a binary value
Please let BitDefender disinfect your files.
Horea Coroiu, virus researcher
Trojan.Sasfis.A is a dropper distributed as an e-mail attachment called agreement.zip.
A mail sample follows:
Dear Facebook user,
Due to Facebook policy changes, all Facebook users must submit a new, updated account agreement,
regardless of their original account start date.
Accounts that do not submit the updated account agreement by the deadline will have restricted.
Please unzip the attached file and run “agreement.exe” by double-clicking it.
The Facebook Team
When executed, it drops a dll file to two locations:
1. %USERPROFILE%\Local Settings\Temp\[random digits].tmp
2. %SYSTEM%\ifmq.kqo
The dll is injected into a new instance of svchost.exe and scheduled to run with an Asynchronous Procedure Call (APC).
It is also added to the system startup by appending the string "rundll32.exe ifmq.kqo bmhyn" to the registry value
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell".
If an MS Office installation is detected, the malware will try to run a VB script with OLE automation in the context of MS Word's process. Macro execution is enabled by setting two registry values:
"Software\Microsoft\Office\10.0\Word\Security\Level" to 1, and
"Software\Microsoft\Office\10.0\Word\Security\AccessVBOM" to 1
The VB script simply executes an export of the dll called "plljlt", declared as follows:
Declare Function plljlt Lib "DLL_PATH" (ByVal s As String) As Long
where DLL_PATH is the path of the dll in %USERPROFILE%\Local Settings\Temp.
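The following is an added triage example (not BitDefender's code) that checks the host-side indicators listed above: the Winlogon Shell value carrying a rundll32 invocation, and the Word security values set to 1. Registry values are passed in as a plain dict so the checks run offline; the two sample dicts are constructed to mirror the description. On an affected host a collector would read the same paths with winreg, which is the only assumption beyond what the page states.

```python
"""Triage checks for the Trojan.Sasfis.A host indicators described above.

Added example, not BitDefender's code. Registry data is supplied as a dict
(constructed samples below) so the logic runs offline; a real collector would
read the same paths with winreg on the affected host.
"""
import re

# Expected Winlogon shell on a clean Windows install.
CLEAN_SHELL = "explorer.exe"

WINLOGON_SHELL = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"

# Office 10.0 = Word 2002. Level 1 = Low (macros run without prompting);
# AccessVBOM 1 = programmatic access to the VBA project is trusted.
OFFICE_LEVEL = r"Software\Microsoft\Office\10.0\Word\Security\Level"
OFFICE_ACCESSVBOM = r"Software\Microsoft\Office\10.0\Word\Security\AccessVBOM"

# Loader pattern from the description: rundll32.exe <dll> <export>
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(\S+)\s+(\S+)", re.IGNORECASE)


def check_winlogon_shell(value):
    """Return findings for a Winlogon Shell value.

    A clean value is exactly "explorer.exe". Sasfis appends a rundll32
    invocation of its dropped DLL, so any entry other than explorer.exe is
    reported, and each rundll32 invocation is broken out into dll + export.
    """
    findings = []
    parts = [p.strip() for p in value.split(",") if p.strip()]
    extra = [p for p in parts if p.lower() != CLEAN_SHELL]
    if extra:
        findings.append(f"Winlogon Shell has unexpected entries: {extra}")
    for m in RUNDLL_RE.finditer(value):
        findings.append(f"rundll32 persistence: dll={m.group(1)} export={m.group(2)}")
    return findings


def check_office_macro_security(values):
    """Flag Word settings that let a macro run and touch the VBA project silently."""
    findings = []
    if values.get(OFFICE_LEVEL) == 1:
        findings.append("Word macro security Level=1 (Low): macros run without a prompt")
    if values.get(OFFICE_ACCESSVBOM) == 1:
        findings.append("Word AccessVBOM=1: programmatic access to the VBA project enabled")
    return findings


def triage(values):
    """Run every check over a dict of {registry path: data} and collect findings."""
    findings = []
    shell = values.get(WINLOGON_SHELL)
    if shell is not None:
        findings.extend(check_winlogon_shell(shell))
    findings.extend(check_office_macro_security(values))
    return findings


# Constructed samples: one mirroring the indicators above, one clean.
SAMPLE_INFECTED = {
    WINLOGON_SHELL: "explorer.exe, rundll32.exe ifmq.kqo bmhyn",
    OFFICE_LEVEL: 1,
    OFFICE_ACCESSVBOM: 1,
}
SAMPLE_CLEAN = {
    WINLOGON_SHELL: "explorer.exe",
    OFFICE_LEVEL: 3,  # High
    OFFICE_ACCESSVBOM: 0,
}

if __name__ == "__main__":
    for name, sample in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(name, triage(sample) or ["no findings"])
```

The Shell check deliberately reports any entry besides explorer.exe rather than matching the specific file name ifmq.kqo, since the dropped name is random-looking and will differ between samples; the rundll32 breakdown then tells the analyst which DLL and export to collect.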
Trojan.Sasfis.A connects to 193.[removed].91 over HTTP in order to update itself and request additional downloads.
A typical full url is "http://193.[removed].91/limpopo/bb.php?id=975407403&v=200&tm=31&b=300"
It contains, among other things, a malware version number and an installation identifier.
The server may respond with "[info]delay:45|upd:0|backurls:[/info]" which means that there are no pending updates and no additional files to download.
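As an added example (not BitDefender's code), the parser below extracts the check-in fields from URLs of the form shown above and decodes the "[info]...[/info]" reply, so a defender can pick Sasfis beacons out of proxy logs and tell an idle reply from one carrying an update. The server address 192.0.2.10 and the proxy log lines are constructed placeholders; the real address is not reproduced here.

```python
"""Parse the Trojan.Sasfis.A check-in URL and server reply described above.

Added example, not BitDefender's code. The server address (192.0.2.10) and
the proxy log lines are constructed placeholders.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Check-in path from the description: /limpopo/bb.php?id=...&v=...&tm=...&b=...
CHECKIN_RE = re.compile(r"/limpopo/bb\.php\?", re.IGNORECASE)
# Reply format from the description: [info]delay:45|upd:0|backurls:[/info]
INFO_RE = re.compile(r"\[info\](.*?)\[/info\]", re.DOTALL)


def parse_checkin_url(url):
    """Return the query fields of a check-in URL, or None if the path does not match."""
    if not CHECKIN_RE.search(url):
        return None
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in qs.items()}


def parse_info_reply(body):
    """Parse a "[info]key:value|key:value[/info]" reply into a dict.

    An empty value (backurls: followed by nothing) comes back as "", which
    per the description means there is nothing further to download.
    """
    m = INFO_RE.search(body)
    if not m:
        return None
    fields = {}
    for item in m.group(1).split("|"):
        if ":" not in item:
            continue
        key, value = item.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields


def has_pending_tasks(fields):
    """True when the reply announces an update or extra download URLs."""
    return fields.get("upd", "0") != "0" or bool(fields.get("backurls", ""))


# Constructed proxy log lines: "<client> <method> <url>"
SAMPLE_LOG = """\
10.0.0.5 GET http://192.0.2.10/limpopo/bb.php?id=975407403&v=200&tm=31&b=300
10.0.0.7 GET http://www.example.com/index.html
10.0.0.9 GET http://192.0.2.10/limpopo/bb.php?id=123456789&v=200&tm=31&b=300
"""


def find_checkins(log_text):
    """Return (client, fields) for every log line that carries a check-in URL."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        fields = parse_checkin_url(parts[2])
        if fields:
            hits.append((parts[0], fields))
    return hits


if __name__ == "__main__":
    for client, fields in find_checkins(SAMPLE_LOG):
        print(client, "install id", fields.get("id"), "version", fields.get("v"))
    reply = parse_info_reply("[info]delay:45|upd:0|backurls:[/info]")
    print(reply, "pending:", has_pending_tasks(reply))
```

The id field is what ties multiple beacons to one installation, so grouping hits by id rather than by client address is the more useful pivot when several hosts sit behind the same proxy.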