My Bitdefender
  • 0 Shopping Cart


Facebook Twitter Google Plus


~19 KB


1. "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell" contains the string
"rundll32.exe ifmq.kqo bmhyn"

2. The presence of a 27KB dll file with 4 random-looking exports (bmhyn, nhccck, ocqbk, plljlt) at
"%USERPROFILE%\Local Settings\Temp\[random digits].tmp" and  "%SYSTEM%\ifmq.kqo"

3. The dll file mentioned above is injected in an instance of svchost.exe

4. MS Word's macro security level is set to low, i.e.
"Software\Microsoft\Office\10.0\Word\Security\Level" = 1
"Software\Microsoft\Office\10.0\Word\Security\AccessVBOM" = 1

5. "HKEY_CLASSES_ROOT\idid\url0" has a binary value

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Horea Coroiu, virus researcher

Technical Description:

Trojan.Sasfis.A is a dropper distributed as an e-mail attachment called
A mail sample follows:

    Dear Facebook user,

    Due to Facebook policy changes, all Facebook users must submit a new, updated account agreement,
    regardless of   their original account start date.
    Accounts that do not submit the updated account agreement by the deadline will have restricted.

    Please unzip the attached file and run “agreement.exe” by double-clicking it.

    The Facebook Team

When executed, it drops a dll file to two locations:
1. %USERPROFILE%\Local Settings\Temp\[random digits].tmp
2. %SYSTEM%\ifmq.kqo

The dll is injected in a new instance of svchost.exe and scheduled to run with an Asynchronous Procedure Call (APC).

It is also added to the system startup by appending the string "rundll32.exe ifmq.kqo bmhyn" to the registry key
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"

If a MS Office installation is detected, the malware will try to run a VB script with OLE automation in the context of MS Word's process. Macro execution is enabled by setting two registry keys:
"Software\Microsoft\Office\10.0\Word\Security\Level" to 1, and
"Software\Microsoft\Office\10.0\Word\Security\AccessVBOM" to 1

The VB script simply executes an export of the dll called "plljlt":
Declare Function plljlt Lib "DLL_PATH"(ByVal s AS String) As Long
Where DLL_PATH is the path of the dll in %USERPROFILE%\Local Settings\Temp

Trojan.Sasfis.A connects to 193.[removed].91 over HTTP in order to update itself and request additional downloads.
A typical full url is "http://193.[removed].91/limpopo/bb.php?id=975407403&v=200&tm=31&b=300"
It contains, among other things a malware version number and an installation identifier.
The server may respond with "[info]delay:45|upd:0|backurls:[/info]" which means that there are no pending updates and no additional files to download.