Trojan.Sysbug.A

LOW
MEDIUM
11808 (25 KB when unpacked)

Symptoms

- the file sysdeb32.exe in the Windows folder;
- the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemDebug pointing to that file;
- file temp35.txt in C:\ and file svc.sav in the Windows folder.

Removal instructions:

Manual Removal
Remove the registry entry specified in the Symptoms section; restart the computer and delete the files specified there.

Automatic Removal
Let BitDefender delete infected files.

Analyzed By

Bogdan Dragu BitDefender Virus Researcher

Technical Description:

This backdoor is compiled with LCC and packed with UPX; it sends information to a remote site and allows that site to specify the location of a file to download and execute; it also allows connections to the computer on port 5555. It does not self-replicate (it is not a virus).

When run, it will copy itself as sysdeb32.exe in the Windows folder and create the registry entry HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemDebug so that the backdoor is run at Windows start-up. It will continue execution from that location.

It calls the RegisterServiceProcess function to hide itself from the task list on Windows 9x systems.

It prepares information about the dial-up connections, email accounts, Windows version, user etc. in c:\temp35.txt; it will store some hashes for this information in svc.sav in the Windows folder.

A (hidden) window is created and a timer message is sent to it every 5 seconds; upon receiving it, the backdoor checks to see if the computer is connected to the Internet (by trying to resolve "www.kernel.org" to an IP); if it is, the backdoor will communicate with finance.red-host.com to:

- get the URL of a file to download and execute from finance.red-host.com/events.php (the following data is sent: a unique ID based on the process ID and the tick count, the IP, the connection speed - the time needed to connect to www.kernel.org and exchange some data with this site - and the number of times the timer message has been received);

- post the information in c:\temp35.txt to finance.red-host.com/showinfo.php (if successful, the backdoor will wait for 3 minutes before looping again).

A thread is used to listen to incoming connections on TCP port 5555; for each client that connects, an additional thread is used to exchange information with it; based on this information, the backdoor may connect to the client's specified IP and port.
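A host check for the symptoms listed above, as an added example written for this page (it is not a Bitdefender tool): it looks for the SystemDebug Run value, the three dropped files and a listener on TCP port 5555, and with -Remove applies the manual removal steps. It assumes a Windows version where Get-NetTCPConnection exists (Windows 8 / Server 2012 or later) and that it is run from an elevated prompt.

```powershell
# Added example for Trojan.Sysbug.A indicators; not Bitdefender code.
[CmdletBinding()]
param([switch]$Remove)

$windir    = $env:SystemRoot
$runKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'SystemDebug'
$files     = @(
    (Join-Path $windir 'sysdeb32.exe'),   # copy of the backdoor
    (Join-Path $windir 'svc.sav'),        # hashes of the collected data
    'C:\temp35.txt'                       # collected system/account information
)
$findings = @()

# 1. Persistence: Run value named SystemDebug (normally points at sysdeb32.exe)
$run = Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue
if ($run) { $findings += "Run value ${valueName} = $($run.$valueName)" }

# 2. Dropped files
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

# 3. Backdoor listener on TCP 5555 and the process that owns it
$lsn = Get-NetTCPConnection -LocalPort 5555 -State Listen -ErrorAction SilentlyContinue |
       Select-Object -First 1
if ($lsn) {
    $p = Get-Process -Id $lsn.OwningProcess -ErrorAction SilentlyContinue
    $findings += "TCP 5555 listening, owner: $($p.ProcessName) (PID $($lsn.OwningProcess))"
}

if (-not $findings) { Write-Output 'No Trojan.Sysbug.A indicators found.'; return }
$findings | ForEach-Object { Write-Output "[!] $_" }

if ($Remove) {
    # Manual removal as described above: delete the Run value first so the backdoor
    # is not restarted, then delete the files. sysdeb32.exe stays locked while the
    # backdoor runs, so a failed delete means: reboot and run this script again.
    if ($run) { Remove-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue }
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) {
            try   { Remove-Item -LiteralPath $f -Force -ErrorAction Stop; Write-Output "Deleted $f" }
            catch { Write-Output "Could not delete $f (in use?): restart the computer and rerun." }
        }
    }
}
```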