Abs.Net web Page

Share Your Knowledge, Build your Network..

New Backdoor Virus, Backdoor Syzoor

Posted by Hari Saryono on 8 March 2009


If your antivirus suddenly refuse to run, beware, maybe you got Backdoor Syzoor in your system.

This Backdoor virus is not easily described by it’s name, because the file they created random file name, but if you found vgbj33obieu.sys (84,992 bytes), surely you got backdoor syzoor in your system.

 

Virus Characteristic:

Although your system look well, there’s some indication which can lead to infection of this virus:

  1. Your antivirus is disabled (This backdoor disables AVG, Avira, CA, Outpost, Kaspersky, and Windows Defender security products and also disables Windows Firewall by sending malformed messages to its windows ). So you’ll got a message telling that you got virus in your system.
  2. Your start-up autorun suddenly gone (start-up autorun : file that run automatically when windows load at first time)
  3. Existence weird file name in your c:/windows/system32/drivers. It’s name is RANDOM, but some of them may looks like this:
  • 1exqbgstpnq.sys
  • 1glhvbohoog.sys
  • 2hfeti63bxi.sys
  • 6ysrvyxxnaa.sys
  • dwoivfqybc6.sys
  • ledour1yei3.sys
  • no3kkjcgtts.sys
  • sazecyfk1mg.sys
  • ub6owr1pvlu.sys
  • vgbj33obieu.sys

What This backdoor do?

  1. Attempts to exploit MS vulnerability (MS08-066) that will allow the attacker to gain Administrator privileges.

    This backdoor checks if the current users has Administrator previledges. If the user has no Admin right, this backdoor attempts to exploit MS vulnerability (MS08-066) that will allow the attacker to gain Administrator privileges.

  2. Password-stealing capabilities and can log keystrokes of the system.

    Once running, the hacker is able to perform various tasks, including:

    • retrieve confidential information
    • steal account information from different applications
    • takes snapshot of the system
    • send and/or upload stolen information
    • uninstall application and other malware
    • download and executes other malware locally
    • terminate processes
    • keylogging
    • update itself

    Confidential Information includes the following:

    • system information such as OS installed, useranme, and other global information
    • network information such as netstats, netusers, ip addresses
    • installed applications
    • visited websites and cookies

    Application includes

    • Outlook Express, SMTP, POP3, and IMAP
    • FlashFXP, RimArts, WinProxy, WinAppsPlanet
    • WindowsLive,WebDrive, America Online
    • Google Talk, Google Desktop, Poppy for Windows
  3. Removes other backdoor and other trojans installed in the system.

    It terminates processes and deletes files that contains the following strings:

      • Penis32.exe
      • teekids.exe
      • Microsoft Inet Xp
      • MSBLAST.exe
      • windows auto update
      • mscvb32.exe
      • System MScvb
      • sysinfo.exe
      • PandaAVEngine       
      • taskmon
  4. Disable security related products.
  5. It connects to the following sites:
    1. http://update-product.net
    2. http://updb-update.com
  6. False Alarming
    1. This backdoor tries to identify possible malicious SYS files found in %Windir%/system32/drivers folder and attempts to delete it. Doing so may also delete normal SYS files.

Bad news, isn’t it. Imagine if your bank account password were steal by this virus!

Checking your system :

I recommend  Total Commander to search in your system. Here’s the steps to do so:

  1. Open Total Commander
  2. Do search in your c:/. (see image 1)
  3. In advanced tab, specify file size =84,992 bytes (see image 2)
  4. Start search
  5. If search result is exist, push feed to listbox button. Inspect the file name found, is it has weird name like I describe before. You can just spying this file content by applying CTRL+Q command or go to tab : show/quick view panel.
  6. In my case, no such file found, but in image 3 you can see such result when I applying Quick View. Check the file content if you can find some interesting string which lead to virus identification (I don’t have any virus sample, so I can’t tell you what this virus looks like)

 

How to Remove it

As I said before, i don’t have any virus sample, but according to what I’ve read, here’s the step I suggest to remove it manually (Do for your own risk)

  1. Unplug your LAN Cable
  2. Ctrl+Alt+Delete to show your task manager
  3. Search weird process name like you’ve found in above step (for example : vgbj33obieu?)
  4. Kill this process
  5. Open your Total Commander again, and then go to c:/windows/system32/driver/ where this file exist
  6. Delete this file ( in this example vgbj33obieu.sys)
  7. Open your registry using start/run/ and type : regedit
  8. Push CTRL +F, search vgbj33obieu. Delete every occurence of this string (there’s more than 10 occurence. Use F3 to do so
  9. Download antivirus or update your antivirus. I recommend AVIRA or Kaspersky
  10. Restart your computer

References :

  1. http://blogs.techrepublic.com.com/security/?p=960
  2. http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=215800583&cid=RSSfeed
  3. http://vil.nai.com/vil/content/v_153801.htm

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: