F-Secure Malware Information Pages: Saburex.A

Summary
Saburex.A copies itself to the Windows folder and outputs a message.

Disinfection
Automatic Disinfection
Usually viruses infecting boot sectors and executable files are automatically disinfected by F-Secure Anti-Virus (FSAV). In some cases, when automatic disinfection is not possible because the file is corrupted or the virus overwrites its host, the user can select the disinfection action so that FSAV renames or deletes the infected file. In some special cases, it is recommended to use the specific disinfection tools provided by F-Secure. They can be downloaded from our web or ftp sites:
http://www.f-secure.com/download-purchase/tools.shtml
ftp://ftp.f-secure.com/anti-virus/tools/
F-Secure Anti-Virus can be purchased from our webshop or from our authorized distributors. A trial version of F-Secure Anti-Virus, limited to 30 days, can be downloaded from our website:
http://www.f-secure.com/download-purchase/
All the latest versions of FSAV can download the anti-virus database updates automatically. However, these updates can also be downloaded and installed manually from our web or ftp sites:
http://www.f-secure.com/download-purchase/updates.shtml
Manual Disinfection
It is not recommended to manually disinfect files and boot sectors, as this can damage the system and make it unbootable.
System Restore issues and file viruses
If Windows ME or XP is used, it is recommended to disable the System Restore feature of these operating systems to prevent the computer from being re-infected by an already removed malware. The System Restore feature of these operating systems may save an infected file into a special folder and copy it back to the hard drive every time the file is renamed or deleted by F-Secure Anti-Virus or by the user. Instructions on how to disable System Restore are available here:
Windows ME:
http://www.europe.f-secure.com/v-descs/sfc_dis.shtml
Windows XP:
http://www.europe.f-secure.com/v-descs/sfc_dis1.shtml
It is recommended to re-enable System Restore after disinfection in order to be able to restore a stable system configuration in case any crash or incompatibility issue occurs in the future.

Detailed Description
Once an executable file is infected by Saburex.A, it drops its DLL component into the temporary folder as:
- [Random Incremental Number].tmp
It is then executed using Microsoft rundll32:
- rundll32 %temp%\[Random Incremental Number].tmp,a [Path and Filename of Infected Executable]
In some instances the malware's DLL component fails to execute because of Windows memory protection; in that case an error message will probably appear.
Sample screenshot:

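The launch command above (a numerically named .tmp DLL in the temporary folder invoked through rundll32 with the export name "a" and the infected executable's path as argument) is distinctive enough to hunt for in process-creation telemetry. The following is an added detection example written for this page, not F-Secure's code; the command lines it scans are constructed samples, and the pattern assumes the numeric .tmp name and the "a" export exactly as described above.

```python
import re
from typing import Dict, List, Optional

# Constructed sample process command lines (not from the original page).
# The first three mimic the launch pattern described above; the rest are
# ordinary rundll32 invocations that the rule must not flag.
SAMPLE_CMDLINES = [
    r"rundll32 C:\DOCUME~1\user\LOCALS~1\Temp\12.tmp,a C:\Tools\putty.exe",
    r'rundll32.exe "C:\Users\user\AppData\Local\Temp\347.tmp",a "C:\Program Files\App\app.exe"',
    r"rundll32 %temp%\5.tmp,a C:\games\solitaire.exe",
    r"rundll32 shell32.dll,Control_RunDLL",
    r"rundll32 C:\Windows\Temp\report.dll,Start",
    r"rundll32 C:\Users\user\AppData\Local\Temp\setup.tmp,a C:\x.exe",
]

# rundll32 <temp dir>\<digits>.tmp,a <host executable>
# The all-numeric .tmp name plus the "a" export are what tie this rule to the
# behaviour described above; a plain "rundll32 loading from %temp%" rule
# would be far noisier.
LAUNCH_RE = re.compile(
    r"""^\s*rundll32(?:\.exe)?\s+"?
        (?P<dll>(?:[^",]*?\\temp|%temp%)\\(?P<num>\d+)\.tmp)"?
        \s*,\s*a\b\s*"?(?P<host>[^"]+?)"?\s*$""",
    re.IGNORECASE | re.VERBOSE,
)


def match_launch(cmdline: str) -> Optional[Dict[str, str]]:
    """Return the DLL path, its numeric name and the host executable when the
    command line matches the launch pattern, otherwise None."""
    m = LAUNCH_RE.match(cmdline)
    if not m:
        return None
    return {
        "dll": m.group("dll"),
        "num": m.group("num"),
        "host": m.group("host").strip(),
    }


def scan(cmdlines: List[str]) -> List[Dict[str, str]]:
    """Apply the rule to a batch of command lines and keep only the hits."""
    return [hit for hit in map(match_launch, cmdlines) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_CMDLINES):
        print(f"suspect launch: dll={hit['dll']} host={hit['host']}")
```

The host path in each hit is the file to quarantine and rescan, since it is the executable the DLL was launched to infect.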
Once the DLL has been executed properly, it drops a copy of itself into the Windows system directory:
If the executed copy is not one of the dropped filenames, it deletes the executed copy with the help of a temporary batch file created in the temporary folder as:
As a launch point, Saburex.A adds the following registry entry:
- HKEY_CLASSES_ROOT\Software\Classes\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32
@ = shell32.dll @ = ole16.dll
Saburex.A checks the following event name to ensure that only one instance of its DLL component is running in memory:
Saburex.A starts looking for files by randomly checking for logical drives until it matches the following drive type:
Saburex.A will start searching for files from the root directory using the following wildcard:
Saburex.A avoids directory or files starting with the following strings:
- _restore
- documents and
- music
- program files
- win
Saburex.A only infects files with the following extension:
Saburex.A only infects files larger than 80000 hex (524,288) bytes. The file size check is performed several times.
Saburex.A overwrites a block in the first section of the host file and hides the original block by appending it to the end of the last section together with its virus code.
It creates several temporary files in the root directory as well as in the system's designated temporary folder. These files contain virus code fragments and host file code, and are used to assemble the newly infected files. File infection is performed using the Microsoft Cabinet (Cab) APIs.
Saburex.A encrypts its strings using a simple XOR routine.

Detection
F-Secure Anti-Virus detects this malware with the following updates: [FSAV_Database_Version] Version = 2006-12-10_01.

F-Secure Corporation

Last Modified: December 13, 2006