F-Secure Virus Descriptions : Zasil.B
| NAME: | Zasil.B |
| ALIAS: | Windows-Update, Critical Security Hole, Windows Update |
The Zasil.B trojan downloader appeared on the 25th of June 2003. The
following e-mail message was sent to a large number of people:
Subject:
IMPORTANT!! Critical security hole in Windows!
Body:
Dear Windows User!
New Windows 9x/2000/NT/XP critical patch has been released.
Due to security problems, your system needs to be updated as earlier as
possible.
You can download an update patch on Windows Update site:
http://www.windows-update.com
Best regards,
Windows Update Group
When a recipient clicks on the provided link, the browser
connects to the fake Windows Update site and downloads and runs
a file named UPDATE0932.EXE. That file is the downloader known as
Zasil.B. The downloader connects to another website and fetches
the file RQ.TXT, a plain text file that contains a link to another
executable. According to reports, RQ.TXT originally pointed to
WINPWR32.EXE, an installation package containing a number of
hacker tools and IRC trojans. The contents of RQ.TXT were later
changed: at the time of writing this description, the file points to
SVSGHOST.EXE, an IRC backdoor (a hacker's remote access tool).
Zasil.B reads the link in RQ.TXT, then downloads and runs the
backdoor file it points to. As a result, the user's computer
becomes infected.
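The infection chain above (lookalike update site, UPDATE0932.EXE, pointer file RQ.TXT, then the payload executable) leaves a recognisable trail in web proxy logs. The following is an added example, not part of the F-Secure description, that flags the indicators named on this page and the general pointer-then-payload pattern; the log format, the client addresses and the stage2/payload host names are constructed assumptions, since the description does not name the hosts serving RQ.TXT or the final executable.

```python
import re
from collections import defaultdict
from datetime import datetime
# Stage file names from the description above; the log format is an assumption: "YYYY-MM-DD HH:MM:SS client GET url"
STAGE_FILES = {"UPDATE0932.EXE", "RQ.TXT", "WINPWR32.EXE", "SVSGHOST.EXE"}
LOG_RE = re.compile(r"^(\S+ \S+) (\S+) GET (?:https?://)?([^/\s]+)(/\S*)?")

def parse_line(line):
    """Return (timestamp, client, host, upper-cased file name), or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    fname = (m.group(4) or "/").rsplit("/", 1)[-1].upper()
    return ts, m.group(2), m.group(3).lower(), fname

def find_zasil_activity(lines, window_seconds=600):
    """Return {client: [finding, ...]} for the named indicators and the two-stage pattern."""
    findings, per_client = defaultdict(list), defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, host, fname = rec
        per_client[client].append((ts, host, fname))
        # "windows update" in a host name outside microsoft.com, e.g. www.windows-update.com
        if "windowsupdate" in host.replace("-", "") and not host.endswith("microsoft.com"):
            findings[client].append(f"lookalike update site {host}")
        if fname in STAGE_FILES:
            findings[client].append(f"known stage file {fname} from {host}")
    # Downloader pattern: a .TXT pointer fetched, then an .EXE from a different host within the window
    for client, reqs in per_client.items():
        reqs.sort()
        for i, (t1, h1, f1) in enumerate(reqs):
            if not f1.endswith(".TXT"):
                continue
            for t2, h2, f2 in reqs[i + 1:]:
                if (t2 - t1).total_seconds() > window_seconds:
                    break
                if f2.endswith(".EXE") and h2 != h1:
                    findings[client].append(f"pointer-then-payload: {f1} from {h1} then {f2} from {h2}")
    return dict(findings)

# Constructed sample proxy log (not real traffic); the stage2/payload hosts are placeholders
SAMPLE_LOG = [
    "2003-06-25 10:00:01 10.0.0.5 GET http://www.windows-update.com/UPDATE0932.EXE",
    "2003-06-25 10:00:09 10.0.0.5 GET http://stage2.example.net/RQ.TXT",
    "2003-06-25 10:00:12 10.0.0.5 GET http://payload.example.org/SVSGHOST.EXE",
    "2003-06-25 10:01:00 10.0.0.7 GET http://windowsupdate.microsoft.com/default.htm",
]
```

The pointer-then-payload check is deliberately broader than the named file names, so a changed RQ.TXT link (as the description reports happened) is still caught by the behaviour rather than by the name.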
F-Secure Anti-Virus detects the backdoor generically as
'Backdoor.SdBot.gen' with the latest updates. Detection for the
Zasil.B downloader will be added shortly.
[Description: F-Secure Anti-Virus Research Team; F-Secure Corp.; June 25th, 2003]