
Threat Brief for Trojan.Sasfis

Created: 12 Jul 2010 02:27:43 GMT • Updated: 23 Jan 2014 18:26:37 GMT • Translations available: 日本語
Symantec Security Response

Trojan.Sasfis is not new, having been around since early this year, but we have recently noticed an increase in submission volume. The threat has been taking a fairly consistent approach to compromising computers, mainly in the form of attachments to emails sent out through spam campaigns that use not-so-fancy names such as Amazon_Tracking_Number_N[RANDOM NUMBER][LONG SPACE]DOC.exe and iTunes_certificate[RANDOM NUMBER].exe. The latest Trojan.Sasfis email attachments include Changelog_[DAY]_[MONTH]_2010.zip and Changelog_[DAY]_[MONTH].2010.PDF.zip. The two .zip files contain what appear to be a .doc and a .pdf file respectively, but those files are actually executables: the real .exe extension comes after a very long run of spaces following the .doc/.pdf part of the name, so a casual glance at the filename shows only the decoy extension.
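The padded-filename trick above is easy to check for mechanically at a mail gateway or in an attachment scanner. The following is an added example written for this brief, not Symantec's code: it takes an attachment filename, finds the real (final) extension the way Windows would, looks for a long whitespace run and for a decoy document extension in front of the real one, and returns a verdict. The extension lists, the 5-character padding threshold, and the sample filenames (modelled on the lure patterns described above) are all assumptions to tune for your own environment.

```python
"""Flag mail attachments whose filename hides an executable extension.

Added example, not Symantec's code. Lure names are constructed after the
patterns in the brief; extension lists and thresholds are assumptions.
"""
import re

# Extensions a gateway should treat as directly executable (assumption: extend for your environment).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js"}
# Document extensions the Sasfis lures impersonated, plus a few common ones.
DOCUMENT_EXTENSIONS = ("pdf", "doc", "docx", "xls", "txt", "rtf")

# A run of 5 or more spacing characters (ASCII and common Unicode spaces) inside a
# filename: long enough to push the real extension out of a mail client's view.
# The threshold is an assumption.
PAD_RUN = re.compile(r"[ \t\u00a0\u2000-\u200b\u3000]{5,}")

# A document extension at the very end of the stem, preceded by '.', '_', '-' or
# whitespace, e.g. '...2010.PDF<spaces>' or '...N4417<spaces>DOC'.
DECOY_EXT = re.compile(
    r"(?:^|[.\s_-])(" + "|".join(DOCUMENT_EXTENSIONS) + r")\s*$", re.IGNORECASE
)

VERDICT_RANK = {"allow": 0, "review": 1, "block": 2}


def split_name(name):
    """Return (stem, real_extension). The real extension is whatever follows the
    LAST dot, ignoring whitespace around it; that is what the OS will execute."""
    trimmed = name.rstrip()
    if "." not in trimmed:
        return trimmed, ""
    stem, ext = trimmed.rsplit(".", 1)
    return stem, ext.strip().lower()


def classify(name):
    """Classify one attachment filename; returns (verdict, reasons)."""
    reasons = []
    stem, real_ext = split_name(name)

    pad = PAD_RUN.search(name)
    if pad:
        reasons.append(f"{len(pad.group(0))}-character whitespace run inside the filename")

    decoy = DECOY_EXT.search(stem)
    if decoy:
        reasons.append(f"decoy document extension '{decoy.group(1)}' before the real extension")

    if real_ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"real extension .{real_ext} is executable")
        return "block", reasons

    # Padding or a decoy extension on a non-executable is still odd enough to review.
    if reasons:
        return "review", reasons
    return "allow", reasons


def classify_members(member_names):
    """Worst verdict over the members of an archive (the Changelog_*.zip lures
    carried the disguised executable inside the archive)."""
    results = [classify(n) for n in member_names]
    worst = max(results, key=lambda r: VERDICT_RANK[r[0]])
    return worst[0], [reason for _, rs in results for reason in rs]


# Constructed filenames modelled on the lure patterns in the brief.
SAMPLES = {
    "Changelog_12_07.2010.PDF" + " " * 40 + ".exe": "block",
    "Amazon_Tracking_Number_N4417" + " " * 40 + "DOC.exe": "block",
    "iTunes_certificate8831.exe": "block",
    "invoice.pdf.exe": "block",
    "quarterly_report.pdf": "allow",
    "notes" + " " * 8 + "final.txt": "review",
}

if __name__ == "__main__":
    for fname, expected in SAMPLES.items():
        verdict, reasons = classify(fname)
        assert verdict == expected, (fname, verdict)
        print(f"{verdict:6} {fname!r}: {'; '.join(reasons) or 'no findings'}")
```

Two design points: the real extension is taken from the last dot after trimming trailing whitespace, because that is what the operating system uses, regardless of what a truncated display shows; and archive members are classified individually, since both Changelog lures hid the executable inside a .zip rather than attaching it directly.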

Here are some example emails:

Trojan.Sasfis is essentially a back door Trojan that performs various actions when it receives commands from a malicious host. Downloading and installing misleading applications is the most common of these that we have observed to date.

Here is an example of a misleading application Sasfis attempted to install:

If there really were this many threats running on the compromised computer, it would no doubt run extremely slowly. Interestingly, it does, but not because the computer is infected by all these threats, which of course it isn’t. As the next screenshot shows, when the misleading application is running (as the process “setup715newver0015.exe”) it consumes 94% of CPU resources. No wonder the computer is slow!

To disguise itself as a legitimate application, Trojan.Sasfis injects itself into common processes such as iexplore.exe and svchost.exe. Running inside processes that are already trusted to communicate gives it the cloaking it needs to get its traffic past a firewall.

So our advice is, as always, don’t open attachments unless you are absolutely sure who they are from and what they are.

Further details can be found in our Trojan.Sasfis writeup.