
Trojan.Sasfis

Risk Level 1: Very Low

Discovered: February 2, 2010
Updated: January 20, 2012 12:28:26 PM
Also Known As: W32/Oficla.AE [F-Secure], Backdoor.Win32.Bredavi.he [Kaspersky], Trojan.Win32.Agent.daec [Kaspersky]
Type: Trojan
Infection Length: 19,456 bytes
Systems Affected: Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP

Trojan.Sasfis is a Trojan horse that opens a back door on the compromised computer.

The Trojan may arrive as a spammed email. Once executed, it injects itself into processes running on the computer so that it can operate stealthily. It may then download more files on to the compromised computer.


Infection

Trojan.Sasfis typically arrives on the computer through one of the following methods:
  • Spam email
  • Drive-by downloads

Spam email is one of the primary infection methods used to distribute this threat. The emails used to spread this threat commonly use social engineering to mislead the user into opening, and unknowingly executing, the attachment.

The following topics have been observed in past campaigns:
  • Changelogs
  • Fees

A drive-by download may occur when a user visits a website that has been rigged to contain a number of exploits. The exploits cause malware to be downloaded onto the user's computer without his or her consent.


Functionality
Trojan.Sasfis may use Microsoft Word to execute itself, and it also injects itself into legitimate processes on the computer in order to avoid detection. After the Trojan has been installed on the compromised computer, it connects to a command and control (C&C) server to register itself as a bot. The Trojan then awaits instructions from the C&C server, which are typically to download additional files and malware onto the computer.
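One way a defender can look for the delivery chain this section and the summary above describe (a spammed attachment opened in Microsoft Word that ends up launching an executable, which then moves into legitimate processes), as an added example that is not Symantec's code and is not taken from the threat itself: a small Python scan over process-creation events that flags an Office application launching an executable from a user-writable location and then lists everything that executable went on to spawn. The event fields, the Office-application and path lists, and the sample events are all assumptions constructed for this example.

```python
"""
Added detection example (not Symantec's code and not derived from this
threat's actual telemetry): flag an Office application launching an executable
from a user-writable directory, then list what that executable spawned.
Event shape, field names and the lists below are assumptions for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Office applications whose children deserve scrutiny (assumption: the usual
# attachment viewers; extend to match the environment).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Path fragments that indicate a user-writable location an attachment could be
# dropped into (compared lower-case, backslash-normalised).
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\temp\\")


@dataclass(frozen=True)
class ProcEvent:
    """A minimal process-creation record in a Sysmon-like shape (constructed)."""
    pid: int
    ppid: int
    image: str         # full path of the newly created process
    parent_image: str  # full path of the parent process


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_user_writable(path: str) -> bool:
    norm = path.replace("/", "\\").lower()
    return any(marker in norm for marker in USER_WRITABLE_MARKERS)


def suspicious_office_children(events: List[ProcEvent]) -> List[ProcEvent]:
    """Events where an Office application spawned an executable that lives in a
    user-writable directory. Word launching a helper from C:\\Windows (printing,
    for example) is deliberately not flagged, to keep the rule precise."""
    return [
        ev for ev in events
        if _basename(ev.parent_image) in OFFICE_PARENTS and _in_user_writable(ev.image)
    ]


def descendants_of(events: List[ProcEvent], root_pid: int) -> List[int]:
    """PIDs of every process created, directly or indirectly, by root_pid.
    The dropped file is rarely the end of the chain: the writeup notes the
    Trojan moves into legitimate processes to operate stealthily."""
    by_parent: Dict[int, List[ProcEvent]] = {}
    for ev in events:
        by_parent.setdefault(ev.ppid, []).append(ev)
    found: List[int] = []
    stack = [root_pid]
    while stack:
        pid = stack.pop()
        for child in by_parent.get(pid, []):
            found.append(child.pid)
            stack.append(child.pid)
    return found


def report(events: List[ProcEvent]) -> List[Tuple[int, str, List[int]]]:
    """(pid, image, descendant pids) for each suspicious Office child."""
    return [(ev.pid, ev.image, descendants_of(events, ev.pid))
            for ev in suspicious_office_children(events)]


# Constructed sample events (not real data from this threat). The chain
# explorer -> WINWORD -> changelog.exe -> svchost.exe mirrors the writeup's
# "Changelogs" lure and the Trojan's move into a legitimate process.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", r"C:\Windows\System32\userinit.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\WINWORD.EXE", r"C:\Windows\explorer.exe"),
    ProcEvent(300, 200, r"C:\Users\alice\AppData\Local\Temp\changelog.exe",
              r"C:\Program Files\Microsoft Office\WINWORD.EXE"),
    ProcEvent(400, 300, r"C:\Windows\System32\svchost.exe",
              r"C:\Users\alice\AppData\Local\Temp\changelog.exe"),
    ProcEvent(500, 100, r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe"),
    # Benign: Word launching the print helper from a system directory.
    ProcEvent(600, 200, r"C:\Windows\splwow64.exe", r"C:\Program Files\Microsoft Office\WINWORD.EXE"),
]

if __name__ == "__main__":
    for pid, image, kids in report(SAMPLE_EVENTS):
        print(f"office-spawned executable pid={pid} image={image} descendants={kids}")
```

On the constructed sample, only the Temp-dir `changelog.exe` launched by WINWORD is reported, together with the `svchost.exe` it started; the print helper Word launched from a system directory is left alone. In a real deployment the parent/child lineage would come from the endpoint's process-creation telemetry, and the injection step itself, which creates no new process, would need a separate signal such as unexpected network activity from the legitimate process that was entered.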

Often, the authors of malware such as fake antivirus software do not have the resources or bandwidth to spread their malware on a large scale. Instead they rely on a network of affiliates, e.g. the owners of the Trojan.Sasfis botnet, to distribute it. In return, the owners of the botnet are paid a commission for every installation. More information on this pay-per-install concept can be found in this Symantec whitepaper.


Trojan.Sasfis overview
The following illustration details the infection method and functionality of the threat:
[Illustration: infection method and functionality of Trojan.Sasfis]

GEOGRAPHICAL DISTRIBUTION
Symantec has observed the following geographic distribution of this threat.
[Map: geographical distribution of Trojan.Sasfis]

PREVALENCE
Symantec has observed the following infection levels of this threat worldwide.
[Chart: worldwide infection levels of Trojan.Sasfis]

SYMANTEC PROTECTION SUMMARY
The following content is provided by Symantec to protect against this threat family.
  • Antivirus signatures
  • Antivirus (heuristic/generic)
  • Intrusion Prevention System

Antivirus Protection Dates

  • Initial Rapid Release version February 2, 2010 revision 007
  • Latest Rapid Release version June 24, 2014 revision 006
  • Initial Daily Certified version February 2, 2010 revision 035
  • Latest Daily Certified version August 12, 2013 revision 003
  • Initial Weekly Certified release date February 3, 2010

Threat Assessment

Wild

  • Wild Level: Low
  • Number of Infections: 0 - 49
  • Number of Sites: 0 - 2
  • Geographical Distribution: Low
  • Threat Containment: Easy
  • Removal: Easy

Damage

  • Damage Level: Medium
  • Payload: Opens a back door. Downloads and executes files.

Distribution

  • Distribution Level: Low
Writeup By: Éamonn Young and Eoin Ward
