Discovered: February 02, 2010
Updated: January 20, 2012 12:28:26 PM
Also Known As: W32/Oficla.AE [F-Secure], Backdoor.Win32.Bredavi.he [Kaspersky], Trojan.Win32.Agent.daec [Kaspersky]
Type: Trojan
Infection Length: 19,456 bytes
Systems Affected: Windows

Trojan.Sasfis is a Trojan horse that opens a back door on the compromised computer.

The Trojan may arrive as a spammed email. Once executed, it injects itself into processes running on the computer so that it can operate stealthily. It may then download more files on to the compromised computer.


Trojan.Sasfis typically arrives on the computer through one of the following methods:

  • Spam email
  • Drive-by downloads

Spam email is one of the primary infection methods used to distribute this threat. The emails used to spread this threat commonly use social engineering to mislead the user into opening, and unknowingly executing, the attachment.

The following topics have been observed in past campaigns:
  • Changelogs
  • Fees

A drive-by-download may occur when a user visits a website that has been rigged to contain a number of exploits. The exploits cause malware to be downloaded on to the user's computer without his or her consent.

Trojan.Sasfis may use Microsoft Word to execute itself and it also injects itself into legitimate processes on the computer in order to avoid detection. After the Trojan has been installed on the compromised computer, it connects with a command and control (C&C) server to register itself as a bot. The Trojan then awaits instructions from the C&C server, which is typically to download additional files and malware on to the computer.

Often, malware authors, such as those behind fake antivirus software, do not have the resources or bandwidth to spread their malware on a large scale. Instead they rely on a network of affiliates, e.g. the owners of the Trojan.Sasfis botnet, to distribute the malware. In return, the owners of the botnet get paid a commission for every installation. More information on this pay-per-install concept can be found in this Symantec whitepaper.

Trojan.Sasfis overview
The following illustration details the infection method and functionality of the threat:

Symantec has observed the following geographic distribution of this threat.

Symantec has observed the following infection levels of this threat worldwide.

The following content is provided by Symantec to protect against this threat family.

Antivirus signatures

Antivirus (heuristic/generic)

Intrusion Prevention System

Antivirus Protection Dates

  • Initial Rapid Release version February 02, 2010 revision 007
  • Latest Rapid Release version August 03, 2019 revision 007
  • Initial Daily Certified version February 02, 2010 revision 035
  • Latest Daily Certified version August 04, 2019 revision 002
  • Initial Weekly Certified release date February 03, 2010

Technical Description

1. Prevention and avoidance
1.1 User behavior and precautions
1.2 Avoid emails with .zip attachments
2. Infection method
2.1 Spam email
2.2 Drive-by downloads
3. Functionality
3.1 System modifications
3.2 Network activity
3.3 Affiliate schemes
4. Additional information

The following actions can be taken to avoid or minimize the risk from this threat.

1.1 User behavior and precautions
Use of a firewall or IDS may block or detect back door server communications with the remote client application.

Users should be wary of any unsolicited emails whether from known or unknown sources. Be particularly wary if the email includes a tracking number, describes a change log, or provides a statement of fees and involves opening attachments.

1.2 Avoid emails with .zip attachments
Trojan.Sasfis may arrive on the computer as an attachment with a .zip extension. Typically the .zip file contains an executable file inside. The Trojan only executes after the file inside the attachment is extracted and then run by the user. Therefore it is relatively easy for users to avoid this Trojan (and indeed other malware) by simply not opening such file types.

To reduce the risk of infection, email gateways can be configured to block email with certain types of attachments such as .exe and .zip files.

Trojan.Sasfis typically arrives on the computer through one of the following methods:

  • Spam email
  • Drive-by downloads

A more detailed description of how the threat employs these techniques is provided in the following sections.

2.1 Spam email
One of the most common ways for this Trojan to arrive on a computer is as an attachment to a spammed email. The volume of spam emails is high and the contents are frequently changed and updated. The following are some representative samples of the types of emails that contain a copy of the threat.

Your log [DATE]

Email body
Good afternoon,
as promised your changelog is attached,



Changelog [DATE]

Email body
Dear ladies and gentlemen,
as promised,



Your fees 2010

Email body
Please find attached a statement of fees as requested, this will be posted today.
The accommodation is dealt with by another section and I have passed your request on to them today.
Kind regards.


Other known attachments
  • iTunes_certificate[RANDOM NUMBER].exe

The .zip files typically contain another file, which is a copy of the threat. Whilst the file may at first appear to be a legitimate file, it is just a disguise that is achieved through using legitimate icons and double file extensions. For example, on a computer configured to hide file extensions, a file named Fees_2010.DOC.exe will appear as Fees_2010.DOC. This is a common trick used by malware to hide the real file extension of the executable file from unsuspecting users.

The executable file is packed and variants of the threat are usually just the original file repacked in an attempt to avoid detection by antivirus software.
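
The double-extension disguise described above can be checked at an email gateway or during triage. The following is an added example, not Symantec's code: it lists archive members whose final extension is executable and flags those that sit behind a document-style extension. The document extension set, the function names and the sample archive are assumptions constructed for illustration; the executable extensions are the ones this writeup recommends blocking.

```python
import io
import zipfile
from pathlib import PureWindowsPath

# Attachment types this writeup recommends blocking at the mail server.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".bat", ".vbs"}
# Assumption: extensions a user would read as "just a document".
DOCUMENT_EXTS = {".doc", ".pdf", ".txt", ".xls", ".jpg"}


def suspicious_members(zip_bytes):
    """Return (member name, reason) pairs for files that should be quarantined."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return [("<archive>", "unreadable archive")]
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # Compare extensions case-insensitively, as Windows does.
            suffixes = [s.lower() for s in PureWindowsPath(info.filename).suffixes]
            if not suffixes or suffixes[-1] not in EXECUTABLE_EXTS:
                continue
            if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS:
                # Shown as e.g. "Fees_2010.DOC" when extensions are hidden.
                findings.append((info.filename, "double extension hides executable"))
            else:
                findings.append((info.filename, "executable inside archive"))
    return findings


def build_sample_zip():
    """Constructed attachment: placeholder bytes only, no real payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Fees_2010.DOC.exe", b"constructed placeholder")
        zf.writestr("iTunes_certificate123.exe", b"constructed placeholder")
        zf.writestr("notes.txt", b"harmless text")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in suspicious_members(build_sample_zip()):
        print(f"{name}: {reason}")
```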

2.2 Drive-by downloads
Trojan.Sasfis is known to be spread by websites that exploit known vulnerabilities in Web browsers and their associated plugins. These exploits are often served by exploit kits available in the underground market (e.g. Eleonore, Fragus, Phoenix) and as such need not necessarily be crafted by individuals with a high degree of technical ability. The exploits used by these kits may vary as they are modular by design. This means that the attackers can buy new exploits for their website as they become available for purchase.

A drive-by-download may occur when a user visits a website that has been rigged to contain an exploit. The exploit causes malware to be downloaded on to the user's computer without his or her consent. This Trojan has been observed to be downloaded on to a computer through this method from the following locations:
  • [http://][REMOVED]
  • [http://][REMOVED]
  • [http://][REMOVED]

This method can also use more than one exploit to target the following technologies in order to further its chance of success:
  • ActiveX
  • DirectShow
  • Flash
  • PDF
  • Snapshotviewer

Furthermore, a target computer is typically bombarded with many exploits until one is successful in compromising the computer. In doing this, the attackers illustrate their determination to break into the computer by any means possible.

When this Trojan is executed, it may check whether Microsoft Word is installed on the compromised computer. If it is, the Trojan opens a .tmp file, which contains a VBA script, and executes it.

In order to disguise itself as a legitimate application, Trojan.Sasfis may inject itself into the following common processes, which allows it to bypass firewalls:
  • iexplore.exe
  • svchost.exe

Once successfully installed on the computer and executed, the Trojan opens a back door. It may then receive commands from a command and control (C&C) server telling it to perform various actions on the computer. Primarily, Trojan.Sasfis downloads more files on to the computer. The URL locations that the Trojan downloads files from are stored under the following registry subkey:


The Trojan creates a registry entry named "url[NUMBER]", where [NUMBER] is "1", "2", "3", "4", etc. It points to a hexadecimal string, which, when decrypted, is a website address. This address may point to a server that hosts more malware or updates for the Trojan itself, or updates for the other malware that has been downloaded on to the computer. For example:

HKEY_CLASSES_ROOT\idid\"url2" =
"68 74 74 70 3A 2F 2F 6F 70 74 2D 6F 75 74 2D 6C 69 73 74 2E 6F 72 67 2F 66 75 6C 6C 2F 62 62 2E 70 68 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 8C E6 07 00 6C E6 07 00 00 00 00 00 48 E7 07 00 9C E6 07 00 7C E6 07 00 A4 67 91 7C D4 E6 07 00 00 00 00 00 18 00 1A 00 EC E7 07 00 74 C1 97 7C 00 00 00 00 AC E6 07 00 00 00 02 00 A0 E6 07 00 A0 E6"
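
In the sample value printed above, the bytes before the first 00 read as plain ASCII and the remainder is padding and leftover data. The following is an added example, not Symantec's code, that recovers that string from an exported url[NUMBER] value and defangs it for a report. It assumes other url[NUMBER] values use the same layout; the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Start of the "url2" value printed above (padding shortened, tail truncated).
SAMPLE_URL2 = (
    "68 74 74 70 3A 2F 2F 6F 70 74 2D 6F 75 74 2D 6C 69 73 74 2E 6F 72 67 "
    "2F 66 75 6C 6C 2F 62 62 2E 70 68 70 00 00 00 00 00 00 00 00 8C E6 07 00"
)

HEX_BYTE = re.compile(r"[0-9A-Fa-f]{2}")


def decode_url_value(hex_text):
    """Return the printable string stored before the first 00 byte."""
    tokens = hex_text.split()
    if not tokens or not all(HEX_BYTE.fullmatch(t) for t in tokens):
        raise ValueError("expected space-separated hex byte pairs")
    raw = bytes(int(t, 16) for t in tokens)
    # Everything after the first NUL is padding or leftover data, not URL text.
    text = raw.split(b"\x00", 1)[0]
    if not text or not all(0x20 <= b <= 0x7E for b in text):
        raise ValueError("value does not start with a printable string")
    return text.decode("ascii")


def defang(url):
    """Rewrite scheme and host so the URL cannot be clicked in a report."""
    parts = urlsplit(url)
    prefix_len = len(parts.scheme) + len("://") + len(parts.netloc)
    scheme = parts.scheme.replace("http", "hxxp")
    host = parts.netloc.replace(".", "[.]")
    return f"{scheme}://{host}{url[prefix_len:]}"


def triage_url_values(entries):
    """Map each url[NUMBER] name to a defanged URL, or None if undecodable."""
    report = {}
    for name, hex_text in entries.items():
        try:
            report[name] = defang(decode_url_value(hex_text))
        except ValueError:
            report[name] = None
    return report


if __name__ == "__main__":
    # "url3" is a constructed malformed value to show the failure path.
    print(triage_url_values({"url2": SAMPLE_URL2, "url3": "ZZ 00"}))
```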

Note: Side effects created by associated threats are not included in this report.

3.1 System modifications
The following side effects may be observed on computers compromised by members of this threat family.

Files/folders created
  • %Temp%\1.tmp

[RANDOMLY NAMED FILE] is a variable for the file name. It is made up of a random four-letter file name and a random three-letter file extension.

Files/folders deleted
The Trojan deletes the original executable.

Files/folders modified

Registry subkeys created

Registry subkeys/entries deleted

Registry subkeys/entries modified (final values given)

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = " Explorer.exe rundll32.exe %System%\[RANDOMLY NAMED FILE] [FIVE OR SIX RANDOM CHARACTERS]"
  • HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Security\"AccessVBOM" = "1"
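
The two modified values above can be checked from saved `reg query` output during triage. The following is an added example, not Symantec's code: it parses that text and reports a Winlogon Shell value that carries anything beyond the Windows default of explorer.exe, and an AccessVBOM value of 1. The sample output, its file and argument names, and the function names are constructed for illustration.

```python
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
WORD_SEC = r"HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Security"

# Constructed `reg query` style output; the DLL name and argument are made up.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    Explorer.exe rundll32.exe C:\WINDOWS\system32\abcd.xyz qwert

HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Security
    AccessVBOM    REG_DWORD    0x1
"""

# Value lines are indented and use four spaces between name, type and data.
VALUE_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_[A-Z_]+)\s{4}(.*)$")


def parse_reg_query(text):
    """Map (key, value name), both lower-cased, to the value's data."""
    values, key = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip().lower()
            continue
        match = VALUE_LINE.match(line)
        if match and key:
            values[(key, match.group(1).lower())] = match.group(3).strip()
    return values


def sasfis_registry_findings(text):
    """Return (label, detail) findings for the two changes listed above."""
    values = parse_reg_query(text)
    findings = []
    shell = values.get((WINLOGON.lower(), "shell"))
    # Default is just "explorer.exe"; anything appended also runs at logon.
    if shell is not None and shell.lower() != "explorer.exe":
        extra = shell
        if shell.lower().startswith("explorer.exe"):
            extra = shell[len("explorer.exe"):].strip()
        findings.append(("Winlogon Shell", extra))
    vbom = values.get((WORD_SEC.lower(), "accessvbom"))
    if vbom is not None and vbom.lower() in {"0x1", "1"}:
        findings.append(("Word AccessVBOM", "VBA project access enabled"))
    return findings
```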

The Trojan may inject itself into the following processes:
  • iexplore.exe
  • svchost.exe

3.2 Network activity
Trojan.Sasfis opens a back door. It can then receive commands to download more files on to the compromised computer.

The threat may perform the following network activities.

The Trojan may download other files and updates on to the computer from the following locations:
  • [http://][REMOVED]
  • [http://][REMOVED]
  • [http://][REMOVED]

3.3 Affiliate schemes
The Trojan mostly downloads various security risks on to the compromised computer, for example Antimalware Doctor and Adware.PurityScan. This could mean that the authors of Trojan.Sasfis may be participants in some affiliate scheme, providing a pay-per-install distribution service for certain misleading application vendors and earning a commission in the process.

For more information relating to this threat family, please see the following resource:
Blogs on Trojan.Sasfis


Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.


You may have arrived at this page either because you have been alerted by your Symantec product about this risk, or you are concerned that your computer has been affected by this risk.

Before proceeding further we recommend that you run a full system scan. If that does not resolve the problem you can try one of the options available below.

If you are a Norton product user, we recommend you try the following resources to remove this risk.

Removal Tool

If you have an infected Windows system file, you may need to replace it from the Windows installation CD.

How to reduce the risk of infection
The following resources provide further information and best practices to help reduce the risk of infection.

If you are a Symantec business product user, we recommend you try the following resources to remove this risk.

Identifying and submitting suspect files
Submitting suspicious files to Symantec allows us to ensure that our protection capabilities keep up with the ever-changing threat landscape. Submitted files are analyzed by Symantec Security Response and, where necessary, updated definitions are immediately distributed through LiveUpdate™ to all Symantec end points. This ensures that other computers nearby are protected from attack. The following resources may help in identifying suspicious files for submission to Symantec.

Removal Tool

If you have an infected Windows system file, you may need to replace it from the Windows installation CD.

How to reduce the risk of infection
The following resource provides further information and best practices to help reduce the risk of infection.
Protecting your business network

The following instructions pertain to all current Symantec antivirus products.

1. Performing a full system scan
How to run a full system scan using your Symantec product

2. Restoring settings in the registry
Many risks make modifications to the registry, which could impact the functionality or performance of the compromised computer. While many of these modifications can be restored through various Windows components, it may be necessary to edit the registry. See the Technical Details of this writeup for information about which registry keys were created or modified. Delete registry subkeys and entries created by the risk and return all modified registry entries to their previous values.

Writeup By: Éamonn Young and Eoin Ward