Trojan.Sasfis


Risk Level 1: Very Low

Discovered: February 2, 2010
Updated: January 20, 2012 12:28:26 PM
Also Known As: W32/Oficla.AE [F-Secure], Backdoor.Win32.Bredavi.he [Kaspersky], Trojan.Win32.Agent.daec [Kaspersky]
Infection Length: 19,456 bytes
Systems Affected:
Trojan.Sasfis is a Trojan horse that opens a back door on the compromised computer.

The Trojan may arrive as a spammed email. Once executed, it injects itself into processes running on the computer so that it can operate stealthily. It may then download more files on to the compromised computer.


Trojan.Sasfis typically arrives on the computer through one of the following methods:
  • Spam email
  • Drive-by downloads

Spam email is one of the primary infection methods used to distribute this threat. The emails used to spread it commonly rely on social engineering to mislead the user into opening, and thereby unknowingly executing, the attachment.

The following topics have been observed in past campaigns:
  • Changelogs
  • Fees

A drive-by download may occur when a user visits a website that has been rigged with a number of exploits. The exploits cause malware to be downloaded on to the user's computer without his or her consent.
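The spam vector above works only if the recipient executes an attachment that is really a program. The following script, added here as an illustration and not part of the Symantec writeup, triages the attachments of an e-mail for that lure: it flags executable extensions, a document extension hidden in front of the real one (changelog.doc.exe), the "MZ" header of a Windows executable, and a size equal to the 19,456-byte infection length quoted above. The sample message, its addresses and attachment names are constructed for the example; the heuristics are general assumptions, not a Trojan.Sasfis signature, and a size match alone is weak evidence.

```python
"""Attachment triage for the executable-attachment lure described in the writeup.

Added example, not Symantec's code. Heuristics and the sample message are
assumptions for illustration, not a detection signature for Trojan.Sasfis.
"""
import email
import email.policy
from email.message import EmailMessage

# Infection length quoted in the writeup; matching it alone is weak evidence.
SASFIS_INFECTION_LENGTH = 19_456

EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
DOCUMENT_EXTENSIONS = {"doc", "pdf", "txt", "xls", "rtf"}


def classify_attachment(filename, data):
    """Return the reasons an attachment looks like an executable lure (empty if none)."""
    reasons = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append("executable extension ." + ext)
    # e.g. 'changelog.doc.exe': a document extension placed before the real one
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTENSIONS:
        reasons.append("double extension hides ." + parts[-2] + " lure")
    # Windows executables begin with the 'MZ' DOS header whatever their name
    if data[:2] == b"MZ":
        reasons.append("PE (MZ) header")
    if len(data) == SASFIS_INFECTION_LENGTH:
        reasons.append("size matches quoted infection length")
    return reasons


def triage_message(raw_bytes):
    """Parse an RFC 5322 message; return {filename: reasons} for suspicious attachments."""
    msg = email.message_from_bytes(raw_bytes, policy=email.policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        reasons = classify_attachment(name, data)
        if reasons:
            findings[name] = reasons
    return findings


def build_sample_message():
    """Constructed sample lure (not a real Sasfis mail) using the 'Changelogs' campaign theme."""
    msg = EmailMessage()
    msg["From"] = "support@example.invalid"  # constructed address
    msg["To"] = "user@example.invalid"       # constructed address
    msg["Subject"] = "Changelog 2010-02"
    msg.set_content("Please review the attached changelog.")
    # Fake executable: 'MZ' header padded to the writeup's infection length
    fake_pe = b"MZ" + b"\x00" * (SASFIS_INFECTION_LENGTH - 2)
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                       filename="changelog.doc.exe")
    # Benign text attachment that should produce no findings
    msg.add_attachment("nothing to see", subtype="plain", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in triage_message(build_sample_message()).items():
        print(name, "->", "; ".join(reasons))
```

Run on the constructed message, only changelog.doc.exe is reported, with all four reasons; notes.txt is silent. In a mail gateway the same checks would run before the message reaches the user, since the writeup's point is that the infection depends on the attachment being opened.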

Trojan.Sasfis may use Microsoft Word to execute itself, and it injects itself into legitimate processes on the computer in order to avoid detection. After the Trojan has been installed on the compromised computer, it connects to a command and control (C&C) server and registers itself as a bot. It then awaits instructions from the C&C server, which are typically to download additional files and malware on to the computer.

Often, the authors of malware such as fake antivirus software do not have the resources or bandwidth to spread their malware on a large scale. Instead they rely on a network of affiliates, e.g. the owners of the Trojan.Sasfis botnet, to distribute it. In return, the owners of the botnet are paid a commission for every installation. More information on this pay-per-install model can be found in this Symantec whitepaper.

Trojan.Sasfis overview
The following illustration details the infection method and functionality of the threat:

Symantec has observed the following geographic distribution of this threat.

Symantec has observed the following infection levels of this threat worldwide.

The following content is provided by Symantec to protect against this threat family.

Antivirus signatures

Antivirus (heuristic/generic)

Intrusion Prevention System

Antivirus Protection Dates

  • Initial Rapid Release version February 2, 2010 revision 007
  • Latest Rapid Release version March 18, 2018 revision 023
  • Initial Daily Certified version February 2, 2010 revision 035
  • Latest Daily Certified version March 18, 2018 revision 035
  • Initial Weekly Certified release date February 3, 2010
Writeup By: Éamonn Young and Eoin Ward
