January 31, 2011


It arrives via a spammed message with a .RAR file attachment. Extracting the compressed file reveals what appears to be an .XLS file. This Trojan drops a file detected as BKDR_SASFIS.AC, which allows threads to be injected to the normal svchost.exe process.
Once users extract the compressed .RAR file on their systems, the extracted file detected  as TROJ_SASFIS.HBC is installed on the affected system. The said file appears to be an MS Excel file named as (phone&mail).[U 202e}crs.xls. Its real file name is phone&mail without the Chinese characters . [U 202e}slx.scr, wherein U 202e is the Unicode control character that tells the system to render succeeding characters from right to left. This technique is known as right-to-left override (RLO) technique. Because of the RLO technique, users see an .XLS file instead. This could lead them to believe that the file is indeed an MS Excel file and thus “safe” to open, when in reality it is an executable .SCR file.
Using the RLO technique, this Trojan is able to conceal its actual filename and disguise itself as a legitimate and seemingly harmless file, such as an .XLS or a .TXT file. It can combine a virus file with a text file and users see it as a .TXT file which is actually the virus infected file.

SASFIS was created by cybercriminals to facilitate the propagation of other malware, particularly botnets such as ZBOT and Bredolab. It is part of an organized affiliate program wherein various underground organizations partner in to support their goal of scamming users and gaining profit in the process.

Users are highly advised to follow safe online computing habits, such as scanning email message file attachments with security software, opening attachments only from known or expected sources, deleting all unwanted and suspicious messages without opening, and using security software and running real-time scan when surfing the Web. Always prefer a good anti-virus from reputed companies like TrendMicro, Symantec, McAfee etc to normal free users.

  • It attacks through Spam messages.
  • Spammed message comes as a .RAR file as a compressed file attachment.
  • It gives .XLS file which is actually a screen saver file, downloads a backdoor BKDR.SASFIS.AC that allows infected threads into svchost.exe process.
  • The screen saver file is detected as TROJ_SASFIS.HBC.


Post a Comment

Related Posts Plugin for WordPress, Blogger...

Search This Blog



Twitter Delicious Facebook Digg Stumbleupon Favorites More