Win32/Sazoora [Threat Name]

Win32/Sazoora.A [Threat Variant Name]

Category: trojan
Size: 509709 B
Detection created: Aug 28, 2012
Signature database version: 7424
Aliases: PWS:Win32/Zbot.AHY (Microsoft)
Short description

Win32/Sazoora.A is a trojan that steals passwords and other sensitive information. The trojan attempts to send gathered information to a remote machine.

Installation

When executed, the trojan copies itself into the following location:

  • %appdata%\WinHost\svchost.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "WindowsHost" = "%appdata%\WinHost\svchost.exe"

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\svchost\WinHost]
    • "path" = "%appdata%\WinHost\svchost.exe"
    • "guid" = "%variable%"
    • "installed" = 1
    • "scan" = 1
    • "count" = %number%

A string with variable content is used in place of %variable%.
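The persistence artefacts listed above (the Run value, the svchost\WinHost configuration key and the dropped file under %appdata%) can be checked with a read-only script. This is an added example, not code from ESET; it only uses the paths and value names given in this entry and removes nothing.

```powershell
# Added example: report Win32/Sazoora.A persistence artefacts for the current user.
# Read-only; all paths and value names come from the entry above.

$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$configKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\svchost\WinHost'
$dropPath  = Join-Path $env:APPDATA 'WinHost\svchost.exe'

$findings = @()

# 1. Run value "WindowsHost" (autostart on every logon of this user)
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['WindowsHost']) {
    $findings += [pscustomobject]@{
        Artefact = 'Run value "WindowsHost"'
        Detail   = $run.WindowsHost
    }
}

# 2. Configuration key ...\CurrentVersion\svchost\WinHost with its values
if (Test-Path -Path $configKey) {
    $cfg = Get-ItemProperty -Path $configKey -ErrorAction SilentlyContinue
    $findings += [pscustomobject]@{
        Artefact = 'Config key svchost\WinHost'
        Detail   = "path=$($cfg.path); guid=$($cfg.guid); installed=$($cfg.installed); scan=$($cfg.scan); count=$($cfg.count)"
    }
}

# 3. Dropped copy in %appdata%\WinHost (the real svchost.exe lives in System32,
#    so a copy here is suspicious on its own); hash it for comparison/submission
if (Test-Path -Path $dropPath -PathType Leaf) {
    $hash = (Get-FileHash -Path $dropPath -Algorithm SHA256).Hash
    $findings += [pscustomobject]@{
        Artefact = 'Dropped file'
        Detail   = "$dropPath (SHA256 $hash)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Win32/Sazoora.A persistence artefacts found for the current user.'
} else {
    $findings | Format-Table -AutoSize
}
```

Because every artefact lives under HKEY_CURRENT_USER and the user's own %appdata%, run the script in each user's context (or adapt it to walk HKEY_USERS and each profile directory) rather than once as an administrator.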

Information stealing

Win32/Sazoora.A is a trojan that steals sensitive information.

The following information is collected:

  • login user names for certain applications/services
  • login passwords for certain applications/services

It can execute the following operations:

  • modify network traffic
  • monitor network traffic

The following programs are affected:

  • Internet Explorer
  • Mozilla Firefox
  • Google Chrome

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of 3 URLs. The HTTP protocol is used in the communication.
