Hacking and more...
HaCkinG CulT
eXe
Old School Member
From: romania
Registered: 17 years ago
Posts: 451

Can anyone give me more information about this virus, what exactly does it do to the system? I have had quite a lot of executables infected with this virus.
_______________________________________ If it seems easy, it's hard. If it seems hard, it's absolutely impossible.

posted 17 years ago

hackedss
Elite Member
Registered: 17 years ago
Posts: 858

Code:
Threat Encyclopaedia
Win32/Saburex.A
Type of infiltration: virus
Size: approximately 13 kB
Affected platforms: Microsoft Windows
Signature database version: 1921
Short description: Win32/Saburex.A is a parasitic virus that is able to steal passwords and other sensitive information.
Installation
The following file is dropped in the %system% folder:
ole16.dll
Size of the file is 17920 B. In order to be executed on every system start, the virus sets the following Registry entries:
[HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32]
default = "ole16.dll"
"ThreadingModel" = "both"
If that fails, the following entries are set instead:
[HKEY_CURRENT_USER\Software\Classes\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32]
default = "ole16.dll"
"ThreadingModel" = "both"
Executable files infection
The virus searches for executables on local drives. Infection is attempted only if an executable is not in a folder that contains one of the following strings in its name:
documents and
music
program files
win
_restore
Several other criteria are applied when choosing a file to infect. The virus overwrites code in the first section of the host. The original code is compressed in a CAB archive and appended to the file. The original host executable can be reconstructed when an infected file is run. Another CAB archive containing the DLL library is appended as well.
Information stealing
The virus collects various information when a certain application is being used. The data is saved in the following Registry key:
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Licences
The virus can send the information to a remote machine. The HTTP protocol is used.

posted 17 years ago

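Added example, not part of the original posts or of the quoted write-up: a triage check that scans the text of a `reg export` file for the registry indicators listed above (the InProcServer32 default value pointing at ole16.dll, and the Licences key). The sample export and the function names are constructed for this example.

```python
import re

# Indicators copied from the write-up quoted above.
CLSID = "{00021401-0000-0000-c000-000000000046}"
_SUFFIX = "\\clsid\\" + CLSID + "\\inprocserver32"
PERSIST_KEYS = ("hkey_classes_root" + _SUFFIX,
                "hkey_current_user\\software\\classes" + _SUFFIX)
DATA_KEY = "hkey_current_user\\software\\microsoft\\mediaplayer\\licences"
DROPPED_DLL = "ole16.dll"
# One string value line of a .reg export: @="data" or "name"="data".
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Return {lowercased key path: {lowercased value name: string data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name = "" if m.group(1) == "@" else m.group(1)[1:-1]
            # .reg text escapes backslashes and quotes; undo that.
            current[name.lower()] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys

def find_indicators(text):
    """List (kind, key, detail) tuples for the indicators present in text."""
    keys, hits = parse_reg(text), []
    for key in PERSIST_KEYS:
        server = keys.get(key, {}).get("")  # "" is the key's default value
        if server and server.lower().rsplit("\\", 1)[-1] == DROPPED_DLL:
            hits.append(("persistence", key, server))
    if DATA_KEY in keys:
        hits.append(("collected-data key", DATA_KEY, len(keys[DATA_KEY])))
    return hits

# Constructed sample export of an affected machine (not real captured data).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32]
@="ole16.dll"
"ThreadingModel"="both"

[HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Licences]
"constructed"="placeholder"
'''

if __name__ == "__main__":
    for hit in find_indicators(SAMPLE):
        print(*hit, sep=" | ")
```

Files written by `reg export` are UTF-16, so read them with `open(path, encoding="utf-16")` before passing the text to `find_indicators`.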
Shocker
Super Moderator
From: localhost
Registered: 18 years ago
Posts: 2084

posted 17 years ago