W32/Sysbug.A

Subscribe to Virus Alert
Mailing List

Enter your Email
(Ex : john@company.com)

W32/Sysbug.A.Trojan

Information about the W32/Sysbug.A.Trojan:

W32/Sysbug.A is a Backdoor Trojan. The trojan has the capability of stealing the critical information of the infected system. The trojan spreads through email.

It arrives with the following subject:

Re[2]: Mary

The from address of the infected mail will be james2003@hotmail.com

The body of the infected mail will be:

Hello my dear Mary,

I have been thinking about you all night. I would like to
apologize for the other night when we made beautiful love and did
not use condoms. I know this was a mistake and I beg you to
forgive me.

I miss you more than anything, please call me Mary, I need you.
Do you remember when we were having wild sex in my house? I
remember it all like it was only yesterday. You said that the
pictures would not come out good, but you were very wrong, they
are great. I didn't want to show you the pictures at first, but
now I think it's time for you to see them. Please look in the
attachment and you will see what I mean.

I love you with all my heart, James.

The infected mail carries an attachment Private.zip which contains an executable file wendynaked.jpg.exe

Upon execution of infected attachment, the trojan copies itself as sysdeb32.exe in the Windows folder. The trojan also creates svc.sav file in the Windows folder and temp35.txt file in the root of C: drive, these files helps the trojan to complete its malicious activity.

The trojan modifies registry at the following location to load itself during each startup;

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

In order to steal the system information, the malacious file will be active in the memory and steals the following information:

POP3 Server
POP3 User Name
POP3 Password
NNTP Server
NNTP User Name
SMTP Server
SMTP Email Address
SMTP Organization Name

The stolen information is stored in temp35.txt created under the root of C: drive and it tries to send this information to a pre-configured remote server. It also has a backdoor component which opens TCP port 5555 to create an unauthorised access to the infected system.

This trojan first appeared on 25th November 2003.

Other names of W32/Sysbug.A.Trojan:

This Trojan is also known as Backdoor.Sysbug, TROJ_SYSBUG.A, BackDoor-CAG, Troj/Sysbug-A.

Click here to download a 30 day Evaluation Copy of
Protector Plus for your operating system

About Protector Plus Antivirus Software Packages:

Proland Software is the developer of Protector Plus range of antivirus software packages. Protector Plus is available for Windows Vista, Windows 95/98/Me, Windows XP, Windows NT/2000/2003 servers and workstations, MS-Exchange 2000/2003, MS-DOS and NetWare servers.

New:
SpamChoke Antispam Software
Download Now!

Protector Plus range of antivirus products offer on-line virus detection and removal. All the packages have the ability to detect and isolate all types of viruses, trojans, worms and other types of malware. Protector Plus antivirus software can detect and remove W32/Sysbug trojan reliably.

These products are updated on a continuous basis and the latest upgrades for all the platforms are made available for downloading from this site.

Click here to order
Protector Plus Antivirus software