Sysbug.A steals an infected computer's system configuration information

26 November 2003

Sysbug.A is a backdoor Trojan that steals information about the infected computer's system configuration. Sysbug opens a port on the infected computer, making unauthorized external access possible.

The Sysbug.A Trojan can also download and activate executable files on an infected computer. This Trojan does not, however, self-replicate. It has, until now, spread through spamming and will in all likelihood not spread further without being re-spammed. Users should, however, be aware of the security risks involved in opening attachments like the one described below.

This Trojan affects Windows 95 / 98 / 2000 / Me / NT / XP.

The e-mail carrying the Sysbug.A Trojan has the following characteristics:


From: james2003@hotmail.com
Subject: Re[2]: Mary

Hello my dear Mary,

I have been thinking about you all night. I would like to
apologize for the other night when we made beautiful love and did
not use condoms. I know this was a mistake and I beg you to
forgive me.

I miss you more than anything, please call me Mary, I need you.
Do you remember when we were having wild sex in my house? I
remember it all like it was only yesterday. You said that the
pictures would not come out good, but you were very wrong, they
are great. I didn't want to show you the pictures at first, but
now I think it's time for you to see them. Please look in the
attachment and you will see what I mean.

I love you with all my heart, James.

Attachment: Private.zip



The Zip archive attachment contains the file 'wendynaked.jpg.exe', which is the Trojan's executable.
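
As an added example (not part of the original advisory and not F-Prot's own code), the following Python code shows how a mail filter could flag a Zip attachment that contains a file whose name ends in a decoy extension followed by an executable one, as 'wendynaked.jpg.exe' does. The extension lists and function names are assumptions, and the sample message is constructed with inert placeholder bytes.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Assumption: which extensions count as executable and which as harmless-looking decoys.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd"}
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "bmp", "txt", "doc", "pdf"}


def is_disguised_executable(name):
    """True for names like 'photo.jpg.exe': a decoy extension followed by an executable one."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].strip().rstrip(".").lower()
    # Strip each part so whitespace padding between the two extensions does not hide the pair.
    parts = [p.strip() for p in base.split(".")]
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS and parts[-2] in DECOY_EXTS


def scan_message(raw_bytes):
    """Return (attachment, member) pairs for disguised executables inside Zip attachments."""
    findings = []
    for part in message_from_bytes(raw_bytes).walk():
        filename = part.get_filename()
        payload = part.get_payload(decode=True)  # None for multipart containers
        if not filename or payload is None:
            continue
        # Check the content, not the attachment name, to decide whether it is a Zip archive.
        if not zipfile.is_zipfile(io.BytesIO(payload)):
            continue
        with zipfile.ZipFile(io.BytesIO(payload)) as archive:
            for member in archive.namelist():
                if is_disguised_executable(member):
                    findings.append((filename, member))
    return findings


def build_sample_message():
    """Constructed sample shaped like the mail above; the archive member is inert text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("wendynaked.jpg.exe", b"inert placeholder, not an executable")
    msg = EmailMessage()
    msg["From"] = "james2003@hotmail.com"
    msg["Subject"] = "Re[2]: Mary"
    msg.set_content("Please look in the attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Private.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample_message()))
```
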

When executed, the Trojan installs itself on the infected computer and creates a startup key in the registry to ensure that it always starts up with Windows. Sysbug steals the following information from the infected computer and uploads it to a website:

     IP address
     unique ID
     connection speed
     active time
     SMTP Account Name
     POP3 Password
     POP3 Server
     POP3 User Name
     NNTP Server
     NNTP User Name
     SMTP Server
     SMTP Display Name
     SMTP Email Address
     SMTP Organization Name
     RAS information
     Edialer information

Recommended Reactions

Users are advised to update their virus signature files and make sure they have the latest versions of F-Prot Antivirus installed on their computers.

After updating the virus signature files, users should scan their whole system with the F-Prot Antivirus OnDemand scanner to ensure that their computer security was not compromised before the virus signature files were updated.

Threat Detection

The latest versions of F-Prot Antivirus detect Sysbug.A using virus signature files dated 26 November 2003 or later.

Commtouch® is a leading developer of anti virus software and anti spam filtering services. Commtouch's anti virus computer software, F-PROT Antivirus, is available for a number of operating systems such as Windows, Linux, BSD, Solaris, and AIX as well as the Microsoft Exchange groupware.
