Aliases: TROJ_SABUREX.A, W32/Malware.BMRQ, W32/Saburex.A.DLL, W32/Saburex.dll, Win32:Saburex
Variants: Virus.Win32.Saburex.a, Virus:Win32/Saburex.A, W32/Saburex, W32/Saburex-A

Classification: Malware
Category: Computer Virus

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 05 May 2007
Damage: Medium

Characteristics: W32/Saburex.A is a virus that infects executable files. It affects Windows operating system platforms such as Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000, Windows XP, and Windows Server 2003.

More details about W32.Saburex.A

The main distribution channel used by W32.Saburex.A is the Internet Relay Chat (IRC) network. A remote attacker may take control of the computer by sending commands over IRC channels. These remote commands may include downloading files, terminating running processes, disabling installed security tools and deleting stored files. The core components of the virus are installed in the System folder as the files ole16.dll and shell32.dll. Copies of the same files are placed in shared folders on the network. The virus then creates registry entries, partially repairs the originally infected file and executes it. Next, it searches the compromised computer for files with the .exe extension and infects them. It does not infect files in folders whose path contains strings such as win, music, _restore, documents and program file.
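A triage helper, added here as an example and not part of the original entry, that applies the infection rules above to a constructed list of file paths: it lists the .exe files the virus would target (outside the skipped folders, matched case-insensitively, which is an assumption) and flags copies of the dropped file names that sit outside the System folder, for example on a network share. The System folder path is a parameter because it differs between Windows versions.

```python
import ntpath

# Folder-name substrings the entry says the virus skips when hunting for .exe
# files to infect. Case-insensitive matching is an assumption; note that "win"
# also excludes the Windows folder itself.
SKIPPED_FOLDER_STRINGS = ("win", "music", "_restore", "documents", "program file")

# File names the entry says the virus installs in the System folder and copies
# to network shares. shell32.dll is also a legitimate Windows component, so a
# copy is only suspicious outside the System folder; copies inside it must be
# verified by signature or hash (the entry gives no hash).
DROPPED_FILE_NAMES = ("ole16.dll", "shell32.dll")


def in_skipped_folder(path: str) -> bool:
    """True if the folder part of the path contains a skipped substring."""
    folder = ntpath.dirname(path).lower()
    return any(s in folder for s in SKIPPED_FOLDER_STRINGS)


def is_infection_target(path: str) -> bool:
    """An .exe the virus would try to infect: .exe extension, not in a skipped folder."""
    return path.lower().endswith(".exe") and not in_skipped_folder(path)


def is_suspicious_drop(path: str, system_dir: str) -> bool:
    """A dropped file name found anywhere other than the System folder."""
    name = ntpath.basename(path).lower()
    folder = ntpath.dirname(path).lower().rstrip("\\")
    return name in DROPPED_FILE_NAMES and folder != system_dir.lower().rstrip("\\")


def triage(paths, system_dir=r"C:\Windows\System32"):
    """Return (exe files in the virus's infection scope, suspicious dropped copies)."""
    targets = [p for p in paths if is_infection_target(p)]
    drops = [p for p in paths if is_suspicious_drop(p, system_dir)]
    return targets, drops


# Constructed sample paths for the demonstration.
SAMPLE_PATHS = [
    r"C:\Games\solitaire.exe",                     # in scope: .exe outside skipped folders
    r"C:\Windows\System32\notepad.exe",            # skipped: folder contains "win"
    r"C:\Program Files\Editor\editor.exe",         # skipped: "program file"
    r"C:\Documents and Settings\alice\tool.exe",   # skipped: "documents"
    r"C:\Music\player.exe",                        # skipped: "music"
    r"C:\Tools\readme.txt",                        # not an .exe
    r"C:\Windows\System32\shell32.dll",            # expected location, not flagged
    r"\\fileserver\share\shell32.dll",             # copy on a share: flagged
    r"\\fileserver\share\ole16.dll",               # copy on a share: flagged
]

if __name__ == "__main__":
    in_scope, suspicious = triage(SAMPLE_PATHS)
    print("exe files in infection scope:", in_scope)
    print("suspicious dropped copies:", suspicious)
```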

Apparently, W32.Saburex.A has been specially programmed to give remote attackers backdoor access. When a user's computer contracts this malware, the program silently opens either a TCP port or an IRC connection. It then disables Windows Firewall. A message containing the computer's IP address is sent to the remote attacker, who accesses the computer through the opened port. The attacker's access to the compromised system's files and data purportedly ranges from fair to complete.