
The Srizbi botnet has managed to send massive amounts of spam largely undetected, with the help of its partner in crime, the Srizbi Trojan. This Trojan, also detected as Troj/RKAgen-A and Rootkit:W32/Agent.EA, is known for sending spam while using rootkit techniques to conceal itself and its activity. There are many similarities between the polymorphic code used in Trojan.Srizbi and the Backdoor.Rustock.B packer. Srizbi usually arrives as an .exe file; once the program is run it installs and loads a .sys kernel driver. At that point the infection is complete and the .exe is no longer required.
How does the Srizbi Trojan install itself?
- It creates the files windbg48.sys and [RANDOM NAME].sys in the Windows System folder.
- It then installs the hidden registry subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windbg48, which makes the rootkit driver run as a service whenever the infected computer starts up.
- The Trojan then uses the batch file _uninsep.bat in the Temp folder to delete its own dropper .exe.
- Once that is done, the Trojan hides its registry keys by hooking the following kernel functions:
ZwOpenKey
ZwEnumerateKey
- The dispatch routines of the NTFS filesystem driver are also hooked in order to hide its files:
\FileSystem\Ntfs\IRP_MJ_CREATE
\FileSystem\Ntfs\IRP_MJ_DIRECTORY_CONTROL
By patching the TCP/IP network drivers the Trojan is able to bypass the firewall, network sniffer tools and IDS running on the infected host. The Trojan then attempts to connect to numerous servers to download configuration files for sending spam. Lastly, it removes any competing rootkits present on the infected computer.
Ever found yourself staring at a message on your PC similar to this?
ATTENTION: This IP is infected with, or NATting for a computer infected with a high volume spam sending trojan - it is participating in a botnet. This is the Srizbi BOT. You need to patch your system and then fix/remove the trojan. Do this before delisting, or you're most likely to be listed again almost immediately.
If this IP is a NAT firewall/gateway, you MUST configure the NAT to prevent outbound port 25 connections to the Internet except from your real mail servers.
Not really a message you want to see, right? Did you then apply all the necessary patches? Scan your PCs with every online scanner that claims to get rid of it? Still no sign of Srizbi? Typical: remember that Srizbi specializes in concealing itself. There is, however, the option of removing the Srizbi Trojan manually. By removing it you take away any control the bot herder has over your PC.
Note that manual removal may be difficult for some users. If you are not familiar with editing your system's registry, manual removal is not advised, as you may well damage your system and render it unusable.
Find and delete the following registry entries (regedit). Because the rootkit hooks the kernel routines listed above, these keys and the files below may be invisible while the infected Windows is running; if you cannot see them, inspect the disk from a clean boot (a recovery environment or a second Windows installation) rather than concluding the machine is clean:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RcpApi\"MachineNum"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\windbg48
Block the following URLs:
- www.swinmaster.com
- www.ebobuilt.com
- bu.srizhopa.biz
- www.konskyvolos.com
- www.zaibek.com
- 208.72.169.22
- 208.72.168.143
- 208.72.168.250
- abr.srizhopa.biz
Find and delete the following files:
- %systemdir%\windbg48.sys
- %profiledir%\scchost.exe
- \scchost.exe
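The manual steps above, collected into one script as an added example; this is not code from the original post or from any anti-virus vendor. It assumes the path mappings noted in its comments (%systemdir% to System32, %profiledir% to the current user's profile, the bare \scchost.exe to the root of the system drive), that it is run from an elevated PowerShell, and that when cleaning from a clean boot you point -ServicesKey at the offline SYSTEM hive you loaded with reg load and -SystemRoot at the mounted Windows folder:

```powershell
# Added example (not from the original post): report the Srizbi indicators listed
# above on a Windows host and, with -Remove, take them out. Because the rootkit
# hooks ZwOpenKey/ZwEnumerateKey and the NTFS IRP_MJ_CREATE/IRP_MJ_DIRECTORY_CONTROL
# dispatch routines, a live infected system can hide every one of these indicators;
# an empty result on the infected Windows proves nothing. Prefer running it from a
# clean boot against the offline disk and hive.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Remove,                                                  # default is report-only
    [string]$SystemRoot  = $env:SystemRoot,                           # e.g. D:\Windows for an offline disk
    [string]$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'  # e.g. HKLM:\OfflineSys\ControlSet001\Services
)

# Indicators taken from the removal steps above. Mapping %profiledir% to the
# current user's profile and \scchost.exe to the system drive root is this
# script's assumption, not something the post states.
$driverKey  = Join-Path $ServicesKey 'windbg48'
$machineNum = @{ Key = (Join-Path $ServicesKey 'RcpApi'); Name = 'MachineNum' }
$files = @(
    (Join-Path $SystemRoot 'System32\windbg48.sys'),
    (Join-Path $env:USERPROFILE 'scchost.exe'),
    (Join-Path $env:SystemDrive 'scchost.exe')
)
$domains = 'www.swinmaster.com', 'www.ebobuilt.com', 'bu.srizhopa.biz',
           'www.konskyvolos.com', 'www.zaibek.com', 'abr.srizhopa.biz'
$ips     = '208.72.169.22', '208.72.168.143', '208.72.168.250'

$found = @()
if (Test-Path $driverKey) { $found += "registry key $driverKey" }
if ((Test-Path $machineNum.Key) -and
    (Get-ItemProperty -Path $machineNum.Key -Name $machineNum.Name -ErrorAction SilentlyContinue)) {
    $found += "registry value $($machineNum.Key)\$($machineNum.Name)"
}
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $found += "file $f" }
}

# A driver service whose ImagePath names a .sys that Test-Path cannot see is either
# a stale entry or a file the rootkit is hiding ([RANDOM NAME].sys would land here);
# review these by hand rather than deleting them blindly.
foreach ($svc in Get-ChildItem -Path $ServicesKey) {
    $img = (Get-ItemProperty -Path $svc.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    if ($img -and $img -match '\.sys$') {
        $p = $img -replace '^\\SystemRoot\\', '' -replace '^\\\?\?\\', ''
        if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $SystemRoot $p }
        if (-not (Test-Path -LiteralPath $p)) {
            $found += "driver service $($svc.PSChildName) -> unreadable ImagePath $img (check manually)"
        }
    }
}

if (-not $found) {
    Write-Output 'No Srizbi indicators visible (a live rootkit can hide them; re-check from a clean boot).'
    return
}
$found | ForEach-Object { Write-Output "FOUND: $_" }
if (-not $Remove) { return }

# sc.exe is used because Stop-Service refuses kernel drivers. On a live system the
# rootkit may simply refuse to stop; that is one more reason to clean from a boot
# the driver was never loaded into.
& sc.exe stop windbg48 | Out-Null
if ((Test-Path $driverKey) -and $PSCmdlet.ShouldProcess($driverKey, 'Remove registry key')) {
    Remove-Item -Path $driverKey -Recurse -Force
}
if ((Test-Path $machineNum.Key) -and
    $PSCmdlet.ShouldProcess("$($machineNum.Key)\$($machineNum.Name)", 'Remove registry value')) {
    Remove-ItemProperty -Path $machineNum.Key -Name $machineNum.Name -ErrorAction SilentlyContinue
}
foreach ($f in $files) {
    if ((Test-Path -LiteralPath $f) -and $PSCmdlet.ShouldProcess($f, 'Delete file')) {
        Remove-Item -LiteralPath $f -Force
    }
}

# Sinkhole the C2 hostnames in the hosts file and block the raw IPs outbound so a
# surviving component cannot fetch a fresh spam configuration while you finish.
# New-NetFirewallRule needs the NetSecurity module (Windows 8 / Server 2012 or later).
$hostsFile = Join-Path $SystemRoot 'System32\drivers\etc\hosts'
if ($PSCmdlet.ShouldProcess($hostsFile, 'Sinkhole Srizbi C2 hostnames')) {
    Add-Content -Path $hostsFile -Value ($domains | ForEach-Object { "0.0.0.0 $_ # srizbi" })
}
if ($PSCmdlet.ShouldProcess('Windows Firewall', 'Block outbound traffic to Srizbi C2 IPs')) {
    New-NetFirewallRule -DisplayName 'Block Srizbi C2' -Direction Outbound -Action Block `
        -RemoteAddress $ips -Profile Any | Out-Null
}
Write-Output 'Done. Reboot, then run this script again to confirm nothing came back.'
```

Run it without -Remove first to see what is visible, then with -Remove -WhatIf to preview every change before committing to it. When run against an offline disk, the sc.exe stop and the firewall rule act on the clean system you booted, which is harmless but pointless; the registry and file deletions are what matter there.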
After performing the steps above, restart your system. If the Srizbi Trojan is still present, it's back to the drawing board for you! It is recommended, though, that you use a reputable anti-malware removal tool to remove the Srizbi Trojan safely; there are many out there, you just have to find the right one.