Skip navigation.

Uploaded Tigger aka Syzor.A


sum: 33bd2244e60276501d876f0ccd9479f3

This is a very sophisticated piece of malware:
- uses a privilege escalation vulnerability
- It disables Windows Defender, Windows Firewall, Outpost, Avira, Kaspersky, AVG, and CA products
- It installs a rootkit that runs in safe mode
- it disables kernel debuggers
- Keylogger functionality: logs keystrokes, collects system information, takes screen shots, hooks COM for spying on browser events, and exports passwords, it steals web cookies and certificates
- it puts the NIC in promiscuous mode to sniff FTP and POP3 passwords.

And so far, nobody is exactly sure how it's being distributed.
So, we malware-analysis-experts, we have work to do!

How is this trojan distributed?

sum: 33bd2244e60276501d876f0ccd9479f3

Chato Flores

Every instance I have here

Every instance I have here was dropped via one of 2 groups using custom distribution packages.

TIBs Distro and IframeDollars/Drkgt Distro

There is probably a thousand different names for these but anyone tracking malwares knows who these groups are.

Thanks for the sample.

Thanks for the sample.

Can you please upload the Syzor variant which hides files, hook KdSendPacket etc,.. This uploaded sample doesnt disable WinDBG and allow to cut/delete the dropped sys driver.

EDIT: in fact it isnt crypted. The hook code destroy the file content if normally copying the driver.