Zasil.B trojan downloader appeared on 25th of June 2003. The following email message was sent to a large amount of people:
Subject:
IMPORTANT!! Critical security hole in Windows!
Body:
Dear Windows User! New Windows 9x/2000/NT/XP critical patch has been released. Due to security problems, your system needs to be updated as earlier as possible. You can download an update patch on Windows Update site: http://www.windows-update.com Best regards, Windows Update Group
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
When a recipient clicks on the provided link, his browser connects to the fake windows update site, downloads and activates a file named UPDATE0932.EXE. That file is a downloader called Zasil.B. The downloader connects to another website and fetches the RQ.TXT file. This plain text file contains a link to another executable file. According to reports the RQ.TXT file originally contained a link to WINPWR32.EXE file which is an installation package with a lot of hacker tools and IRC trojans inside. But after some time the contents of RQ.TXT file were changed. At the moment of writing of this description the file contains a link to SVSGHOST.EXE file which is an IRC backdoor (hacker's remote access tool).
Zasil browses the contents of RQ.TXT file, downloads and activates the backdoor file mentioned there. As a result a user's computer becomes infected.
F-Secure Anti-Virus detects the backdoor generically as 'Backdoor.SdBot.gen' with the latest updates. Detection for Zasil.B downloader will be added shortly.