Threat Encyclopedia



  • Trojan is 32bit with a compressed file size of 35,068 bytes
  • The Trojan was coded using Visual Basic 6
  • If the Trojan is run, a dialogue box may be displayed with the following content -


  • The Trojan will copy itself to the undefinedWindowsundefined\System32 folder as "csfix.exe" and then modify the registry to load at next Windows startup as in this example -

    microsoft = c:\WINNT\SYSTEM32\csfix.exe

  • The Trojan will attempt to communicate with a website and send a page notification message to an ICQ chat client ID as seen in the following example message -


  • The message above is posted using TCP port 80 to the web address ( - a server hosted by Mirabilis which can be used to send ICQ page messages - the message serves as a notification that the affected IP is infected by the Trojan

  • The Trojan will open TCP port 2003 and await instructions from a hacker or group of hackers

  • The Trojan contains the string "BBSatanus" in its code

Recommended Action

  • Block internal to external traffic (INT -> EXT) with source TCP port 2003
  • Block external to internal traffic (EXT -> INT) with destination TCP port 2003