BitDefender Antivirus

Win32.Worm.Sasser.E

Alias: Win32.HLLW.Jobaka.5
Propagation: medium
Damage: medium
Size: 15872 bytes
Detected: 2004 May 09

SYMPTOMS:

- Presence of the following files (note the three s's in lsasss.exe, chosen to resemble the legitimate lsass.exe):
%windows%\lsasss.exe
c:\ftplog.txt

- Presence of the following registry value:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\lsasss.exe
with data
%windows%\lsasss.exe

where %windows% is the Windows folder, usually C:\windows\

- Display of the message box quoted in the technical description

TECHNICAL DESCRIPTION:

This is a modified version of Win32.Worm.Sasser.D, which spreads by exploiting the LSASS vulnerability fixed by MS04-011.

The name of the mutex the worm creates to avoid running a second copy of itself has changed to SkynetNotice.

It copies itself to the %windows% folder under the name lsasss.exe.

It adds the following registry value so that the copy runs at every logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\lsasss.exe
with data
%windows%\lsasss.exe


The TCP ports it listens on have changed from the earlier variants (which used 5554 and 9996):

The FTP server port is now 1023
The remote shell port is now 1022

It deletes the following registry values; all of them are located under HKCU\Software\Microsoft\Windows\CurrentVersion\Run:

1. ssgrate.exe
2. drvsys.exe
3. Drvddll_exe



Two hours after it starts, it displays a message box with the following text (reproduced exactly as the worm shows it, spelling and grammar included, since the verbatim string is useful for identification):

1. Your computer is affected by the MS04-011 vulnerability
2. It can be that dangerous computer viruses similar the Blaster worm infect your computer
3. Please update your computer with the MS04-011 LSASS patch from the www.microsoft.com website
4. This is an message from the SkyNet Team for malicious activity prevention
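The file, registry, port and mutex indicators above can be checked on a suspect host in one pass. The following PowerShell function is an added example, not BitDefender's tooling or the worm's code; it assumes the paths, value name, ports and mutex name are exactly as the description gives them, and the function and variable names are ours. It reports findings rather than removing anything.

```powershell
# Added example: check a Windows host for the Win32.Worm.Sasser.E indicators listed
# on this page. Not BitDefender code. Run from an elevated PowerShell prompt.
# Assumptions (ours, not from the page): the function/variable names, the output
# format, and the use of Get-NetTCPConnection (Windows 8 / Server 2012 and later).

function Test-SasserE {
    $findings = @()

    # 1. Dropped files: %windows%\lsasss.exe (three s's) and c:\ftplog.txt
    $files = @(
        (Join-Path $env:windir 'lsasss.exe'),
        'C:\ftplog.txt'
    )
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) {
            $findings += "File present: $f"
        }
    }

    # 2. Persistence: HKLM Run value named lsasss.exe pointing at the dropped copy
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $item = Get-ItemProperty -Path $runKey -Name 'lsasss.exe' -ErrorAction SilentlyContinue
    if ($item) {
        $findings += "Run value lsasss.exe = $($item.'lsasss.exe')"
    }

    # 3. Listeners on the variant's ports: 1023 (FTP server) and 1022 (remote shell).
    #    Owning PID is recorded so the process can be killed before the file is deleted.
    foreach ($port in 1023, 1022) {
        $conn = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
        if ($conn) {
            $owner = ($conn | Select-Object -First 1).OwningProcess
            $findings += "TCP $port listening (PID $owner)"
        }
    }

    # 4. Running instance: the worm creates the mutex SkynetNotice so that only one
    #    copy runs. An access-denied error still means the mutex exists.
    foreach ($name in 'SkynetNotice', 'Global\SkynetNotice') {
        $m = $null
        try {
            if ([System.Threading.Mutex]::TryOpenExisting($name, [ref]$m)) {
                $m.Dispose()
                $findings += "Mutex $name exists"
            }
        } catch [System.UnauthorizedAccessException] {
            $findings += "Mutex $name exists (access denied)"
        }
    }

    return $findings
}

# Usage: print each indicator found; an empty result means none of the listed
# indicators is present on this host.
Test-SasserE | ForEach-Object { Write-Output $_ }
```

The HKCU values the worm deletes (ssgrate.exe, drvsys.exe, Drvddll_exe) are deliberately not checked: their absence is normal on a clean machine and proves nothing. On hosts older than Windows 8, replace the Get-NetTCPConnection step with a parse of `netstat -ano` output; a listener on TCP 1023 or 1022 with an owning PID whose image is %windows%\lsasss.exe is the equivalent finding.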

Removal instructions:

Let BitDefender delete all files found infected by this worm. Apply the MS04-011 (LSASS) patch from www.microsoft.com before reconnecting the machine to the network; an unpatched host is reinfected by the next scan from any other infected machine, regardless of how thoroughly the files were removed.

ANALYZED BY:

Sorin Victor Dudea BitDefender AntiVirus Researcher