Win32.Worm.Sasser.D
HIGH
LOW
16384
(WORM_SASSER.D, Win32.HLLW.Jobaka.D)
Symptoms
Presence of "skynetave.exe" and "%rand%_up.exe" in the %windir% folder (e.g. C:\Windows) and in the process list.
Presence, in the start-up registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run", of a "skynetave.exe" entry pointing to "%windir%\skynetave.exe".
Removal instructions:
Manual removal:
* open Task Manager by pressing [CTRL]+[ALT]+[DEL], or [CTRL]+[SHIFT]+[ESCAPE] on Windows XP
* use End Process in the Processes tab on skynetave.exe
* open Registry Editor by pressing [WIN]+[R], typing regedit and pressing [ENTER]
* remove the skynetave.exe value from HKLM\Software\Microsoft\Windows\CurrentVersion\Run
* delete %windir%\skynetave.exe and %windir%\%rand%_up.exe
Automatic removal: let BitDefender disinfect infected files
Analyzed By
Mircea Ciubotariu, BitDefender Virus Researcher
Technical Description:
It works much the same as Win32.Worm.Sasser.{A-C}, except for the following:
* as already shown under Symptoms, it uses a different file name and a different start-up registry entry
* it attempts to import some functions that make its execution on Windows 2000 impossible
* it creates two mutexes, but only one is checked to avoid reinfection, namely SkynetSasserVersionWithPingFast
* it uses a different port for the remote shell, namely 9995
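The following PowerShell script is an added example written for this entry; it is not BitDefender's disinfection tool. It checks a host for the indicators listed under Symptoms and in the technical description above (the skynetave.exe process, the Run-key entry, the dropped files, and a listener on TCP 9995) and, only when run with -Remove, applies the same steps as the manual removal procedure. It assumes a modern PowerShell with the Get-NetTCPConnection cmdlet available; the wildcard pattern *_up.exe is an assumption standing in for the %rand%_up.exe name, so review the reported files before removing them.

```powershell
# Sasser.D indicator check and cleanup (added example, not BitDefender's tool).
# Run from an elevated PowerShell prompt. Without -Remove it only reports.
param([switch]$Remove)

$winDir  = $env:windir
$runKey  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$dropper = Join-Path $winDir 'skynetave.exe'
$found   = @()

# 1. Running process named skynetave.exe
$procs = Get-Process -Name 'skynetave' -ErrorAction SilentlyContinue
if ($procs) { $found += "process skynetave.exe (PID $($procs.Id -join ','))" }

# 2. Run-key entry "skynetave.exe" pointing at %windir%\skynetave.exe
$runVal = (Get-ItemProperty -Path $runKey -Name 'skynetave.exe' -ErrorAction SilentlyContinue).'skynetave.exe'
if ($runVal) { $found += "Run entry skynetave.exe = $runVal" }

# 3. Dropped files: skynetave.exe plus the random-named %rand%_up.exe copies.
#    '*_up.exe' is an assumed pattern; a legitimate file could match it too.
$files = @()
if (Test-Path $dropper) { $files += Get-Item $dropper }
$files += Get-ChildItem -Path $winDir -Filter '*_up.exe' -File -ErrorAction SilentlyContinue
foreach ($f in $files) { $found += "file $($f.FullName) ($($f.Length) bytes)" }

# 4. Remote shell listener on TCP 9995 (assumes Get-NetTCPConnection exists on this host)
$listener = Get-NetTCPConnection -LocalPort 9995 -State Listen -ErrorAction SilentlyContinue
if ($listener) { $found += "TCP 9995 listening, owning PID $($listener.OwningProcess -join ',')" }

if (-not $found) { Write-Host 'No Sasser.D indicators found.'; exit 0 }
Write-Host 'Sasser.D indicators:'
$found | ForEach-Object { Write-Host "  $_" }

if ($Remove) {
    # Same order as the manual steps: stop the process, drop the Run entry, delete the files.
    if ($procs)  { $procs | Stop-Process -Force }
    if ($runVal) { Remove-ItemProperty -Path $runKey -Name 'skynetave.exe' }
    foreach ($f in $files) { Remove-Item -Path $f.FullName -Force }
    Write-Host 'Removal steps applied; reboot and re-run this script to confirm.'
}
```

Run it once without -Remove to see what it finds, then with -Remove once you have confirmed that every listed file really is the worm's; the process is stopped before the files are deleted so the deletion does not fail on a locked executable.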