
Win32.Worm.Sasser.D

HIGH
LOW
16384
(WORM_SASSER.D, Win32.HLLW.Jobaka.D)

Symptoms

Presence of "skynetave.exe" and "%rand%_up.exe" in %windir% (e.g. C:\Windows) folder and in processes list.

Presence in start-up registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" of the string "skynetave.exe" pointing to "%windir%\skynetave.exe".

Removal instructions:

Manual removal:
* open Task Manager by pressing [CTRL]+[ALT]+[DEL] or, on Windows XP, [CTRL]+[SHIFT]+[ESCAPE]
* in the Processes tab, select skynetave.exe and use End Process
* open Registry Editor by pressing [WIN]+[R], typing regedit and pressing [ENTER]
* remove the skynetave.exe value from the HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry key
* delete %windir%\skynetave.exe and %windir%\%rand%_up.exe

Automatic removal: let BitDefender disinfect infected files

Analyzed By

Mircea Ciubotariu, BitDefender Virus Researcher

Technical Description:

It works much the same as Win32.Worm.Sasser.{A-C}, with the following differences:

* as already shown under Symptoms, it uses a different file name and a different start-up registry string
* it attempts to import some functions that make its execution on Windows 2000 impossible
* it creates two mutexes, but only one of them, SkynetSasserVersionWithPingFast, is checked to avoid reinfection
* it uses a different port for the remote shell, namely 9995
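As an added example (not part of the Bitdefender write-up), the following Python checker scans snapshots of a host's state for the indicators listed under Symptoms and in the technical description: the dropped files in %windir%, the running process, the Run-key entry and the remote-shell port 9995. It assumes that %rand% is a run of digits; the live-collection helper reads only the file listing and the Run key and works only on Windows.

```python
"""Check a host for the Win32.Worm.Sasser.D indicators listed above."""
import os
import re

# Indicators from the write-up; %rand% is assumed to be a run of digits.
RUN_KEY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Run"
DROPPED_NAME = "skynetave.exe"
RAND_UP_RE = re.compile(r"^[0-9]+_up\.exe$", re.IGNORECASE)
SHELL_PORT = 9995


def find_indicators(windir_files, processes, run_values, listening_ports):
    """Return the matched indicators for snapshots of the host state.

    windir_files:    file names found in %windir%
    processes:       image names of running processes
    run_values:      {value_name: data} read from the HKLM Run key
    listening_ports: TCP ports currently in LISTEN state
    """
    hits = []
    for name in windir_files:
        if name.lower() == DROPPED_NAME or RAND_UP_RE.match(name):
            hits.append("file: %windir%\\" + name)
    for image in processes:
        if image.lower() == DROPPED_NAME:
            hits.append("process: " + image)
    for value, data in run_values.items():
        if DROPPED_NAME in data.lower():
            hits.append("run-key: %s = %s" % (value, data))
    if SHELL_PORT in listening_ports:
        hits.append("listening port: %d (remote shell)" % SHELL_PORT)
    return hits


def collect_live_windows():
    """Read the %windir% listing and the Run key from the local Windows host."""
    import winreg  # Windows-only module
    files = os.listdir(os.environ.get("WINDIR", r"C:\Windows"))
    run_values, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY_PATH) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:  # raised once all values have been enumerated
                break
            run_values[name] = str(data)
            i += 1
    return files, run_values
```

On a Windows host, `files, run_values = collect_live_windows()` followed by `find_indicators(files, [], run_values, [])` reports the file and Run-key indicators; process and port snapshots can be supplied from Task Manager or netstat output.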