BitDefender Antivirus

Win32.Worm.Sasser.D

( WORM_SASSER.D, Win32.HLLW.Jobaka.D )
Spreading: high
Damage: low
Size: 16384
Discovered: 2004 May 03

SYMPTOMS:

Presence of "skynetave.exe" and "%rand%_up.exe" (where %rand% is a random string) in the %windir% folder (e.g. C:\Windows) and in the process list.

Presence, under the start-up registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run", of a value named "skynetave.exe" whose data is "%windir%\skynetave.exe".

TECHNICAL DESCRIPTION:

It works much the same as Win32.Worm.Sasser.{A-C}, with the following differences:

* as already shown under Symptoms, it uses a different file name and a different start-up registry value
* it attempts to import some functions that are not available on Windows 2000, which makes its execution on Windows 2000 impossible
* it creates two mutexes but checks only one of them to avoid re-infection, namely SkynetSasserVersionWithPingFast
* it uses a different port for the remote shell, namely 9995

Removal instructions:

Manual removal:
* open Task Manager by pressing [CTRL]+[ALT]+[DEL] (or [CTRL]+[SHIFT]+[ESC] on Windows XP)
* in the Processes tab, select skynetave.exe (and any %rand%_up.exe process) and use End Process
* open Registry Editor: press [WIN]+[R], type regedit and press [ENTER]
* under HKLM\Software\Microsoft\Windows\CurrentVersion\Run, delete the value named skynetave.exe
* delete %windir%\skynetave.exe and %windir%\%rand%_up.exe
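The checks from the Symptoms and Technical Description sections and the manual removal steps above, as one added PowerShell script. This is an example written for this page, not a BitDefender tool. It assumes an elevated PowerShell 3.0 or later, that the dropped copies match the pattern *_up.exe, and that they are the same 16384-byte binary as skynetave.exe (the page gives the size but does not say the copies are identical); by default it only reports, and deletes nothing until run with -Remove.

```powershell
# Added example for this page; not BitDefender's own tool.
# Reports the Sasser.D indicators listed above and, only with -Remove,
# carries out the manual removal steps. Requires an elevated PowerShell 3.0+.
# Assumptions not stated on the page: dropped copies match *_up.exe and have
# the same 16384-byte size as skynetave.exe.
param([switch]$Remove)

$windir   = $env:windir
$runKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$mainFile = Join-Path $windir 'skynetave.exe'
$wormSize = 16384

# 1. Mutex (page: SkynetSasserVersionWithPingFast). Check it first: it
#    disappears as soon as the worm process is killed.
try {
    $mx = [System.Threading.Mutex]::OpenExisting('SkynetSasserVersionWithPingFast')
    $mx.Dispose()
    Write-Host 'Mutex present: worm is running'
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    Write-Host 'Mutex absent'
} catch [System.UnauthorizedAccessException] {
    Write-Host 'Mutex exists but could not be opened: worm is likely running'
}

# 2. Remote shell listener on TCP 9995 (page). netstat exists on every
#    Windows version, unlike Get-NetTCPConnection.
$shell = netstat -ano | Select-String -Pattern ':9995\s+\S+\s+LISTENING'
if ($shell) { Write-Host "Listener on 9995: $($shell.Line.Trim())" }

# 3. Dropped files: skynetave.exe plus any <rand>_up.exe of the worm's size.
#    Files named *_up.exe with a different size are ignored, not deleted.
$files = @(Get-ChildItem -Path $windir -Filter '*_up.exe' -File -ErrorAction SilentlyContinue |
           Where-Object { $_.Length -eq $wormSize })
if (Test-Path -LiteralPath $mainFile) { $files += Get-Item -LiteralPath $mainFile }
$files | ForEach-Object { Write-Host "File: $($_.FullName) ($($_.Length) bytes)" }

# 4. Running processes: by name, or backed by one of the files found above.
$paths = @($files | ForEach-Object { $_.FullName })
$procs = @(Get-Process -ErrorAction SilentlyContinue | Where-Object {
    $_.ProcessName -eq 'skynetave' -or ($_.Path -and ($paths -contains $_.Path))
})
$procs | ForEach-Object { Write-Host "Process: $($_.ProcessName) PID $($_.Id)" }

# 5. Start-up entry: a value named skynetave.exe under the Run key (not a subkey).
$runVal = (Get-ItemProperty -Path $runKey -Name 'skynetave.exe' -ErrorAction SilentlyContinue).'skynetave.exe'
if ($runVal) { Write-Host "Run value: skynetave.exe = $runVal" }

if (-not $Remove) {
    Write-Host 'Report only. Re-run with -Remove to clean.'
    return
}

# Removal in the order the page gives: kill first, otherwise the files stay locked.
$procs | Stop-Process -Force -ErrorAction SilentlyContinue
if ($runVal) { Remove-ItemProperty -Path $runKey -Name 'skynetave.exe' }
$files | ForEach-Object { Remove-Item -LiteralPath $_.FullName -Force }
Write-Host 'Removal done. Reboot and re-run in report mode to confirm.'
```

Run it once without arguments to see what it finds, then with -Remove. Because Sasser spreads over the network with no user action, do the cleanup with the machine disconnected and install the Windows security update that closes the hole it exploits (not described on this page) before reconnecting; otherwise the host is simply re-infected.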

Automatic removal: let BitDefender disinfect infected files

ANALYZED BY:

Mircea Ciubotariu, BitDefender Virus Researcher