My Bitdefender
  • 0 Shopping Cart


Facebook Twitter Google Plus




- Presence of the following files:

- Presence of the following registry key:
with value

where %windows% is the windows folder. Usually it is C:\windows\
The display of a message box described in the technical description

Removal instructions:

Let BitDefender delete all files found infected by this worm.

Analyzed By

Sorin Victor Dudea BitDefender AntiVirus Researcher

Technical Description:

This is a modified version of Win32.Worm.Sasser.D

The name of the mutex used for checking its presence in memory has changed to SkynetNotice

It copies in the %windows% folder with the name lsasss.exe.

It adds the following registry key:
With value

It changed the value of the ports it is using as follows:

The ftp port was changed to 1023
The shell port was changed to 1022

It deletes the following registry keys; all the key are located in \HKCU\Software\Microsoft\Windows\CurrentVersion\Run

1. ssgrate.exe
2. drvsys.exe
3. Drvddll_exe

After 2 hours it displays a message box with the following text:

1. Your computer is affected by the MS04-011 vulnerability
2. It can be that dangerous computer viruses similar the Blaster worm infect your computer
3. Please update your computer with the MS04-011 LSASS patch from the website
4. This is an message from the SkyNet Team for malicious activity prevention