SHARE
THIS ON

Facebook Twitter Google Plus

Win32.Worm.Sasser.E

MEDIUM
MEDIUM
15872
(Win32.HLLW.Jobaka.5)

Symptoms

- Presence of the following files:
%windows%\lsasss.exe
c:\ftplog.txt
- Presence of the following registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\lsasss.exe
with value
%windows%\lsasss.exe

where %windows% is the windows folder. Usually it is C:\windows\
The display of a message box described in the technical description

Removal instructions:

Let BitDefender delete all files found infected by this worm.

Analyzed By

Sorin Victor Dudea BitDefender AntiVirus Researcher

Technical Description:

This is a modified version of Win32.Worm.Sasser.D

The name of the mutex used for checking its presence in memory has changed to SkynetNotice

It copies in the %windows% folder with the name lsasss.exe.

It adds the following registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\lsasss.exe
With value
%windows%\lsasss.exe


It changed the value of the ports it is using as follows:

The ftp port was changed to 1023
The shell port was changed to 1022

It deletes the following registry keys; all the key are located in \HKCU\Software\Microsoft\Windows\CurrentVersion\Run

1. ssgrate.exe
2. drvsys.exe
3. Drvddll_exe


After 2 hours it displays a message box with the following text:

1. Your computer is affected by the MS04-011 vulnerability
2. It can be that dangerous computer viruses similar the Blaster worm infect your computer
3. Please update your computer with the MS04-011 LSASS patch from the www.microsoft.com website
4. This is an message from the SkyNet Team for malicious activity prevention
Antivirus Software For Home Users
Business Security Solutions
Latest News
Tools & Resources