My Bitdefender
  • 0 Shopping Cart

SHARE
THIS ON

Facebook Twitter Google Plus

Win32.Worm.Sasser.E

MEDIUM
MEDIUM
15872
(Win32.HLLW.Jobaka.5)

Symptoms

- Presence of the following files:
%windows%\lsasss.exe
c:\ftplog.txt

- Presence of the following registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\lsasss.exe
with value
%windows%\lsasss.exe

where %windows% is the windows folder. Usually it is C:\windows\
The display of a message box described in the technical description

Removal instructions:

Let BitDefender delete all files found infected by this worm.

Analyzed By

Sorin Victor Dudea BitDefender AntiVirus Researcher

Technical Description:

This is a modified version of Win32.Worm.Sasser.D

The name of the mutex used for checking its presence in memory has changed to SkynetNotice

It copies in the %windows% folder with the name lsasss.exe.

It adds the following registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\lsasss.exe
With value
%windows%\lsasss.exe


It changed the value of the ports it is using as follows:

The ftp port was changed to 1023
The shell port was changed to 1022

It deletes the following registry keys; all the key are located in \HKCU\Software\Microsoft\Windows\CurrentVersion\Run

1. ssgrate.exe
2. drvsys.exe
3. Drvddll_exe



After 2 hours it displays a message box with the following text:

1. Your computer is affected by the MS04-011 vulnerability
2. It can be that dangerous computer viruses similar the Blaster worm infect your computer
3. Please update your computer with the MS04-011 LSASS patch from the www.microsoft.com website
4. This is an message from the SkyNet Team for malicious activity prevention