Win32.Worm.Sasser.E
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Win32.Worm.Sasser.E is also known as Win32.HLLW.Jobaka.5.
Explanation:
This is a modified version of Win32.Worm.Sasser.D.
The name of the mutex used for checking its presence in memory has changed to SkynetNotice.
It copies itself to the %windows% folder with the name lsasss.exe.
It adds the following registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\lsasss.exe
With value
%windows%\lsasss.exe
It changed the value of the ports it is using as follows:
The ftp port was changed to 1023
The shell port was changed to 1022
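The indicators listed so far (mutex name, Run entry, dropped file name, listening ports) can be matched against artifacts collected from a host. The following is an added example, not part of the original write-up; the function names, finding labels and sample data are assumptions constructed for illustration.

```python
import ntpath
import re

# Indicators taken from the description above.
FILE_NAME = "lsasss.exe"   # three "s"; the genuine Windows process is lsass.exe
PORTS = {1023: "ftp", 1022: "shell"}
MUTEX = "SkynetNotice"
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.I)

def match_indicators(run_values, netstat_lines, mutex_names):
    """Return sorted findings for one host.

    run_values: (value_name, data) pairs from HKLM\\...\\CurrentVersion\\Run
    netstat_lines: lines of `netstat -an` output
    mutex_names: named mutex objects observed on the host
    """
    findings = set()
    for name, data in run_values:
        # Base-name match catches %windows%\lsasss.exe and C:\WINDOWS\lsasss.exe
        base = ntpath.basename(data.strip().strip('"')).lower()
        if FILE_NAME in (name.lower(), base):
            findings.add("run:" + name)
    for line in netstat_lines:
        m = LISTEN_RE.match(line)
        if m and int(m.group(1)) in PORTS:
            port = int(m.group(1))
            findings.add(f"port:{port}/{PORTS[port]}")
    for mutex in mutex_names:
        # Object paths such as \BaseNamedObjects\<name> reduce to <name>.
        if ntpath.basename(mutex) == MUTEX:
            findings.add("mutex:" + MUTEX)
    return sorted(findings)

def verdict(findings):
    """Ports alone are weak evidence; a Run entry or the mutex is strong."""
    if any(f.startswith(("run:", "mutex:")) for f in findings):
        return "likely infected"
    return "review" if findings else "clean"

# Constructed sample artifacts (not from the original page).
SAMPLE_RUN = [("lsasss.exe", r"C:\WINDOWS\lsasss.exe"),
              ("ExampleEntry", r"C:\WINDOWS\system32\lsass.exe")]
SAMPLE_NETSTAT = ["  TCP    0.0.0.0:1023    0.0.0.0:0    LISTENING",
                  "  TCP    0.0.0.0:1022    0.0.0.0:0    LISTENING",
                  "  TCP    10.0.0.5:1040   10.0.0.9:1023    ESTABLISHED"]
SAMPLE_MUTEXES = [r"\BaseNamedObjects\SkynetNotice"]

if __name__ == "__main__":
    hits = match_indicators(SAMPLE_RUN, SAMPLE_NETSTAT, SAMPLE_MUTEXES)
    print(verdict(hits), hits)
```

The Run data is compared by base name only, so an entry that carries command-line arguments after the path would need to be split before matching.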
It deletes the following registry keys; all the keys are located in HKCU\Software\Microsoft\Windows\CurrentVersion\Run:
1. ssgrate.exe
2. drvsys.exe
3. Drvddll_exe
After 2 hours it displays a message box with the following text:
1. Your computer is affected by the MS04-011 vulnerability
2. It can be that dangerous computer viruses similar the Blaster worm infect your computer
3. Please update your computer with the MS04-011 LSASS patch from the www.microsoft.com website
4. This is an message from the SkyNet Team for malicious activity prevention
Last update 21 November 2011