Home / malware

PDF

Win32.Worm.Sasser.E

First posted on 21 November 2011.
Source: BitDefender

Aliases :

Win32.Worm.Sasser.E is also known as Win32.HLLW.Jobaka.5.

Explanation :

This is a modified version of Win32.Worm.Sasser.D

The name of the mutex used for checking its presence in memory has changed to SkynetNotice

It copies in the %windows% folder with the name lsasss.exe.

It adds the following registry key:
HKLMSoftwareMicrosoftWindowsCurrentVersionRunlsasss.exe
With value
%windows%lsasss.exe

It changed the value of the ports it is using as follows:

The ftp port was changed to 1023
The shell port was changed to 1022

It deletes the following registry keys; all the key are located in HKCUSoftwareMicrosoftWindowsCurrentVersionRun

1. ssgrate.exe
2. drvsys.exe
3. Drvddll_exe

After 2 hours it displays a message box with the following text:

1. Your computer is affected by the MS04-011 vulnerability
2. It can be that dangerous computer viruses similar the Blaster worm infect your computer
3. Please update your computer with the MS04-011 LSASS patch from the www.microsoft.com website
4. This is an message from the SkyNet Team for malicious activity prevention

Last update 21 November 2011

 

TOP