Win32.Worm.Sasser.D( WORM_SASSER.D, Win32.HLLW.Jobaka.D )
SYMPTOMS:
* Presence of "skynetave.exe" and "%rand%_up.exe" (where %rand% is a random string) in the %windir% folder (e.g. C:\Windows) and in the process list.
* Presence, in the start-up registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run", of a value named "skynetave.exe" pointing to "%windir%\skynetave.exe".

TECHNICAL DESCRIPTION:
It works much the same as Win32.Worm.Sasser.{A-C} except for the following:
* as already shown under SYMPTOMS, it uses a different file name and a different value name in the start-up registry key
* it imports some functions that are not available on Windows 2000, so it cannot execute on that platform
* it creates two mutexes, but only one of them is checked to avoid reinfection, namely SkynetSasserVersionWithPingFast
* it uses a different port for the remote shell, namely 9995

Removal instructions:
Manual removal:
* open Task Manager by pressing [CTRL]+[ALT]+[DEL], or [CTRL]+[SHIFT]+[ESCAPE] on Windows XP
* in the Processes tab, select skynetave.exe and use End Process
* open Registry Editor: press [WIN]+[R], type regedit, press [ENTER]
* under HKLM\Software\Microsoft\Windows\CurrentVersion\Run, delete the value named skynetave.exe
* delete %windir%\skynetave.exe and %windir%\%rand%_up.exe
Automatic removal: let BitDefender disinfect infected files.

ANALYZED BY: Mircea Ciubotariu, BitDefender Virus Researcher
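The following PowerShell script is an added example that ties the symptoms and the manual removal steps above together; it is not BitDefender's tool and not part of the original description. It checks every indicator listed on this page (the two dropped files in %windir%, the running process, the Run-key value, the SkynetSasserVersionWithPingFast mutex and a listener on port 9995) and, only when run with -Remove, carries out the manual removal in the same order as above (process first, then registry value, then files). It assumes an elevated PowerShell session, assumes the 9995 remote shell is a TCP listener, and treats any file matching *_up.exe in %windir% as the %rand%_up.exe dropper.

```powershell
# Hypothetical Sasser.D indicator check and clean-up (example for this page, not BitDefender code).
# Run from an elevated PowerShell prompt. Without -Remove it only reports what it finds.
param([switch]$Remove)

$windir   = $env:windir
$runKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$mainFile = Join-Path $windir 'skynetave.exe'
$found    = @()

# 1. Running worm process: skynetave.exe started from %windir%
$procs = Get-Process -Name 'skynetave' -ErrorAction SilentlyContinue
if ($procs) { $found += "process skynetave.exe (PID $($procs.Id -join ','))" }

# 2. Dropped files: %windir%\skynetave.exe and %windir%\%rand%_up.exe
#    (assumption: any *_up.exe directly under %windir% is the random-named copy)
$files = @()
if (Test-Path -LiteralPath $mainFile) { $files += Get-Item -LiteralPath $mainFile }
$files += Get-ChildItem -Path $windir -Filter '*_up.exe' -ErrorAction SilentlyContinue |
          Where-Object { -not $_.PSIsContainer }
foreach ($f in $files) { $found += "file $($f.FullName)" }

# 3. Start-up persistence: Run value named skynetave.exe pointing at %windir%\skynetave.exe
$runVal = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).'skynetave.exe'
if ($runVal) { $found += "Run value skynetave.exe = $runVal" }

# 4. Infection marker: the one mutex the worm actually checks before reinfecting.
#    It exists only while the worm process is alive, so its absence proves nothing on its own.
try {
    $m = [System.Threading.Mutex]::OpenExisting('SkynetSasserVersionWithPingFast')
    $m.Close()
    $found += 'mutex SkynetSasserVersionWithPingFast present'
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # not present
} catch {
    # exists but could not be opened (typically access denied): still an indicator
    $found += 'mutex SkynetSasserVersionWithPingFast present (could not open)'
}

# 5. Remote shell: listener on port 9995 (assumed TCP). Another program could legitimately
#    use the port, so treat this as corroborating evidence, not proof by itself.
$ipProps   = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$listeners = $ipProps.GetActiveTcpListeners() | Where-Object { $_.Port -eq 9995 }
if ($listeners) { $found += 'TCP listener on port 9995' }

if (-not $found) {
    Write-Host 'No Win32.Worm.Sasser.D indicators found.'
    return
}
Write-Host 'Win32.Worm.Sasser.D indicators:'
$found | ForEach-Object { Write-Host "  $_" }

if ($Remove) {
    # Same order as the manual steps: stop the process first so the file delete succeeds
    # and the worm cannot re-create its Run value after it has been removed.
    if ($procs)  { $procs | Stop-Process -Force -ErrorAction SilentlyContinue }
    if ($runVal) { Remove-ItemProperty -Path $runKey -Name 'skynetave.exe' -ErrorAction SilentlyContinue }
    foreach ($f in $files) { Remove-Item -LiteralPath $f.FullName -Force -ErrorAction SilentlyContinue }
    Write-Host 'Removal attempted. Reboot and re-run this script to confirm nothing came back.'
}
```

Run it once without -Remove to see what is present, then with -Remove from an administrative prompt. After a reboot, a clean second run (no process, no files, no Run value, no mutex) is the check that the manual procedure above succeeded; the port-9995 check alone is not, since the port can be taken by unrelated software.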