Focus on Virus
RE: Possible New Sasser Variant
Mar 24 2005 12:43AM
Jefferies, Darren (Darren Jefferies health wa gov au)
Hi Syklops, this sounds exactly like a virus that hit my home PC last year. It has an executable (VB app) which sets the policies in XP to disallow running Regedit and Task Manager, closes programs at random and disables shutdown. The files used by this are: LSASSS.exe and M00.exe. It uses (off memory) the "Run" section of the registry to spawn as well as the "Shell/Open/Command" section to run itself every time an exe file is opened. It also does some damage to the registry preventing Control Panel from working. The workaround for this was to run the .CPL files directly. I never managed to fix this problem though and ended up doing a rebuild.
Do NOT delete these files. If you do, the PC won't run any ".EXE" files. Remove the registry autostart entries first, then delete the files. It also pays to have MMC.exe (policy editor) and Regedit on the desktop, renamed to .COM to protect yourself.
Trend antivirus (the one I use) could not identify it; even when I used their online scan, the files came up as clean. I copied them to disk and put the disk in my girlfriend's PC to see what Symantec virus scanner thought, and it identified it as a "Bloodhound.Packed" virus. Naturally, I submitted the virus to Trend and they took no action. I submitted it to them again and they still took no further action. Even several months later, I used their online scanner to check the files and it still showed them as clean. At that point, I decided not to waste my time and data with Trend's software.
Like you, I searched the net for anything even remotely like this and found nothing.
Anyway, enough rambling, if you need any more information on this virus, please let me know.
From: Syklops [mailto:syklops (at) duicon (dot) com [email concealed]]
Sent: Thursday, 24 March 2005 3:33 AM
To: focus-virus (at) securityfocus (dot) com [email concealed]
Subject: Possible New Sasser Variant
I work in Technical support for BT Yahoo Broadband and had a call from a guy who appeared to have the Sasser; the system was shutting down when trying to access websites, and I attempted to fix the problem using CTRL+ALT+DEL and kill the lsasss process. However, when I do that, Task Manager does not appear. I get an egg-timer for about a second and it disappears. A quick Google did not find me mention of a variant of Sasser which kills Task Manager.
Have I found a new variant, or is this already known?
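The reply above names three registry locations the infection relied on: the "Run" autostart key, the exefile Shell/Open/Command handler (which is why deleting the files first breaks every .EXE), and the XP policies that hide Task Manager and Regedit. The script below is an added example, not code from either poster, that audits an exported .reg file offline for those three indicators, so a clean-up can remove the autostart entries and restore the exefile handler before the files are deleted. The sample export is constructed to reproduce the described state; the file names LSASSS.exe and M00.exe are the ones the poster remembered and are used only as a hint for the Run-key check, not as a signature.

```python
"""Audit an exported Windows registry file (.reg text) for the persistence and
lockdown indicators described in the thread:
  1. exefile\shell\open\command pointing at something other than "%1" %*
  2. Run-key autostart entries whose file name matches what the poster saw
  3. DisableTaskMgr / DisableRegistryTools policies set to 1
Added example with a constructed sample export; not the poster's own code."""

# Registry locations described in the thread.
EXEFILE_CMD_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
POLICY_KEY_SUFFIX = r"\Policies\System"
LOCKDOWN_VALUES = {"DisableTaskMgr", "DisableRegistryTools"}
# File names from the post; a hint for the Run-key check, not a signature.
SUSPECT_NAMES = {"lsasss.exe", "m00.exe"}

# Constructed sample export reproducing the described state (not real malware data).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\M00.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Service"="C:\\WINDOWS\\LSASSS.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001
'''


def parse_reg(text):
    """Parse .reg text into {key: {value_name: raw_data}}; '@' is the default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif "=" in line and current is not None:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data
    return keys


def _unquote(data):
    """Turn a .reg string literal ("C:\\x \"%1\"") into its plain form."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return data


def audit_reg_export(text):
    """Return a list of (indicator, detail) findings for the export."""
    keys = parse_reg(text)
    findings = []
    # 1. exefile handler: the clean default is "%1" %* with nothing in front of it.
    cmd = _unquote(keys.get(EXEFILE_CMD_KEY, {}).get("@", '"%1" %*'))
    if cmd.strip() != '"%1" %*':
        findings.append(("exefile_hijack", cmd))
    # 2. Run-key autostarts whose file name matches the names from the post.
    for run_key in RUN_KEYS:
        for name, data in keys.get(run_key, {}).items():
            path = _unquote(data)
            if path.replace("/", "\\").split("\\")[-1].lower() in SUSPECT_NAMES:
                findings.append(("run_autostart", f"{name} -> {path}"))
    # 3. Policies that hide Task Manager / Regedit (dword:00000001 means enabled).
    for key, values in keys.items():
        if key.endswith(POLICY_KEY_SUFFIX):
            for name in sorted(LOCKDOWN_VALUES & set(values)):
                if values[name].lower() == "dword:00000001":
                    findings.append(("lockdown_policy", name))
    return findings


if __name__ == "__main__":
    for indicator, detail in audit_reg_export(SAMPLE_REG):
        print(f"{indicator}: {detail}")
```

The check order matches the clean-up order the reply recommends: the exefile handler and the Run entries are what must be put right before the files themselves are touched, and the two policy values are what stop Task Manager and Regedit from opening in the first place.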
Copyright 2010, SecurityFocus