Network Security Focus-Virus

RE: Possible New Sasser Variant

Subject: RE: Possible New Sasser Variant
Date: Thu, 24 Mar 2005 08:43:37 +0800
Hi Syklops, this sounds exactly like a virus that hit my home PC last year.  It 
has an executable (VB app) which sets the policies in XP to disallow running 
Regedit and Task Manager, closes programs at random and disables shutdown.  The 
files used by this are: LSASSS.exe and M00.exe.  It uses (off memory) the "Run" 
section of the registry to spawn as well as the "Shell/Open/Command" section to 
run itself every time an exe file is opened.  It also does some damage to the 
registry preventing control panel from working.  The workaround for this was 
to run the .CPL files directly.  I never managed to fix this problem though and 
ended up doing a rebuild.

Do NOT delete these files.  If you do, the PC won't run any ".EXE" files.  
Remove the registry autostart entries first, then delete the files.  It also 
pays to have MMC.exe (policy editor) and Regedit on the desktop, renamed to 
.COM to protect yourself.

Trend antivirus (the one I use) could not identify it, even when I used their 
online scan, the files came up as clean.  I copied them to disk and put the 
disk in my girlfriend's PC to see what Symantec virus scanner thought and it 
identified it as a "Bloodhound.Packed" virus.  Naturally, I submitted the virus 
to Trend and they took no action.  I submitted it to them again and they still 
took no further action. Even several months later, I used their online scanner 
to check the files and it still showed them as clean.  At that point, I decided 
not to waste my time and data with Trend's software.

Like you, I searched the net for anything even remotely like this and found 
nothing. 

Anyway, enough rambling, if you need any more information on this virus, please 
let me know.

Darren Jefferies

-----Original Message-----
From: Syklops [mailto:syklops@duicon.com]
Sent: Thursday, 24 March 2005 3:33 AM
To: focus-virus@securityfocus.com
Subject: Possible New Sasser Variant


Hi Guys,

I work in Technical support for BT Yahoo Broadband and had a call from a
guy who appeared to have the sasser, the system was shutting down when
trying to access websites, and I attempted to fix the problem using
CTRL+ALT+DEL and kill the lsasss process, however, when I do that, Task
Manager does not appear. I get an egg-timer for about a second and it
disappears. A quick google did not find me mention of a variant of
sasser which kills Task Manager.

Have I found a new variant, or is this already known?

Cheers

-A-
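
A read-only check for the three registry changes described in the reply above, added here as an example and not code from either poster: it parses text in `.reg` export format and flags a non-default `exefile\shell\open\command` value, `Run` entries naming the files from the post, and the Task Manager/Regedit lockout policies. The sample export, its paths, and the choice of `DisableTaskMgr`/`DisableRegistryTools` as the policy values are assumptions; the post names none of them.

```python
import re
EXE_DEFAULT = '"%1" %*'                 # stock Windows value for exefile\shell\open\command
WATCH = ("lsasss.exe", "m00.exe")       # file names given in the post
LOCKOUTS = ("DisableTaskMgr", "DisableRegistryTools")  # assumed policy values

# Constructed sample in .reg export format; paths and the hijacked command are illustrative.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\M00.exe \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lsasss"="C:\\WINDOWS\\system32\\LSASSS.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001
'''

def parse_reg(text):
    """Return {key_path: {value_name: decoded_data}} from .reg export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m and current is not None:
            name, data = m.group(1).strip('"'), m.group(2)
            if data.startswith('"'):                      # REG_SZ: drop quotes, undo escapes
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            current[name] = data
    return keys

def audit(text):
    """Flag the three registry changes the post describes; nothing is modified."""
    findings = []
    for path, values in parse_reg(text).items():
        low = path.lower()
        if low.endswith(r"\exefile\shell\open\command") and values.get("@") != EXE_DEFAULT:
            findings.append(("exe-handler-hijack", values.get("@")))
        elif low.endswith(r"\currentversion\run"):
            findings += [("run-entry", n) for n, d in values.items()
                         if d.lower().endswith(WATCH)]
        elif low.endswith(r"\policies\system"):
            findings += [("tool-lockout", n) for n in LOCKOUTS
                         if values.get(n, "").lower() == "dword:00000001"]
    return findings
```

An `exe-handler-hijack` finding is the reason the reply says to fix the registry before deleting files: while that value still points at the malware, every `.exe` launch depends on it. Real `regedit` exports in this format are UTF-16, so decode the file before passing its text to `audit`.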


