Alias:
Type: Worm
Size: 15,872 Bytes
Origin: unknown
Date: 05-09-2004
Damage: Uses LSASS security hole (Microsoft Security Bulletin MS04-011)
VDF Version: 6.25.00.60
Danger: Low
Distribution: High

General Description
The worm makes sure that only one instance of itself is active by using a mutex (SkynetNotice). It copies itself as %WinDIR%\lsass.exe and makes the following entry in the Windows registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"lsasss.exe"="%WinDIR%\lsasss.exe"

The worm deletes the following registry entries:
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"ssgrate.exe"

- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"drvsys.exe"

- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Drvddll_exe"

The worm repeats this deletion every second during the first 2 hours. It then displays the following message:
1. Your computer is affected by the MS04-011 security hole.
2. It is possible for computer viruses to infect your computer.
3. Please download the update from your computer. Use the patch MS04-011 from the internet site www.microsoft.com.
4. This is a message from SkyNet Team, to prevent malicious activities.

The file C:\ftplog.txt contains the IP addresses and the number of infected computers.

Technical Details
The worm starts an FTP server on TCP port 5554. This server is used to spread the worm to other systems. It collects IP addresses from the infected systems and generates new target addresses similar to the ones it gathered.

It contacts other systems on TCP port 445 that have not patched the LSASS security hole. Once connected, it sends shellcode that opens TCP port 9996 on the target. It then uses TCP port 5554 to transfer a copy of the worm to the newly infected computer. This copy has a name of 4 or 5 digits followed by _up.exe, for example 74354_up.exe.
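As an added triage example (not part of the original description), the following Python script checks a host's Run key values, netstat output and file listing for the indicators described above: the lsasss.exe Run entry, listeners on TCP 5554 and 9996, dropped NNNNN_up.exe copies and C:\ftplog.txt. The netstat line layout and the sample host state are assumptions constructed for the example.

```python
import re
# Indicators taken from the description above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "lsasss.exe"
WORM_PORTS = {5554: "FTP server that serves worm copies",
              9996: "shell opened by the MS04-011 exploit"}
DROPPED_NAME = re.compile(r"^\d{4,5}_up\.exe$", re.IGNORECASE)
FTP_LOG = r"c:\ftplog.txt"
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.IGNORECASE)

def check_run_key(values):
    """values: {name: data} read from the Run key. Flags the worm's persistence entry."""
    data = values.get(RUN_VALUE, "")
    if data.lower().endswith("\\lsasss.exe"):
        return [f"persistence: {RUN_KEY}\\{RUN_VALUE} = {data}"]
    return []

def check_listeners(netstat_lines):
    """Flags listening sockets on the worm's ports in 'netstat -an' style lines (assumed layout)."""
    hits = []
    for line in netstat_lines:
        m = LISTEN_RE.match(line)
        if m and int(m.group(1)) in WORM_PORTS:
            port = int(m.group(1))
            hits.append(f"listener: tcp/{port} ({WORM_PORTS[port]})")
    return hits

def check_files(paths):
    """Flags dropped copies (4-5 digits followed by _up.exe) and the worm's scan log."""
    hits = []
    for p in paths:
        if DROPPED_NAME.match(p.rsplit("\\", 1)[-1]):
            hits.append(f"dropped copy: {p}")
        elif p.lower() == FTP_LOG:
            hits.append(f"scan log: {p}")
    return hits

def triage(run_values, netstat_lines, paths):
    return check_run_key(run_values) + check_listeners(netstat_lines) + check_files(paths)

# Constructed sample host state (not real data) for one infected machine.
SAMPLE_RUN = {"lsasss.exe": r"C:\WINDOWS\lsasss.exe", "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}
SAMPLE_NETSTAT = ["  TCP    0.0.0.0:5554    0.0.0.0:0        LISTENING",
                  "  TCP    0.0.0.0:9996    0.0.0.0:0        LISTENING",
                  "  TCP    10.0.0.5:5554   10.0.0.9:1044    ESTABLISHED"]
SAMPLE_FILES = [r"C:\WINDOWS\lsasss.exe", r"C:\WINDOWS\system32\lsass.exe",
                r"C:\ftplog.txt", r"C:\WINDOWS\74354_up.exe"]
if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_RUN, SAMPLE_NETSTAT, SAMPLE_FILES)))
```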
Description entered by Crony Walker on Tuesday, 15 June 2004
