Virus Alert -- Buffer Overflow 445 -- Undetected

tranceport

Aug 8, 2000
Buffer overflow traffic on 445. Sasser and Kroger look alike.
Creates a sndsys.exe file in c:\winnt\system32.
So far seems to only infect Windows 2000, but unconfirmed.
Creates a registry entry in Run for "Windows Sound System" c:\winnt\system32\sndsys.exe
sndsys.exe opens lots of ports, apparently randomly, starting around 1025 up into the 3000s.

Can't find any info on sndsys.exe anywhere. I'd bet it is a nifty little variant of Sasser, SDBot, Kroger etc.

McAfee Virus Scan 8.0i Enterprise with 4320/4416 does not detect it. We only started catching it with buffer overflow protection alerts. Saw it while sniffing traffic.

Symantec, F-Prot, CA, NAI, none of them have anything yet that I could find with my limited human searching capabilities. Maybe some of you android AT folks can find something.

I submitted a sample to AVERT WebImmune. They are inconclusive and are forwarding to a researcher.

No info on payload etc.

REMOVAL is simple enough.
In registry find HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Delete: "Windows Sound System" REG_SZ "c:\winnt\system32\sndsys.exe"
Open task manager and end the process for sndsys.exe. Might have to use kill -f.
Browse to c:\winnt\system32 and delete the sndsys.exe file.

Rinse and Repeat on other infected machines.

Keep an eye out...
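The removal steps above, as an added PowerShell audit/cleanup script that is not part of the original post. It assumes only the indicators named in the thread (the "Windows Sound System" Run value, the sndsys.exe process and file under system32) and a PowerShell with Get-FileHash (version 4 or later); run it elevated, report-only by default.

```powershell
# Added example (hypothetical script, not from the original post): audit a host
# for the sndsys.exe indicators described above and optionally remove them.
# Defaults to report-only; pass -Remove to actually clean. Run as Administrator.
param([switch]$Remove)

$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valName  = 'Windows Sound System'
$fileName = 'sndsys.exe'
# The post gives c:\winnt\system32; $env:SystemRoot resolves to that on Windows 2000.
$path     = Join-Path $env:SystemRoot "system32\$fileName"
$found    = @()

# 1. Autostart entry: HKLM Run value pointing at sndsys.exe
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.$valName -and $run.$valName -match [regex]::Escape($fileName)) {
    $found += "Run value '$valName' = $($run.$valName)"
    if ($Remove) { Remove-ItemProperty -Path $runKey -Name $valName }
}

# 2. Running process (Get-Process takes the image name without .exe)
$proc = Get-Process -Name ($fileName -replace '\.exe$', '') -ErrorAction SilentlyContinue
if ($proc) {
    $found += "Process $fileName running (PID $($proc.Id -join ','))"
    if ($Remove) { $proc | Stop-Process -Force }
}

# 3. Dropped file; record its hash before deletion so a sample can still be
#    submitted to the AV vendors. The process must be stopped first or the
#    delete fails. Get-FileHash requires PowerShell 4 or later (assumption).
if (Test-Path -Path $path) {
    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    $found += "File $path present (SHA256 $hash)"
    if ($Remove) { Remove-Item -Path $path -Force }
}

if ($found) { $found | ForEach-Object { Write-Output "[!] $_" } }
else        { Write-Output "[ ] No $fileName indicators found on $env:COMPUTERNAME" }
if ($found -and -not $Remove) { Write-Output 'Re-run with -Remove to clean this host.' }
```

Run it across the other machines the post mentions in place of the manual "rinse and repeat"; the hash line is what you would keep for the vendor submission.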