This link describes one fairly well-known file name confusion:
http://www.softwarepatch.com/tips/isass.html
There is a new one associated with a malware which is not being
detected by many av scanners at the time of this post. The malware is
right now being dumped on newsgroups (zipped) with the file name
Christina_Aguilera.scr. KAV alerts as backdoor.hackarmy.gen.
Norman Virus Control (NVC) unravels the malware using its sandbox
method. This reveals another name confusion. The installed malware
uses the file name lsasss.exe. Notice the three letters "s"
instead of two, and the capital "i" or perhaps the lower case "L".
The sandbox info suggests a means of removal since:
1. The Trojan creates the value "MPL32 Driver"="Isass.exe"
in registry key:
HKLM\Software\Microsoft\Windows\CurrenrVersion\Run
2. The file Isasss.exe is installed to c:\windows\system
3. It attempts to Open:
c:\windows\system\Iasss.exe qwerc:\sample.exe
4. It deletes c:\sample.exe
There is more info as well, such as:
it connects to port 6667 193.75.75.100
attempts to resolve "chit.badpenguin.net"
connects to IRC server
attempts to resolve name "0.0.0.0"
IRC nickname: jpfpfpf
IRC user name: jpfpfpf
Joins channel ##****ed with password open
creates a mutex ****ed
Art
http://www.epix.net/~artnpeg
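
Added example, not part of the original post: a Python check that flags file names imitating a Windows system binary, using the spellings quoted above as test input. The protected-name list, the look-alike character table and the distance threshold of 1 are assumptions chosen for illustration.

```python
import re

# Names commonly imitated; extend for your environment (assumed list).
PROTECTED = ("lsass.exe", "svchost.exe", "services.exe", "winlogon.exe")

# Characters that look alike in common fonts, folded to one representative.
CONFUSABLE = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o"})


def skeleton(name: str) -> str:
    """Lowercase, fold look-alike characters, collapse repeated characters."""
    folded = name.lower().translate(CONFUSABLE)
    return re.sub(r"(.)\1+", r"\1", folded)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def imitates(path: str, max_distance: int = 1):
    """Return the protected name that `path` imitates, or None."""
    name = re.split(r"[\\/]", path)[-1]
    if name.lower() in PROTECTED:
        return None  # exact name; its directory must be checked separately
    for real in PROTECTED:
        if edit_distance(skeleton(name), skeleton(real)) <= max_distance:
            return real
    return None


if __name__ == "__main__":
    # The four spellings that appear in the post, plus two benign names.
    samples = [r"c:\windows\system\lsasss.exe", "Isass.exe", "Isasss.exe",
               r"c:\windows\system\Iasss.exe", "LSASS.EXE", "notepad.exe"]
    for s in samples:
        print(f"{s!r:40} -> {imitates(s)}")
```

An exact match on the name returns None here, so a genuine-looking lsass.exe sitting outside the system directory still needs a separate path check.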