MS04-011: Sasser.G - new minor variant, a concern only for unpatched systems

Discussion in 'other security issues & news' started by the mul, Jun 11, 2004.

Thread Status:
Not open for further replies.
  1. the mul (Registered Member, Jul 31, 2003)
    This minor variant is essentially designed to throw off antivirus scanners, and it only affects systems that are not up to date on Microsoft Windows security patches, specifically the April 2004 MS04-011 update.

    MS04-011: Sasser.G - new minor variant

    Latest Sasser Removal Tool includes "G"

    W32.Sasser.G is a minor variant of W32.Sasser.Worm. It attempts to exploit the LSASS vulnerability, described in Microsoft Security Bulletin MS04-011, and spreads by scanning randomly selected IP addresses for vulnerable systems. The worm's function is identical to that of W32.Sasser.E.Worm, but W32.Sasser.G contains an extra PE file section, which is 1 byte in size and appears to have no function. W32.Sasser.G differs from W32.Sasser.Worm as follows:

    * Uses a different mutex: SkynetNotice.
    * Uses a different file name: lsasss.exe.
    * Creates a different value in the registry: "lsasss.exe".
    * Uses different port numbers, used by FTP server and the remote shell: 1023 and 1022.
    * After 2 hours of running it displays a message.
    * It deletes the values from the registry, which are known to be installed by Trojan.Mitglieder, W32.Beagle.W@mm, and W32.Beagle.X@mm.
    * The name of the file retrieved from the FTP server is followed by _update.exe.
    * The worm logs data into the file C:\ftplog.txt.
    * Has an updated routine for finding vulnerable computers. W32.Sasser.G sends an ICMP echo request before attempting to make a connection. This change may prevent the worm from properly executing on Windows 2000 systems.

    W32.Sasser.G can run on, but not infect, Windows 95/98/Me computers. Although these operating systems cannot be infected, they can still be used to infect vulnerable computers.

    The Mul
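An added host-triage example that sweeps a Windows machine for the Sasser.G indicators listed in the post (mutex, file name, registry value name, log file, and the two listener ports); it is not part of the original post or of Symantec's write-up, and it only reports, it does not clean. Assumptions, marked in the comments: the dropped file sits in %WinDir% and the registry value lives under the HKLM/HKCU Run keys (the post names neither location), the mutex is in the local session namespace, and `Get-NetTCPConnection` is available (Windows 8 / Server 2012 or later).

```powershell
# Added triage script (not from the original post). Reports Sasser.G indicators; does not remove anything.
$findings = @()

# 1. Mutex "SkynetNotice" (named in the post). Assumes the local session namespace;
#    TryOpenExisting needs .NET 4.5+. Access denied still means something owns the name.
$mutex = $null
try {
    if ([System.Threading.Mutex]::TryOpenExisting('SkynetNotice', [ref]$mutex)) {
        $findings += 'Mutex SkynetNotice is present'
        $mutex.Dispose()
    }
} catch [System.UnauthorizedAccessException] {
    $findings += 'Mutex SkynetNotice exists (access denied when opening it)'
}

# 2. Dropped file lsasss.exe (name from the post; the %WinDir% location is an assumption).
#    Note the triple "s": the legitimate lsass.exe lives in System32.
$exe = Join-Path $env:WinDir 'lsasss.exe'
if (Test-Path $exe) { $findings += "File present: $exe" }

# 3. A running process named lsasss (distinct from the legitimate lsass).
if (Get-Process -Name 'lsasss' -ErrorAction SilentlyContinue) {
    $findings += 'Process lsasss.exe is running'
}

# 4. Registry value named lsasss.exe (value name from the post; the Run keys are an assumption).
foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    $v = Get-ItemProperty -Path $key -Name 'lsasss.exe' -ErrorAction SilentlyContinue
    if ($v) { $findings += "Registry value lsasss.exe under $key = $($v.'lsasss.exe')" }
}

# 5. Log file C:\ftplog.txt (from the post).
if (Test-Path 'C:\ftplog.txt') { $findings += 'Log file C:\ftplog.txt exists' }

# 6. Listeners on TCP 1023 (FTP server) and 1022 (remote shell), ports from the post.
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in 1022, 1023 }
foreach ($l in $listeners) {
    $p = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    $findings += "TCP $($l.LocalPort) listening, owned by PID $($l.OwningProcess) ($($p.ProcessName))"
}

if ($findings) {
    Write-Output 'Possible Sasser.G indicators found:'
    $findings | ForEach-Object { Write-Output "  - $_" }
    Write-Output 'Apply MS04-011 and run the current Sasser removal tool.'
} else {
    Write-Output 'None of the listed Sasser.G indicators were found.'
}
```

A hit on the port check alone is weak evidence, since 1022/1023 can be used by other software; the mutex, file and registry value together are the stronger signal.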