[Dshield] strange trojan dropper--anyone seen this?

tank@tankweb.net tank at tankweb.net
Thu Jun 24 17:00:55 GMT 2004

That is a symptom of the sasser worm.

Sasser Worm opens security ports on the infected computer which makes it
vulnerable to hackers who can use these open ports to implant Spyware and
Trojan Programs, hence stealing your personal information.

Symptoms of Sasser Infection: 
Unexpected system shutdowns (mostly on Windows 2000 and Windows XP) 
Unexpected heavy traffic which slows down Internet connection 
An error message about LSA Shell or lsass.exe. 

Original Message:
From: Rudy Wesson spongerudy at yahoo.com
Date: Thu, 24 Jun 2004 06:39:01 -0700 (PDT)
To: list at lists.dshield.org
Subject: [Dshield] strange trojan dropper--anyone seen this?

This has popped up in a few places in our university network and I'm
wondering if anyone's seen anyone similar...
What I'm seeing is a little piece of malware which goes out to apparently
hardcoded IP addresses, giving the remote user a command shell.  It seems
to have been put into place by a dropper of some kind, apparently a
trojanized version of a legitimate win32 app.   Can't tell what triggers
the malware to attempt to make the connection...I don't think it's any
outside stimulus (so this is different from most backdoors where the
attacker has to scan for the trojan listening on a certain port).
The dropper in this case was apparently a trojanized versino of lsass.exe
and I have seen it infecting a box in at least one case by exploiting an MS
Outlook activex vuln.
This thing doesn't seem to be propagating by itself so I wonder if we're
being targeted for something deliberately...has anyone seen ANYTHING like

Do you Yahoo!?
Take Yahoo! Mail with you! Get it on your mobile phone.
list mailing list
list at lists.dshield.org
To change your subscription options (or unsubscribe), see:

mail2web - Check your email from the web at
http://mail2web.com/ .

More information about the list mailing list