| Visit ThreatExpert web site | | | Close Report |
[Symantec] [Kaspersky Lab] [McAfee] [Trend Micro] [Sophos] [Microsoft] [Ikarus] [AhnLab]| What's been found | Severity Level |
| A network-aware worm that uses known exploit(s) in order to replicate across vulnerable networks. |  |
| MS04-011: LSASS Overflow exploit - replication across TCP 445 (common for Sasser, Bobax, Kibuv, Korgo, Gaobot, Spybot, Randex, other IRC Bots). | |
| Communication with a remote IRC server. |  |
| Contains characteristics of an identified security risk. | |
 | Possible Security Risk |
| Threat Category | Description |
 |
A network-aware worm that attempts to replicate across the existing network(s) |
 |
A virus capable to modify other files by infecting, prepending, or overwriting them them with its own body |
 |
A malicious backdoor trojan that runs in the background and allows remote access to the compromised system |
 | File System Modifications |
| # | Filename(s) | File Size | File Hash | Alias |
| 1 |
%System%\csrsc.exe
|
141,312 bytes | MD5: 0xA7E89A6572F34896BFDDD9FB9BC257D2 SHA-1: 0x3A5C281F8F589DAA78264FDDACA2045CE3E37412 |
Backdoor.Sdbot [Symantec] Virus.Win32.Virut.av [Kaspersky Lab]W32/Virut.gen.a [McAfee]PE_VIRUT.AV [Trend Micro]W32/Virut-W [Sophos]Worm:Win32/Neeris.AN [Microsoft]Worm.Win32.Neeris [Ikarus]Win32/Virut.B [AhnLab] |
 | Memory Modifications |
| Process Name | Process Filename | Main Module Size |
| csrsc.exe | %System%\csrsc.exe | 667,648 bytes |
| [filename of the sample #1] | [file and pathname of the sample #1] | 667,648 bytes |
| [generic host process] | [generic host process filename] | 45,056 bytes |
| Service Name | Display Name | Status | Service Filename |
| WinSpoolSvc | Windows Spool Services | "Stopped" | "%System%\csrsc.exe" |
| Service Name | Display Name | New Status | Service Filename |
| ImapiService | IMAPI CD-Burning COM Service | "Running" | %System%\imapi.exe |
 | Registry Modifications |
 | Other details |
| Remote Host | Port Number |
| 127.0.0.2 | 445 |
| 127.0.0.3 | 445 |
| 127.0.0.4 | 445 |
| 127.0.0.5 | 445 |
| 127.0.0.6 | 445 |
| 127.0.0.7 | 445 |
| 127.0.0.8 | 445 |
| 127.0.0.9 | 445 |
| 127.0.0.10 | 445 |
| 127.0.0.11 | 445 |
All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.
The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.
Copyright © 2013 ThreatExpert. All rights reserved.