Sunday, August 2, 2009

And more malware - lsass.exe

Turns out the previous post wasn't the last of it. An AV message popped up alerting me to a heap buffer overflow triggered by C:\windows\cursors\lsass.exe (what is a regular user supposed to do about that?). There may have been some level of rootkitting, because I couldn't see the file on the command line or in Windows Explorer; booting a Linux live CD fixed that problem. This is a location that has been associated with Sasser, and this *may* have been a variant, but not a single AV picked it up at VirusTotal. It was using this key to persist:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\Cursors\\lsass.exe"

Sent to McAfee again, and a different Bangalore monkey produced another signature! Win.
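The persistence trick above is easy to check for offline: export the Winlogon key to a .reg file and flag anything appended to the Shell value beyond the default explorer.exe. The script below is an added example, not from the original post; the .reg text in it is constructed to match the value quoted above, and the parser only handles plain string (REG_SZ) values.

```python
import re

# Constructed sample: a .reg export of the Winlogon key with the Shell value
# exactly as the post shows it (explorer.exe plus an extra executable).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe C:\\WINDOWS\\Cursors\\lsass.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
'''

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
DEFAULT_SHELL = "explorer.exe"

# Matches one "name"="value" line; both sides may contain \\ and \" escapes.
_VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: string_value}}.
    Only REG_SZ values ("name"="value") are collected; hex/dword lines are skipped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = _VALUE_RE.match(line)
            if m:
                # Undo the .reg escaping so paths compare as written on disk.
                value = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
                keys[current][m.group(1)] = value
    return keys


def winlogon_shell_extras(text):
    """Return every entry in the Winlogon Shell value other than explorer.exe.
    An empty list means the Shell is the plain default. Entries are split on
    commas and whitespace, so a path containing spaces shows up as several tokens."""
    values = parse_reg(text).get(WINLOGON_KEY, {})
    shell = values.get("Shell")
    if not shell:
        return []
    tokens = [t for t in re.split(r"[,\s]+", shell.strip()) if t]
    return [t for t in tokens if t.lower() != DEFAULT_SHELL]


if __name__ == "__main__":
    for extra in winlogon_shell_extras(SAMPLE_REG):
        print("Unexpected Winlogon Shell entry:", extra)
```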
