
W32/Rastax.worm

Type: Virus
SubType: Worm
Discovery Date: 04/25/2008
Length: 329,216 bytes
Minimum DAT: 5283 (04/28/2008)
Updated DAT: 5284 (04/29/2008)
Minimum Engine: 5.1.00
Description Added: 04/25/2008
Description Modified: 04/25/2008 1:56 PM (PT)
Risk Assessment:
  Corporate User: Low
  Home User: Low

Characteristics

The virus copies itself to the Windows directory:

  • %WinDir%\system32\csoss.exe
  • %WinDir%\syste32\setup\lsass.exe
  • %WinDir%\system32\drivers\lsass.exe
  • %WinDir%\temp\lsass.exe

(where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS etc.)

and creates registry run keys to load itself at startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "AVastShip" = %WinDir%\system32\csoss.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "NortonUP" = %WinDir%\syste32\setup\lsass.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "AVGUPDATE" = %WinDir%\temp\lsass.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\winlogon "shell" = explorer.exe,%WinDir%\system32\drivers\lsass.exe

It propagates by copying itself to the root directory of all drives (including removable drives and network mapped drives). The copied files have the following filenames:

  • Satlink.exe
  • Fotos Fernanda nua.exe
  • Videos Sexo.exe
  • Fotos Minhas.exe

 

Symptoms

  • presence of the files described above
  • presence of the registry keys described above
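
The symptoms above can be checked against a collected host snapshot. The following is an added example, not part of the original description or the vendor's tooling: the snapshot layout (files, run, winlogon_shell) and the function names are assumptions, and the sample data is constructed.

```python
import ntpath

# Indicators copied from the description above; "syste32" is spelled as the page gives it.
DROPPED = [r"system32\csoss.exe", r"syste32\setup\lsass.exe",
           r"system32\drivers\lsass.exe", r"temp\lsass.exe"]
RUN_NAMES = {"avastship", "nortonup", "avgupdate"}  # registry value names, case-insensitive
ROOT_NAMES = {"satlink.exe", "fotos fernanda nua.exe", "videos sexo.exe", "fotos minhas.exe"}

def norm(path, windir):
    """Expand %WinDir%, drop quotes, normalise separators and case (Windows rules)."""
    p = path.strip().strip('"')
    if p.lower().startswith("%windir%"):
        p = windir + p[len("%windir%"):]
    return ntpath.normcase(ntpath.normpath(p))

def check_host(snapshot, windir=r"C:\WINDOWS"):
    """Return sorted (kind, detail) findings for a snapshot of files and registry values."""
    bad = {norm(ntpath.join(windir, rel), windir) for rel in DROPPED}
    found = set()
    for f in snapshot.get("files", []):
        n = norm(f, windir)
        if n in bad:
            found.add(("dropped_file", n))
        drive, rest = ntpath.splitdrive(n)  # handles X: and \\server\share
        if drive and rest.count("\\") == 1 and rest[1:] in ROOT_NAMES:
            found.add(("root_copy", n))     # only copies in a drive root count
    for name, data in snapshot.get("run", {}).items():
        if name.lower() in RUN_NAMES or norm(data, windir) in bad:
            found.add(("run_value", name))
    # Winlogon "shell" is a comma-separated list; the default is just explorer.exe.
    for entry in snapshot.get("winlogon_shell", "").split(","):
        if norm(entry, windir) in bad:
            found.add(("winlogon_shell", norm(entry, windir)))
    return sorted(found)

# Constructed snapshot for illustration, not real telemetry.
SAMPLE = {
    "files": [r"E:\Fotos Minhas.exe", r"C:\Windows\System32\lsass.exe",
              r"C:\WINDOWS\temp\lsass.exe", r"E:\backup\Satlink.exe"],
    "run": {"avgupdate": r"%WinDir%\temp\lsass.exe",
            "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    "winlogon_shell": r"explorer.exe,C:\WINDOWS\system32\drivers\lsass.exe",
}

if __name__ == "__main__":
    for kind, detail in check_host(SAMPLE):
        print(kind, detail)
```

The legitimate C:\Windows\System32\lsass.exe is not reported, because only the exact paths listed above are matched.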

Method of Infection

The worm propagates via removable drives and network shared folders.

Removal

Detection is included in our BETA DAT files and will also be included in the next scheduled DAT release.

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
