Everyone,
We are having fits with a new? virus or vulnerability. The symptoms are as
follows: an executable saatg.exe "appears" in the startup folder of the All
Users group and after a reboot launches itself. It adds a registry entry under
HKEY_LOCAL_MACHINE/Software/Microsoft/CurrentVersion/Run. The executable
shows under processes and seems to also launch additional processes, e.g.
~1.exe, ~2.exe, ~3.exe, etc. I cannot link any malicious activity to this
behavior, but it seems to be spreading like wildfire on our network, apparently
with absolutely no user activity. In testing I have done thus far, it finds
its way on to a _virgin_ system that has been installed disconnected from the
network with CD media including all relevant security patches. Panda
anti-virus does not seem to detect it either. It shows up on systems where
there is no interactive login, e.g. servers, regular users, and users with
elevated privileges. Additionally, once the executable is active it
systematically searches for other systems to share the good news with on port
TCP 135. I am aware of the recent vulnerabilities from Microsoft regarding
RPC and NetBIOS, but again, the recommended security fixes do not seem to
provide any relief. Does anyone have any insight into what this thing
is? TIA
Dan Lockwood