[virusinfo] Sophos Anti-Virus IDE alert: W32/Sasser-F

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Tue, 11 May 2004 08:27:36 -0700

From: Sophos Alert System:

Name: W32/Sasser-F
Type: Win32 worm
Date: 11 May 2004

A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the June 2004 (3.82) release of Sophos Anti-Virus.

Customers using Enterprise Manager, PureMessage and any of the
Sophos small business solutions will be automatically protected
at their next scheduled update.


Information about W32/Sasser-F can be found at:
http://www.sophos.com/virusinfo/analyses/w32sasserf.html
Description 
W32/Sasser-F is a network worm which spreads by exploiting a Microsoft
LSASS vulnerability. 
The worm copies itself to the Windows folder as NAPATCH.EXE and sets the
following registry entry to auto-start on user logon: 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
nvpatch = napatch.exe 

W32/Sasser-F attempts to connect to random IP addresses on ports TCP/445
and TCP/9996 and then exploit the LSASS vulnerability. If successful an FTP
script is uploaded to and executed on the remote computer which then
connects back on port 5554 to download a copy of the worm via FTP. 

W32/Sasser-F may cause the program LSASS.EXE to terminate, which generally
prompts Windows to shut down and reboot. However, W32/Sasser-F attempts to
prevent a system shutdown.

Recovery
Please follow the instructions for removing worms.

This IDE file also includes detection for:

W32/Agobot-KH
http://www.sophos.com/virusinfo/analyses/w32agobotkh.html
Troj/Delf-IZ
http://www.sophos.com/virusinfo/analyses/trojdelfiz.html
Troj/Agent-U
http://www.sophos.com/virusinfo/analyses/trojagentu.html
W32/Agobot-HU
http://www.sophos.com/virusinfo/analyses/w32agobothu.html
Troj/StartPa-CW
http://www.sophos.com/virusinfo/analyses/trojstartpacw.html
W32/Rbot-H
http://www.sophos.com/virusinfo/analyses/w32rboth.html
WM97/Thus-Z
http://www.sophos.com/virusinfo/analyses/wm97thusz.html
Troj/Notboot-A
http://www.sophos.com/virusinfo/analyses/trojnotboota.html
W32/Agobot-ZA
http://www.sophos.com/virusinfo/analyses/w32agobotza.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/sasser-f.ide

Download all the IDE files available for the current version of 
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html


*********** MIKE'S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 
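Added example, not part of Mike's post or of Sophos's own tooling: a small Python script that turns the indicators in the alert above into defender-side checks. It flags the Run-key persistence entry (nvpatch = napatch.exe) and, from firewall logs, the propagation pattern the alert describes (one host touching many addresses on TCP/445 and TCP/9996, and the victim fetching the worm over TCP/5554). The log line format, the sample log, and the SCAN_THRESHOLD tuning value are constructed assumptions for the example; adapt the regex to your own firewall's format.

```python
"""Detection helpers for the W32/Sasser-F behaviour in the Sophos alert.

Added example, not Sophos or list-author code. Two checks:
  1. persistence: Run-key value  nvpatch = napatch.exe  (from the alert)
  2. propagation: a source host contacting many distinct targets on TCP/445
     and/or TCP/9996, plus connections to TCP/5554 (the worm's FTP port).
The log format is a constructed, simplified firewall line (assumption):
    <time> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <action>
"""
from collections import defaultdict
import re

SASSER_F_RUN_VALUE = "nvpatch"        # registry value name from the alert
SASSER_F_RUN_DATA = "napatch.exe"     # value data from the alert
SASSER_F_PORTS = {445, 9996, 5554}    # ports named in the alert
SCAN_THRESHOLD = 5   # distinct 445 targets before we call it scanning (assumed tuning)

LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)\s+(?P<action>\w+)$"
)


def check_run_key(run_values):
    """True if a mapping of Run-key value names to data holds the Sasser-F entry.
    Comparison is case-insensitive because registry value names are, and the
    data may be a full path ending in napatch.exe."""
    for name, data in run_values.items():
        if name.lower() == SASSER_F_RUN_VALUE and data.strip().lower().endswith(SASSER_F_RUN_DATA):
            return True
    return False


def parse_line(line):
    """Parse one constructed firewall line; return None for lines that do not match."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "proto": m["proto"].upper()}


def find_sasser_candidates(lines):
    """Group TCP events by source host and report hosts whose traffic matches
    the worm: many distinct targets on 445 (LSASS exploit attempts), any use of
    9996 (exploit shell), or any connection to 5554 (victim fetching the worm)."""
    per_src = defaultdict(lambda: {445: set(), 9996: set(), 5554: set()})
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["proto"] != "TCP" or ev["dport"] not in SASSER_F_PORTS:
            continue
        per_src[ev["src"]][ev["dport"]].add(ev["dst"])
    findings = {}
    for src, ports in per_src.items():
        reasons = []
        if len(ports[445]) >= SCAN_THRESHOLD:
            reasons.append(f"{len(ports[445])} distinct targets on TCP/445")
        if ports[9996]:
            reasons.append(f"TCP/9996 to {len(ports[9996])} host(s)")
        if ports[5554]:
            reasons.append(f"TCP/5554 (worm FTP) to {len(ports[5554])} host(s)")
        if reasons:
            findings[src] = reasons
    return findings


# Constructed sample log: 10.0.0.23 sprays TCP/445, then 9996 to one victim,
# and the victim 192.168.1.7 connects back to 5554. 10.0.0.5 is benign SMB
# traffic to a single file server and must not be flagged.
SAMPLE_LOG = [
    "2004-05-11T08:27:36 10.0.0.23:1034 -> 203.0.113.10:445 TCP DENY",
    "2004-05-11T08:27:36 10.0.0.23:1035 -> 203.0.113.11:445 TCP DENY",
    "2004-05-11T08:27:37 10.0.0.23:1036 -> 203.0.113.12:445 TCP DENY",
    "2004-05-11T08:27:37 10.0.0.23:1037 -> 198.51.100.4:445 TCP DENY",
    "2004-05-11T08:27:38 10.0.0.23:1038 -> 198.51.100.9:445 TCP DENY",
    "2004-05-11T08:27:38 10.0.0.23:1039 -> 192.168.1.7:445 TCP ALLOW",
    "2004-05-11T08:27:39 10.0.0.23:1041 -> 192.168.1.7:9996 TCP ALLOW",
    "2004-05-11T08:27:40 192.168.1.7:1025 -> 10.0.0.23:5554 TCP ALLOW",
    "2004-05-11T08:28:01 10.0.0.5:1100 -> 10.0.0.10:445 TCP ALLOW",
    "2004-05-11T08:28:05 10.0.0.5:1101 -> 10.0.0.10:445 TCP ALLOW",
    "2004-05-11T08:28:09 10.0.0.5:1102 -> 10.0.0.10:445 TCP ALLOW",
    "this line is not a firewall record and is skipped",
]

if __name__ == "__main__":
    for host, reasons in find_sasser_candidates(SAMPLE_LOG).items():
        print(host, "->", "; ".join(reasons))
    print("Run key matches Sasser-F:", check_run_key({"nvpatch": r"C:\WINDOWS\napatch.exe"}))
```

On a real network the 445 threshold should be tuned against normal SMB fan-out (domain controllers and backup hosts legitimately reach many machines on 445), so the 9996 and 5554 indicators are the higher-confidence signals.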


