[virusinfo] Trend Micro Medium Risk Virus Alert - WORM_SASSER.A

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Sat, 01 May 2004 19:10:02 -0700


From: Trend Micro Newsletters:

As of May 1, 2004  4:15 AM PST, TrendLabs has declared a Medium Risk Virus
Alert to control the spread of WORM_SASSER.A. 
TrendLabs has received several infection reports indicating that this
malware is spreading in the US.

This worm is known to exploit the Windows LSASS vulnerability, which is a
buffer overrun that allows remote code execution and enables an attacker to
gain full control of the affected system. This vulnerability is discussed
in detail in the following pages: 

  • http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=MS04-011_MICROSOFT_WINDOWS
  • http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

To propagate, it scans random IP addresses for vulnerable systems. When a
vulnerable system is found, the malware sends a specially crafted packet to
produce a buffer overflow on LSASS.EXE. 

The resulting overflow allows the malware to listen on TCP port 9996, which
instructs it to spawn a command shell. The malware then creates the script
file CMD.FTP that contains instructions for the vulnerable system to
download and execute a copy of this malware via FTP. 

The infected host then opens TCP port 5554 to accept any FTP requests from
infected remote systems. The worm copy to be downloaded bears the file
name, <random integer>_up.exe (e.g., 12345_up.exe), and is saved in the
Windows system directory. 

After download, the malware deletes the file CMD.FTP. A log file named
WIN.LOG is created in the root directory. This file contains the number of
remote systems that the host system was able to infect. 


TrendLabs will be releasing the following EPS deliverables:

   TMCM Outbreak Prevention Policy 110 (released)
   Official Pattern Release 879 (released)
   Damage Cleanup Template 331 (ETA 1 hour)
   Vulnerability Assessment Rule 10 (released)
   NVW Pattern 10124 (ETA 1 hour)
  

For more information on WORM_SASSER.A, you can visit our Web site at:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SASSER.A.

*********** MIKE'S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 
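The alert above lists the host-side indicators of WORM_SASSER.A: a listener on TCP 5554 (the worm's FTP server), a listener on TCP 9996 (the shell spawned by the LSASS overflow), a dropped `<random integer>_up.exe` in the Windows system directory, the transient `CMD.FTP` script, and `WIN.LOG` in the root directory. The following is an added triage script that checks `netstat -an`-style output and a file listing for exactly those indicators. It is not part of Mike's post or the Trend Micro alert; the sample netstat lines and file paths are constructed for the example, the helper names are this example's own, and the system and root directory paths are assumed defaults.

```python
"""Host triage for the WORM_SASSER.A indicators named in the Trend Micro alert.

Added example, not from the alert or the mailing list.  Input is text in the
shape of `netstat -an` output plus a list of file paths; both samples below
are constructed, not captured from an infected host.
"""
import ntpath   # Windows path semantics even when run on a non-Windows box
import re

# Indicators taken from the alert text.
SASSER_FTP_PORT = 5554     # infected host serves its own copy over FTP here
SASSER_SHELL_PORT = 9996   # overflow payload listens here and spawns a shell
UP_EXE = re.compile(r"(?i)^\d+_up\.exe$")   # e.g. 12345_up.exe

# Constructed sample: a host with the two worm listeners plus one outbound
# connection to another infected host's FTP port.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5554           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9996           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1033        192.0.2.55:5554        ESTABLISHED
"""

# Constructed sample, as `dir /s /b` on the system and root directories might give.
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\12345_up.exe",
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\win.log",
    r"C:\WINDOWS\system32\cmd.ftp",
]


def listening_ports(netstat_text):
    """Return the set of local TCP ports reported in LISTENING state."""
    ports = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0].upper() == "TCP" \
                and parts[3].upper() == "LISTENING":
            # Local address is "addr:port"; take the text after the last colon.
            ports.add(int(parts[1].rsplit(":", 1)[1]))
    return ports


def file_indicators(paths, system_dir=r"C:\WINDOWS\system32", root_dir="C:\\"):
    """Flag the dropped files from the alert.

    system_dir and root_dir are assumed defaults for the example; pass the
    real values for the host being examined.
    """
    hits = []
    sys_norm = ntpath.normpath(system_dir).lower()
    root_norm = ntpath.normpath(root_dir).lower()
    for p in paths:
        directory, name = ntpath.split(p)
        dir_norm = ntpath.normpath(directory).lower()
        if dir_norm == sys_norm and UP_EXE.match(name):
            hits.append(("worm_copy", p))
        elif name.lower() == "cmd.ftp":
            # The worm deletes CMD.FTP after the download, so seeing it
            # usually means a transfer is in progress or was interrupted.
            hits.append(("ftp_script", p))
        elif name.lower() == "win.log" and dir_norm == root_norm:
            hits.append(("infection_log", p))
    return hits


def triage(netstat_text, paths):
    """Combine network and file indicators into one list of (kind, detail)."""
    findings = []
    ports = listening_ports(netstat_text)
    if SASSER_FTP_PORT in ports:
        findings.append(("ftp_listener", SASSER_FTP_PORT))
    if SASSER_SHELL_PORT in ports:
        findings.append(("shell_listener", SASSER_SHELL_PORT))
    findings.extend(file_indicators(paths))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_NETSTAT, SAMPLE_FILES):
        print(f"{kind:16} {detail}")
```

On a live host the netstat text and file list would come from `netstat -an` and a recursive listing of the system and root directories; the two listeners together are the strongest signal, since a stray `_up.exe` name or a `win.log` alone could be unrelated.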


