From: Trend Micro Newsletters

As of May 1, 2004 4:15 AM PST, TrendLabs has declared a Medium Risk Virus Alert to control the spread of WORM_SASSER.A. TrendLabs has received several infection reports indicating that this malware is spreading in the US.

This worm is known to exploit the Windows LSASS vulnerability, which is a buffer overrun that allows remote code execution and enables an attacker to gain full control of the affected system. This vulnerability is discussed in detail in the following pages:

• http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=MS04-011_MICROSOFT_WINDOWS
• http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

To propagate, it scans random IP addresses for vulnerable systems. When a vulnerable system is found, the malware sends a specially crafted packet to produce a buffer overflow on LSASS.EXE. The resulting overflow allows the malware to listen to TCP port 9996, which instructs it to spawn a command shell. The malware then creates the script file CMD.FTP that contains instructions for the vulnerable system to download and execute a copy of this malware via FTP. The infected host then opens TCP port 5554 to accept any FTP requests from infected remote systems. The worm copy to be downloaded bears the file name <random integer>_up.exe (e.g., 12345_up.exe) and is saved in the Windows system directory. After download, the malware deletes the file CMD.FTP.

A log file named WIN.LOG is created in the root directory. This file contains the number of remote systems that the host system was able to infect.
TrendLabs will be releasing the following EPS deliverables:

• TMCM Outbreak Prevention Policy 110 (released)
• Official Pattern Release 879 (released)
• Damage Cleanup Template 331 (ETA 1 hour)
• Vulnerability Assessment Rule 10 (released)
• NVW Pattern 10124 (ETA 1 hour)

For more information on WORM_SASSER.A, you can visit our Web site at:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SASSER.A

*********** MIKE'S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews
See a sample on my web page http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
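As an added example (not part of the Trend Micro alert or Mike's post), the following Python script turns the propagation behaviour described in the alert into a detection check over connection-log lines: it flags hosts that accept or make connections on TCP 9996 (the shell port) and TCP 5554 (the FTP listener), and hosts that fan out to many distinct addresses, as the random-IP scanning would. The log line format, the fan-out threshold, the use of port 445 for the LSASS probe, and the sample lines are all assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Ports named in the alert: 9996 (shell spawned after the LSASS overflow)
# and 5554 (FTP listener that serves the <random>_up.exe copy).
SASSER_PORTS = {9996, 5554}
# Distinct destinations before a source counts as "scanning" (assumed value).
SCAN_THRESHOLD = 20

# Hypothetical log format: "<ts> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) (?P<proto>\w+)$")

def parse(lines):
    """Yield (src, dst, dst_port, proto) for each well-formed line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m["src"], m["dst"], int(m["dport"]), m["proto"].upper()

def find_sasser_indicators(lines):
    """Return {ip: set(reasons)} for hosts showing the behaviour the alert describes."""
    hits, fanout = defaultdict(set), defaultdict(set)
    for src, dst, dport, proto in parse(lines):
        if proto != "TCP":
            continue
        if dport in SASSER_PORTS:
            # A host accepting 9996/5554 looks exploited; the peer is driving it.
            hits[dst].add(f"accepts tcp/{dport}")
            hits[src].add(f"connects to tcp/{dport}")
        fanout[src].add(dst)
    for src, dsts in fanout.items():
        if len(dsts) >= SCAN_THRESHOLD:
            hits[src].add(f"fan-out to {len(dsts)} hosts")
    return dict(hits)

# Constructed sample: 10.0.0.5 probes 25 random addresses (port 445 assumed for
# LSASS), shells 10.0.0.9 on 9996, and 10.0.0.9 pulls the worm back over 5554.
SAMPLE = [f"2004-05-01T04:15:{i:02d} 10.0.0.5:{40000 + i} -> 172.16.{i}.{(i * 37) % 250 + 1}:445 TCP"
          for i in range(25)]
SAMPLE += [
    "2004-05-01T04:16:00 10.0.0.5:40100 -> 10.0.0.9:9996 TCP",
    "2004-05-01T04:16:01 10.0.0.9:1043 -> 10.0.0.5:5554 TCP",
    "2004-05-01T04:16:02 10.0.0.7:1055 -> 10.0.0.1:80 TCP",   # benign
    "2004-05-01T04:16:03 10.0.0.7:1056 -> 10.0.0.1:53 UDP",   # benign
]

if __name__ == "__main__":
    for host, reasons in sorted(find_sasser_indicators(SAMPLE).items()):
        print(host, sorted(reasons))
```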