[windows_errors] [What_Error_Messages_Really_Mean_WIN_98] All Members.....SASSER WORM ALERT.....(please read)

  • From: "radar" <radar0509@xxxxxxxxx>
  • To: What_Error_Messages_Really_Mean_WIN_98@xxxxxxxxxxxxxxx
  • Date: Mon, 03 May 2004 12:56:48 -0000

"THIS VIRUS IS RANKED AS LEVEL 2 ALERT UNDER
F-SECURE RADAR.
Radar Alert LEVEL 2
NAME: Sasser
ALIAS: Sasser.A, Worm.Win32.Sasser.a
SIZE: 15872

Summary

Note: New variant (Sasser.B) using a filename AVSERVE2.EXE has been found.
See http://www.f-secure.com/v-descs/sasser_b.shtml

Sasser is an Internet worm spreading through the MS04-011 (LSASS)
vulnerability.

This vulnerability is caused by a buffer overrun in the Local Security
Authority Subsystem Service, and will affect all machines that:

- Are running Windows XP or Windows 2000
- Have not been patched against this vulnerability
- Are connected to the Internet without a firewall

See the Microsoft Bulletin for more info on the vulnerability, and run
Windows Update to patch your systems now.

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

A sign of infection is the existence of a file named 'C:\win.log' and
frequent crashes of 'LSASS.EXE'.

Sasser generates traffic on TCP ports 445, 5554 and 9996.

Disinfection

F-Secure has developed a special disinfection tool which can find and
remove Sasser.A, B and C infections.

The tool is available from the following locations:

ftp://ftp.f-secure.com/anti-virus/tools/f-sasser.zip
ftp://ftp.f-secure.com/anti-virus/tools/f-sasser.exe
ftp://ftp.f-secure.com/anti-virus/tools/f-sasser.txt

or through HTTP:

http://www.f-secure.com/tools/f-sasser.zip
http://www.f-secure.com/tools/f-sasser.exe
http://www.f-secure.com/tools/f-sasser.txt

Before using the tool please read the disinfection instructions from
'f-sasser.txt'.

Manual Disinfection

To manually disinfect an infected system, first apply the Microsoft
patch MS04-011, then use Task Manager to kill the "avserve.exe"
process, then delete the file AVSERVE.EXE from your Windows directory
and reboot.

For step-by-step instructions, see Microsoft's site:
http://www.microsoft.com/security/incident/sasser.asp#steps



Detailed Description

Sasser was written in Visual C++ and it spreads in a single executable
which is packed and protected with several envelopes.

System Infection

When the worm enters the system it creates a copy of itself in the
Windows Directory as 'avserve.exe'. This copy is added to the Registry as

[SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avserve.exe" = "%WinDir%\avserve.exe"

To ensure that only one copy of the worm is running it creates a mutex
named 'Jobaka3l'.

Network Propagation

Sasser exploits the MS04-011 (LSASS) vulnerability to gain access to
the remote systems. The worm starts 128 scanning threads that try to
find vulnerable systems on random IP addresses. Computers are probed
on port 445, which is the default port for Windows SMB communication on
NT-based systems.

The probing might crash unpatched computers.

Under Windows 2000, users can see a Windows error message like this:

Under Windows XP, users can see a Windows error message saying:

LSA Shell (Export Version) has encountered a problem
and needs to close. We are sorry for the inconvenience.

When attacking the worm first determines the version of the remote
operating system then uses the appropriate parameters to attack the host.

Different parameters are used for

- Windows XP (universal exploit)
- Windows 2000 (universal exploit)
- Windows 2000 Advanced Server (SP4 exploit)

Other operating systems, such as Windows Me and NT are not infected by
this worm.

If the attack is successful a shell is started on port 9996. Through
the shell port Sasser instructs the remote computer to download and
execute the worm from the attacker computer using FTP. The FTP server
listens on port 5554 on all infected computers with the purpose of
serving out the worm for other hosts that are being infected.
Transactions through the FTP server are logged to 'C:\win.log'.

Summary of TCP ports used by the worm:

- 445/TCP: the worm attacks through this port
- 5554/TCP: FTP server on infected systems
- 9996/TCP: remote shell opened by the exploit on the vulnerable hosts
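As an added example (not part of the F-Secure text or the original post), the following script cross-checks a host against the host-based indicators listed above: the worm's own listening ports, the avserve.exe Run value (avserve2.exe for Sasser.B) and the C:\win.log FTP log. The netstat output, Run values and file list are constructed sample data; on a real machine they would come from `netstat -an`, the HKLM Run key and the filesystem.

```python
import re

# Indicators from the F-Secure description above (Sasser.B uses avserve2.exe).
SASSER_PORTS = {5554: "FTP server serving the worm",
                9996: "remote shell opened by the exploit"}
SASSER_RUN_VALUES = {"avserve.exe", "avserve2.exe"}
SASSER_LOG = r"c:\win.log"

# Matches a LISTENING line of Windows "netstat -an" output (IPv4 or IPv6 local address).
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.IGNORECASE)

def listening_ports(netstat_output):
    """Return the set of local TCP ports in LISTENING state."""
    ports = set()
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            ports.add(int(m.group(2)))
    return ports

def sasser_findings(netstat_output, run_values, existing_files):
    """Cross-check netstat output, HKLM Run values and a file list against the indicators."""
    findings = []
    # Port 445 listening is normal on NT-based systems; only the worm's own ports count.
    for port in sorted(listening_ports(netstat_output) & set(SASSER_PORTS)):
        findings.append(f"TCP {port} listening: {SASSER_PORTS[port]}")
    for name, path in run_values.items():
        if name.lower() in SASSER_RUN_VALUES or path.lower().split("\\")[-1] in SASSER_RUN_VALUES:
            findings.append(f"Run value {name!r} -> {path}")
    if any(f.lower() == SASSER_LOG for f in existing_files):
        findings.append(f"{SASSER_LOG} present (worm's FTP transaction log)")
    return findings

# Constructed sample data for an infected host (not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5554           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9996           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:445        192.168.1.9:1030       ESTABLISHED
"""
SAMPLE_RUN = {"avserve.exe": r"C:\WINDOWS\avserve.exe",
              "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}
SAMPLE_FILES = [r"C:\win.log", r"C:\boot.ini"]

if __name__ == "__main__":
    for line in sasser_findings(SAMPLE_NETSTAT, SAMPLE_RUN, SAMPLE_FILES):
        print(line)
```

The mutex 'Jobaka3l' is not checked here because it only exists while the process is running and is not visible offline.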

The Vulnerability

This vulnerability is caused by a buffer overrun in the Local Security
Authority Subsystem Service of Windows NT-based systems.

Detailed information on the vulnerability and the available fixes is at

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx


Detection

Detection in F-Secure Anti-Virus was published on May 1st, 2004 in update:
[FSAV_Database_Version]
Version=2004-05-01_01
Technical Details: Gergely Erdelyi, May 1st, 2004
F-Secure Corporation, May 1st, 2004
(Radar) Co-Owner/Group Moderator