BPsite Forums

BPSITE => Geek's Corner => Topic started by: GandalfTheOld on May 05, 2004, 03:21:18 AM



Title: Another virus outbreak
Post by: GandalfTheOld on May 05, 2004, 03:21:18 AM
Quote
Subject: VIRUS ADVISORY - W32/Sasser.worm.a & W32/Sasser.worm.b
Date: 2004/05/03 21:52

(((((((((((((((((((( McAfee Dispatch )))))))))))))))))))))))

[This message is brought to you as a subscriber to the
McAfee Dispatch. To unsubscribe, please follow the
instructions at the bottom of this email.]

------------------------------------------------------------
     ** VIRUS ADVISORY - W32/Sasser.worm **
------------------------------------------------------------

Dear vir,

Reminiscent of last summer's Lovsan/MS Blaster worm,
W32/Sasser.worm.a and W32/Sasser.worm.b are Medium Risk
Internet worms that exploit a vulnerability in the Microsoft
Windows operating system, especially 2000 and XP.

You do not need to click anything to become infected. Unlike
typical viruses that arrive inside email attachments, Sasser
worms and their variants attack vulnerable computers when
they connect to the Internet. Infected PCs will repeatedly
reboot and help spread the self-executing worms to other
computers.

------------------------------------------------------------
HOW TO PROTECT YOUR PC:

1. Update your anti-virus DAT file.
2. Download the latest Microsoft Windows operating system
patch. On your Internet Explorer toolbar, go to Tools,
select Windows Update then "Scan for updates."
3. Install McAfee Personal Firewall Plus. A secure barrier
between your PC and unauthorized communication, a firewall
will block Sasser-like worms before they can attack your PC.
==> http://us.mcafee.com/root/campaign.asp?cid=10155 (http://us.mcafee.com/root/campaign.asp?cid=10155)
------------------------------------------------------------

Up-to-date McAfee VirusScan users with dat 4356 are protected
from this threat. We also recommend fortifying your
anti-virus software with a firewall. Together, they provide
multi-layered protection against inbound and outbound
malicious code.
Funny, the college I cross-registered to is a tech school, and THEIR e-mail server went down during the same weekend...
while the not-so-tech main college I commute to doesn't seem to have any such problems...


More important stuff:
Quote
The virus copies itself to the Windows directory as avserve.exe and creates a registry run key to load itself at startup

 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows
CurrentVersionRun "avserve.exe" = C:WINDOWSavserve.exe
As the worm scans random ip addresses it listens on successive TCP ports starting at 1068.  It also acts as an FTP server on TCP port 5554, and creates a remote shell on TCP port 9996.

A file named win.log is created on the root of the C: drive.  This file contains the IP address of the localhost.

Copies of the worm are created in the Windows System directory as #_up.exe.

Examples

c:WINDOWSsystem3211583_up.exe
c:WINDOWSsystem3216913_up.exe
c:WINDOWSsystem3229739_up.exe
A side-effect of the worm is for LSASS.EXE to crash, by default such system will reboot after the crash occurs.  The following Window may be displayed:
(http://vil.nai.com/images/125007.gif)
(http://vil.nai.com/images/125007b.gif)

Method of Infection 
 
This worm spreads by exploiting a recent Microsoft vulnerability, spreading from machine to machine with no user intervention required.

This worm scans random IP addresses for exploitable systems.  When one is found, the worm exploits the vulnerable system, by overflowing a buffer in LSASS.EXE.  It creates a remote shell on TCP port 9996.  Next it creates an FTP script named cmd.ftp on the remote host and executes it.  This FTP script instructs the target victim to download and execute the worm (with the filename #_up.exe as aforementioned) from the infected host.  The infected host accepts this FTP traffic on TCP port 5554.

The worm spawns multiple threads, some of which scan the local class A subnet, others the class B subnet, and others completely random subnets.  The destination port is TCP 445.


Title: Another virus outbreak
Post by: Perdition on May 05, 2004, 04:52:48 AM
bah you beat me to it.  my dad told me about this today and I was gonna make a topic about it.  o well


Title: Another virus outbreak
Post by: SS on May 05, 2004, 04:15:01 PM
Pfffft, what's with all that crap info?

Only required information:
USE A FIREWALL AND TURN ON WINDOWS UPDATE!

Do that and 99% of all worms/trojans/etc won't reach your system.

Add decent anti-virus software, and anything you download should be scanned & stopped too.


Title: Another virus outbreak
Post by: RipperRoo on May 05, 2004, 04:48:51 PM
I would, but I cant be arsed to spend the rest of my life configurating a firewall, they piss me off.....


Title: Another virus outbreak
Post by: SS on May 05, 2004, 04:58:50 PM
Just use the Windows firewall then - no need to configure it.

It's not as secure as a proper one once stuff is on your system, but it should stop things getting in in the first place.


Title: Another virus outbreak
Post by: Hyvry1 on May 05, 2004, 07:05:39 PM
The windows firewall will stop viruses slipping in, and all but the hardened of hard hackers.  It is lax when it comes to authenticated software accessing the net, like games, which is good because minimal tweaking/ turning off is required so you can do a bit of online gaming.

Plus i have seen SP2 Beta running, and that has an improved firewall, which is supposed to be one of the best around when it is released.  It even comes with security features that can be configured by the user.
Here is a screenie from a beta tester i know:
(http://www.simviation.com/yabbuploads/SP2pic.jpg)


Title: Another virus outbreak
Post by: SS on May 05, 2004, 07:20:30 PM
Yeah, heard a lot of good stuff about SP2. Can't wait for it to be released.


Title: Another virus outbreak
Post by: RipperRoo on May 05, 2004, 09:31:48 PM
Oooh, ask him to send me his RAM please, he can buy some new stuff....


Title: Another virus outbreak
Post by: Arahen on May 07, 2004, 08:36:40 PM
damit I have the virus >.> blargh but used the windows update stuff and installed that stuff and stuff >.> gah  


Title: Another virus outbreak
Post by: Saladin on May 12, 2004, 12:36:12 AM
another version of it is coming out (of the virus i mean)


Title: Another virus outbreak
Post by: GandalfTheOld on May 21, 2004, 02:29:48 PM
Rather irked by finding that a trojan smuggled itself into a temp cache folder of Mozilla's FireFox...
and I'm wondering which of the damned sites I visited put itself in there... but I can't remember where I went a month ago :|
it's along the lines of:

Documents and Setting/ Your Name / Application Data * / Pheonix/profile/default/...
* hidden folder
 


Title: Another virus outbreak
Post by: SS on May 21, 2004, 02:39:18 PM
Wait, wait... you got a trojan through Firefox? :huh:


Title: Another virus outbreak
Post by: GandalfTheOld on May 21, 2004, 02:56:26 PM
that's right...
although more specifically, through viewing a site with FireFox.
I'm suspecting www.lordsoflegend.com of this... (it had a previous record of having trojan/virus-infected pop-ups and crap before)

why i knew it had to be FireFox?
because I looked at the files in the folders.
let's see... bookmarks, plugins, profiles, user id's and passwords...
cookies, history, search, downloads, etc...

what does it sound like? a browser.
and sure enough, when i looked at the user id's and passwords, they were all for places i've only visited with Mozilla FireFox (among other things, this forum, lordsoflegend, kingsofchaos... etc)

checked out another comp that had FireFox, had the same directory layout, but with little or no cache files in it this time.  (well, i didn't use Mozilla as much on this other comp, so that explains a part of it...)

i'll have to be careful :|


Title: Another virus outbreak
Post by: SS on May 21, 2004, 03:48:45 PM
Heh. I'm rather ambivalent at the moment. It's bad because trojans=evil, and firefox is no longer an added protection against them.
But it's also good because I know some Mozilla/Firefox evangelists who can no longer [validly] say trojans are an IE-only problem. :D


Title: Another virus outbreak
Post by: GandalfTheOld on May 21, 2004, 10:35:44 PM
you know, i was pulling my hair out trying to figure out what program was accessing that "Pheonix" directory in my Documents and Settings folder...
because that name doesn't appear in the Add/Modify Programs list or in the task manager, and i didn't suspect Mozilla until i took a look at the files in the directory... other than the fire relationship between FireFox and Pheonix, there's not much immediate word connection anyway...

what makes me wonder is how trojans/viruses like these would act in non-IE browsers like Mozilla...
maybe not much different? because they are all browsers anyway...


Title: Another virus outbreak
Post by: SS on May 21, 2004, 10:41:28 PM
Heheh. Phoenix was the code-name for Firebird, which turned into Firefox. Which is a bit daft, but there you go.


Title: Another virus outbreak
Post by: GandalfTheOld on May 21, 2004, 10:43:48 PM
ahhh... that explains it...
i didn't know much of FireFox/FireBird's history :|

right now digging through the directories of other browsers to see if there are similar stuff in teh cache... i know i viewed www.lordsoflegend.com many times with regular IE... although with AdMuncher and other stuff active


Title: Another virus outbreak
Post by: GandalfTheOld on May 28, 2004, 01:06:43 AM
Uh... kay...
seems that one of the comps on this LAN got infected with a new strain of worm...
problem? the whole LAN's protected by a router.

tried starting up the comp, the system process SVCHOST.EXE starts to take up 100% of the CPU usage and nothing moves an inch.
force-delete with the Task Manager, another instance of the SVCHOST.EXE starts to take up about 30-40% of the CPU usage, force-delete again.
once that's done, things seem to finally continue... or so you might think.

Norton Antivirus failed to start-up properly, it brings up an error message that it cannot do e-mail protection.
What's more, the computer cannot view websites.
Neither can programs access the internet, and nadda.  Although it seems that the computer can still access the network, and be accessed from the network.

I go into Safe Mode, I do a thorough search...
5-6 instances of a trojan, that's fine, they're deadmeat.
nothing else comes up, so I restart the comp, and see if it starts up properly.

IT DOESN'T.
The same symptoms occur again.

So, 1 out of 4 comps down on this LAN, and I'm betting this WinXP server that I've been running for 31wks 5days 11hrs 25mins will also die if I attempt to restart it.  A version of Norton Antivirus killed my entire access to the internet, including virus definition updates themselves, so I haven't had a proper antivirus program running for that long.

Oh yeah, it's fun.  Probably too late to put up a firewall on this comp...
Take care, everyone, apparently routers aren't enough to stop this new strain, and I'm wondering if firewalls can stop it.

So far, I'm trying to find out what I can about this new worm/virus... if anyone has info, lemme know.

EDIT:
The problem has been solved.
Found out why nothing special appeared on Norton AntiVirus... it WASN'T a worm/virus.
A freakin bunch of spyware crap simply took over most of the bandwidth between that comp and the router... or something along those lines.
Still don't understand why the comp couldn't view websites while it could still access other comps on the same LAN... Mind you, I was able to send files to the comp, and view files through the LAN.
Wonderful lesson on running spyware-detecting programs, eh?


Title: Another virus outbreak
Post by: Uber Peasant on May 28, 2004, 12:48:57 PM
wow.. that exact same thing happened to me about 3 days ago. i got an ad-aware program taht found over 305 spy wares on my machine. nice to know im not hte only target out there   :P  


Title: Another virus outbreak
Post by: FragMaster1972 on May 28, 2004, 01:58:01 PM
bah. once a friend of mine was having his computer checked out by a tech cause it was actin really crappy. one of the first things the tech did was run an a/v program.....and found that every single file on his computer (10,000 plus files) was infected with various viri. beat that.  :ph34r: