BPsite Forums
November 01, 2024, 12:49:53 AM *
Welcome, Guest. Please login or register.

Login with username, password and session length
News: BPSITE FOREVER!
 
   Home   Help Search Members Login Register  
Pages: [1] 2
  Print  
Author Topic: Another virus outbreak  (Read 11945 times)
GandalfTheOld
Hero Member
*****
Offline Offline

Posts: 1330



View Profile WWW
« on: May 05, 2004, 03:21:18 AM »

Quote
Subject: VIRUS ADVISORY - W32/Sasser.worm.a & W32/Sasser.worm.b
Date: 2004/05/03 21:52

(((((((((((((((((((( McAfee Dispatch )))))))))))))))))))))))

[This message is brought to you as a subscriber to the
McAfee Dispatch. To unsubscribe, please follow the
instructions at the bottom of this email.]

------------------------------------------------------------
     ** VIRUS ADVISORY - W32/Sasser.worm **
------------------------------------------------------------

Dear vir,

Reminiscent of last summer's Lovsan/MS Blaster worm,
W32/Sasser.worm.a and W32/Sasser.worm.b are Medium Risk
Internet worms that exploit a vulnerability in the Microsoft
Windows operating system, especially 2000 and XP.

You do not need to click anything to become infected. Unlike
typical viruses that arrive inside email attachments, Sasser
worms and their variants attack vulnerable computers when
they connect to the Internet. Infected PCs will repeatedly
reboot and help spread the self-executing worms to other
computers.

------------------------------------------------------------
HOW TO PROTECT YOUR PC:

1. Update your anti-virus DAT file.
2. Download the latest Microsoft Windows operating system
patch. On your Internet Explorer toolbar, go to Tools,
select Windows Update then "Scan for updates."
3. Install McAfee Personal Firewall Plus. A secure barrier
between your PC and unauthorized communication, a firewall
will block Sasser-like worms before they can attack your PC.
==> http://us.mcafee.com/root/campaign.asp?cid=10155
------------------------------------------------------------

Up-to-date McAfee VirusScan users with dat 4356 are protected
from this threat. We also recommend fortifying your
anti-virus software with a firewall. Together, they provide
multi-layered protection against inbound and outbound
malicious code.
Funny, the college I cross-registered to is a tech school, and THEIR e-mail server went down during the same weekend...
while the not-so-tech main college I commute to doesn't seem to have any such problems...


More important stuff:
Quote
The virus copies itself to the Windows directory as avserve.exe and creates a registry run key to load itself at startup

 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows
CurrentVersionRun "avserve.exe" = C:WINDOWSavserve.exe
As the worm scans random ip addresses it listens on successive TCP ports starting at 1068.  It also acts as an FTP server on TCP port 5554, and creates a remote shell on TCP port 9996.

A file named win.log is created on the root of the C: drive.  This file contains the IP address of the localhost.

Copies of the worm are created in the Windows System directory as #_up.exe.

Examples

c:WINDOWSsystem3211583_up.exe
c:WINDOWSsystem3216913_up.exe
c:WINDOWSsystem3229739_up.exe
A side-effect of the worm is for LSASS.EXE to crash, by default such system will reboot after the crash occurs.  The following Window may be displayed:



Method of Infection 
 
This worm spreads by exploiting a recent Microsoft vulnerability, spreading from machine to machine with no user intervention required.

This worm scans random IP addresses for exploitable systems.  When one is found, the worm exploits the vulnerable system, by overflowing a buffer in LSASS.EXE.  It creates a remote shell on TCP port 9996.  Next it creates an FTP script named cmd.ftp on the remote host and executes it.  This FTP script instructs the target victim to download and execute the worm (with the filename #_up.exe as aforementioned) from the infected host.  The infected host accepts this FTP traffic on TCP port 5554.

The worm spawns multiple threads, some of which scan the local class A subnet, others the class B subnet, and others completely random subnets.  The destination port is TCP 445.
« Last Edit: May 05, 2004, 03:25:47 AM by GandalfTheOld » Logged

koc name:Maaya
Perdition
Hero Member
*****
Offline Offline

Posts: 9364



View Profile WWW
« Reply #1 on: May 05, 2004, 04:52:48 AM »

bah you beat me to it.  my dad told me about this today and I was gonna make a topic about it.  o well
Logged
SS
Administrator
Hero Member
*****
Offline Offline

Posts: 10393



View Profile WWW
« Reply #2 on: May 05, 2004, 04:15:01 PM »

Pfffft, what's with all that crap info?

Only required information:
USE A FIREWALL AND TURN ON WINDOWS UPDATE!

Do that and 99% of all worms/trojans/etc won't reach your system.

Add decent anti-virus software, and anything you download should be scanned & stopped too.
Logged

Peter 'SpectralShadows' Boughton,
Seeker of Perfection, BPsite Sitelord.

Till shade is gone, till water is gone, into the Shadow with teeth bared, screaming
defiance with the last breath, to spit in the Sightblinder's eye on the Last Day.
RipperRoo
Hero Member
*****
Offline Offline

Posts: 4397


View Profile
« Reply #3 on: May 05, 2004, 04:48:51 PM »

I would, but I cant be arsed to spend the rest of my life configurating a firewall, they piss me off.....
Logged

"How could you be intimidated by a woman who had told you in dead seriousness that there were one hundred and seven different kisses, and ninety-three ways to touch a man's face with your hand?" --Min--
"Ohh my feet are getting hotter than a flame grilled otte
SS
Administrator
Hero Member
*****
Offline Offline

Posts: 10393



View Profile WWW
« Reply #4 on: May 05, 2004, 04:58:50 PM »

Just use the Windows firewall then - no need to configure it.

It's not as secure as a proper one once stuff is on your system, but it should stop things getting in in the first place.
Logged

Peter 'SpectralShadows' Boughton,
Seeker of Perfection, BPsite Sitelord.

Till shade is gone, till water is gone, into the Shadow with teeth bared, screaming
defiance with the last breath, to spit in the Sightblinder's eye on the Last Day.
Hyvry1
Sr. Member
****
Offline Offline

Posts: 329



View Profile WWW
« Reply #5 on: May 05, 2004, 07:05:39 PM »

The windows firewall will stop viruses slipping in, and all but the hardened of hard hackers.  It is lax when it comes to authenticated software accessing the net, like games, which is good because minimal tweaking/ turning off is required so you can do a bit of online gaming.

Plus i have seen SP2 Beta running, and that has an improved firewall, which is supposed to be one of the best around when it is released.  It even comes with security features that can be configured by the user.
Here is a screenie from a beta tester i know:
« Last Edit: May 05, 2004, 07:12:25 PM by Hyvry1 » Logged
SS
Administrator
Hero Member
*****
Offline Offline

Posts: 10393



View Profile WWW
« Reply #6 on: May 05, 2004, 07:20:30 PM »

Yeah, heard a lot of good stuff about SP2. Can't wait for it to be released.
Logged

Peter 'SpectralShadows' Boughton,
Seeker of Perfection, BPsite Sitelord.

Till shade is gone, till water is gone, into the Shadow with teeth bared, screaming
defiance with the last breath, to spit in the Sightblinder's eye on the Last Day.
RipperRoo
Hero Member
*****
Offline Offline

Posts: 4397


View Profile
« Reply #7 on: May 05, 2004, 09:31:48 PM »

Oooh, ask him to send me his RAM please, he can buy some new stuff....
Logged

"How could you be intimidated by a woman who had told you in dead seriousness that there were one hundred and seven different kisses, and ninety-three ways to touch a man's face with your hand?" --Min--
"Ohh my feet are getting hotter than a flame grilled otte
Arahen
Hero Member
*****
Offline Offline

Posts: 1654



View Profile WWW
« Reply #8 on: May 07, 2004, 08:36:40 PM »

damit I have the virus >.> blargh but used the windows update stuff and installed that stuff and stuff >.> gah  
Logged

i am a girl so...
Saladin
Hero Member
*****
Offline Offline

Posts: 2071



View Profile WWW
« Reply #9 on: May 12, 2004, 12:36:12 AM »

another version of it is coming out (of the virus i mean)
Logged

I have become Death; destroyer of worlds.
--J. Robert Oppenheimer upon witnessing the explosion of the first atomic bomb
[/font]
We can easily forgive a child who is afraid of the dark. The real tragedy of life is when men are afraid of the light
--Plato
[/font]
GandalfTheOld
Hero Member
*****
Offline Offline

Posts: 1330



View Profile WWW
« Reply #10 on: May 21, 2004, 02:29:48 PM »

Rather irked by finding that a trojan smuggled itself into a temp cache folder of Mozilla's FireFox...
and I'm wondering which of the damned sites I visited put itself in there... but I can't remember where I went a month ago :|
it's along the lines of:

Documents and Setting/ Your Name / Application Data * / Pheonix/profile/default/...
* hidden folder
 
Logged

koc name:Maaya
SS
Administrator
Hero Member
*****
Offline Offline

Posts: 10393



View Profile WWW
« Reply #11 on: May 21, 2004, 02:39:18 PM »

Wait, wait... you got a trojan through Firefox? :huh:
Logged

Peter 'SpectralShadows' Boughton,
Seeker of Perfection, BPsite Sitelord.

Till shade is gone, till water is gone, into the Shadow with teeth bared, screaming
defiance with the last breath, to spit in the Sightblinder's eye on the Last Day.
GandalfTheOld
Hero Member
*****
Offline Offline

Posts: 1330



View Profile WWW
« Reply #12 on: May 21, 2004, 02:56:26 PM »

that's right...
although more specifically, through viewing a site with FireFox.
I'm suspecting www.lordsoflegend.com of this... (it had a previous record of having trojan/virus-infected pop-ups and crap before)

why i knew it had to be FireFox?
because I looked at the files in the folders.
let's see... bookmarks, plugins, profiles, user id's and passwords...
cookies, history, search, downloads, etc...

what does it sound like? a browser.
and sure enough, when i looked at the user id's and passwords, they were all for places i've only visited with Mozilla FireFox (among other things, this forum, lordsoflegend, kingsofchaos... etc)

checked out another comp that had FireFox, had the same directory layout, but with little or no cache files in it this time.  (well, i didn't use Mozilla as much on this other comp, so that explains a part of it...)

i'll have to be careful :|
Logged

koc name:Maaya
SS
Administrator
Hero Member
*****
Offline Offline

Posts: 10393



View Profile WWW
« Reply #13 on: May 21, 2004, 03:48:45 PM »

Heh. I'm rather ambivalent at the moment. It's bad because trojans=evil, and firefox is no longer an added protection against them.
But it's also good because I know some Mozilla/Firefox evangelists who can no longer [validly] say trojans are an IE-only problem. Cheesy
Logged

Peter 'SpectralShadows' Boughton,
Seeker of Perfection, BPsite Sitelord.

Till shade is gone, till water is gone, into the Shadow with teeth bared, screaming
defiance with the last breath, to spit in the Sightblinder's eye on the Last Day.
GandalfTheOld
Hero Member
*****
Offline Offline

Posts: 1330



View Profile WWW
« Reply #14 on: May 21, 2004, 10:35:44 PM »

you know, i was pulling my hair out trying to figure out what program was accessing that "Pheonix" directory in my Documents and Settings folder...
because that name doesn't appear in the Add/Modify Programs list or in the task manager, and i didn't suspect Mozilla until i took a look at the files in the directory... other than the fire relationship between FireFox and Pheonix, there's not much immediate word connection anyway...

what makes me wonder is how trojans/viruses like these would act in non-IE browsers like Mozilla...
maybe not much different? because they are all browsers anyway...
Logged

koc name:Maaya
Pages: [1] 2
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.16 | SMF © 2011, Simple Machines Valid XHTML 1.0! Valid CSS!