Subject: VIRUS ADVISORY - W32/Sasser.worm.a & W32/Sasser.worm.b
Date: 2004/05/03 21:52
(((((((((((((((((((( McAfee Dispatch )))))))))))))))))))))))
------------------------------------------------------------
** VIRUS ADVISORY - W32/Sasser.worm **
------------------------------------------------------------
Dear vir,
Reminiscent of last summer's Lovsan/MS Blaster worm,
W32/Sasser.worm.a and W32/Sasser.worm.b are Medium Risk
Internet worms that exploit a vulnerability in the Microsoft
Windows operating system, especially 2000 and XP.
You do not need to click anything to become infected. Unlike
typical viruses that arrive inside email attachments, Sasser
worms and their variants attack vulnerable computers when
they connect to the Internet. Infected PCs will repeatedly
reboot and help spread the self-executing worms to other
computers.
------------------------------------------------------------
HOW TO PROTECT YOUR PC:
1. Update your anti-virus DAT file.
2. Download the latest Microsoft Windows operating system
patch. On your Internet Explorer toolbar, go to Tools,
select Windows Update then "Scan for updates."
3. Install McAfee Personal Firewall Plus. A secure barrier
between your PC and unauthorized communication, a firewall
will block Sasser-like worms before they can attack your PC.
==>
http://us.mcafee.com/root/campaign.asp?cid=10155
------------------------------------------------------------
Up-to-date McAfee VirusScan users with dat 4356 are protected
from this threat. We also recommend fortifying your
anti-virus software with a firewall. Together, they provide
multi-layered protection against inbound and outbound
malicious code.
Funny, the college I cross-registered to is a tech school, and THEIR e-mail server went down during the same weekend...
while the not-so-tech main college I commute to doesn't seem to have any such problems...
More important stuff:
The virus copies itself to the Windows directory as avserve.exe and creates a registry run key to load itself at startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run "avserve.exe" = C:\WINDOWS\avserve.exe
As the worm scans random IP addresses it listens on successive TCP ports starting at 1068. It also acts as an FTP server on TCP port 5554, and creates a remote shell on TCP port 9996.
A file named win.log is created on the root of the C: drive. This file contains the IP address of the localhost.
Copies of the worm are created in the Windows System directory as #_up.exe.
Examples
c:\WINDOWS\system32\11583_up.exe
c:\WINDOWS\system32\16913_up.exe
c:\WINDOWS\system32\29739_up.exe
A side effect of the worm is that LSASS.EXE crashes; by default, such a system will reboot after the crash occurs. The following window may be displayed:
Method of Infection
This worm spreads by exploiting a recent Microsoft vulnerability, spreading from machine to machine with no user intervention required.
This worm scans random IP addresses for exploitable systems. When one is found, the worm exploits the vulnerable system by overflowing a buffer in LSASS.EXE. It creates a remote shell on TCP port 9996. Next it creates an FTP script named cmd.ftp on the remote host and executes it. This FTP script instructs the target victim to download and execute the worm (with the filename #_up.exe as aforementioned) from the infected host. The infected host accepts this FTP traffic on TCP port 5554.
The worm spawns multiple threads, some of which scan the local class A subnet, others the class B subnet, and others completely random subnets. The destination port is TCP 445.
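
Added example (not part of the McAfee text or the original post): network-side detection of the infection chain described above, run over constructed flow records. The record format, the scan threshold and every address in the sample are assumptions made for illustration.

```python
from collections import defaultdict

# Ports taken from the advisory text above.
SMB_PORT, SHELL_PORT, FTP_PORT = 445, 9996, 5554
SCAN_THRESHOLD = 5  # assumption: distinct 445 destinations that count as scanning

# Constructed sample flow records: "time src dst dst_port" (TCP connection attempts).
SAMPLE_FLOWS = """\
21:50:01 10.1.1.7 10.1.1.20 445
21:50:01 10.1.1.7 10.1.9.33 445
21:50:02 10.1.1.7 10.44.2.8 445
21:50:02 10.1.1.7 172.16.5.5 445
21:50:03 10.1.1.7 192.0.2.77 445
21:50:03 10.1.1.7 10.1.1.20 9996
21:50:04 10.1.1.20 10.1.1.7 5554
21:50:05 10.1.1.30 10.1.1.2 445
21:50:06 10.1.1.30 10.1.1.2 80
"""

def parse_flows(text):
    """Yield (src, dst, port) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3].isdigit():
            yield parts[1], parts[2], int(parts[3])

def analyze(text, threshold=SCAN_THRESHOLD):
    """Return (scanners, infections) seen in the flow text.

    scanners:   sources that tried TCP 445 on >= threshold distinct hosts.
    infections: (source, victim) pairs where all three connections appear:
                source->victim:445, source->victim:9996, victim->source:5554.
                Ordering by timestamp is not checked.
    """
    seen = defaultdict(set)  # port -> {(src, dst)}
    for src, dst, port in parse_flows(text):
        seen[port].add((src, dst))
    targets = defaultdict(set)
    for src, dst in seen[SMB_PORT]:
        targets[src].add(dst)
    scanners = sorted(s for s, d in targets.items() if len(d) >= threshold)
    infections = sorted(
        (src, dst) for src, dst in seen[SMB_PORT] & seen[SHELL_PORT]
        if (dst, src) in seen[FTP_PORT]
    )
    return scanners, infections

if __name__ == "__main__":
    print(analyze(SAMPLE_FLOWS))
```

The scanner list alone will also match other hosts sweeping TCP 445; the three-connection pair is the part tied to the behaviour described in this post.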