charon255
Multiple sources confirming today that a new Sasser variant which attempts to exploit the lsass vuln in MS04-011 is in the wild.

Buckle your seatbelts...

SANS Internet Storm Center
http://isc.incidents.org/diary.php?date=20...87bcd6d8f8ef92e

McAfee
http://vil.nai.com/vil/content/v_125008.htm

Symantec
http://securityresponse.symantec.com/avcen...asser.worm.html
as0l0
From what we are told, the current Sasser worms don't seem to do anything damaging... more of an annoyance.
charon255
Ah but there's the catch. Maybe the payload is not destructive, but neither was blaster, and look at the havoc it wreaked.

Cost my company over $3M to clean up the blaster mess. Once one of these gets loose inside a large network with a lot of unpatched machines, it is a nightmare.

It's easier said than done to get 20,000 machines patched, especially when the M$ patch for this is buggy and causes about 1 out of every 30 machines to lock up. Gonna be a suck of a week for me.
as0l0
A few points.

a. the worm has been in the wild for nearly 4 days

b. if you have a good process then patching many machines isn't difficult it's just something you do.

c. most people will have a process of some type and will have at least some machines patched this time round.

d. I don't believe that 1 in 30 machines are failing.
charon255
A) Maybe you have better information than the rest of us; if so, what held you back from sharing that info here? However, AFAIK, it is the CODE and not the WORM itself which was seen in the wild 4 days ago. Were you aware of a worm IN THE WILD on Thursday last week?

B) Just curious ... How many machines are you directly responsible for patching?

C) True, some machines are patched, we have some automation; however, the reality of managing a large enterprise works a little bit differently than most patch management software vendors would have you believe. Many companies (large ones) have opted out of the MS04011 patch because of the bug in it; they are waiting for a new version from MS.

D) You may believe whatever you like, I simply speak from my direct observations.

fertile
QUOTE
Many companies (large ones) have opted out of the MS04011 patch because of the bug in it, they are waiting for a new version from MS.


Which bug are you talking about?

I have seen in my enterprise a serious bug with Dell C400 laptops and a certain video driver version.
Also seen problems with IE/control panel/slow logoff for non-admin users.
And finally seen a lot of problems with a broken RUNAS for non-admin users.

The first issue I have fixed, and for the second we got MS to write us a new hotfix once I tracked down the problem ... the 3rd is still ongoing.

Is it one of those bugs?

And I wouldn't wait for a new version of MS04-011 to come out as it's not going to happen. That is the official word from MS both publicly and privately.
I have 35,000 workstations to patch so I would be delighted if they had released a more compatible patch, but it's too risky to wait even if I knew they were going to.
mrfastass
What idiots make worms!?
Gurou
any sample?
ghasedak
Sasser Worm for Microsoft "LSASS.EXE" Buffer Overflow
Exploit code has been publicly posted for the Local Security Authority Service
buffer overflow described in the Microsoft Security Bulletin MS04-011. Multiple
variants of a worm named, Sasser, which use the publicly posted exploit code,
were released on April 30th. The worm runs an FTP server on port 5554/tcp, and
scans randomly generated IP addresses for port 445/tcp. If the "LSASS.EXE"
exploit code successfully executes on a scanned system, it opens a remote
command shell on port 9996/tcp. This command shell is used to transfer a copy of
the worm binary from the worm's FTP server to the compromised system, and
execute it.

Council Site Actions: All reporting council sites have already begun patching
their systems for this vulnerability. Several sites have been using the exploit
code to verify the presence of the vulnerability and the effectiveness of the
patches on individual systems.

References:
Prior @RISK newsletter Posting
http://www.sans.org/newsletters/risk/vol3_15.php (Item #1a)
Sasser Worm
http://www.lurhq.com/sasser.html (Analysis)
http://securityresponse.symantec.com/avcen...asser.worm.html
http://securityresponse.symantec.com/avcen...ser.b.worm.html
Exploit Codes
http://www.k-otik.com/exploits/04292004.HO...asrv-expl.c.php
http://www.k-otik.com/exploits/04252004.ms04011lsass.rar
Microsoft KB Article (Solutions to problems with MS04-011 Patch)
http://support.microsoft.com/default.aspx?...kb;EN-US;841382
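The @RISK item above lays out the worm's propagation chain in network terms: an infected host scans many addresses on 445/tcp, a successful exploit opens a shell on 9996/tcp on the victim, and the victim then pulls the binary from the infected host's FTP server on 5554/tcp. That chain can be matched in ordinary firewall or flow logs. The Python below is an added example written for this thread, not code from the newsletter, any vendor or the forum posters; the log line format, the IP addresses and the scan threshold of 20 distinct targets are all constructed or assumed for the example.

```python
"""Flag hosts whose connection pattern matches the Sasser propagation chain:
fan-out on 445/tcp (scanning), an outbound 9996/tcp connection (remote shell),
and inbound 5554/tcp from a scanned host (victim fetching the worm binary).
The log format used here is constructed for this example."""
import re
from collections import defaultdict

# Assumed log format: "<timestamp> src=<ip> dst=<ip> dport=<port> proto=<proto>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

SCAN_THRESHOLD = 20  # assumed: distinct 445/tcp targets before we call it a scan


def parse_line(line):
    """Return a dict for a well-formed connection record, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "proto": m["proto"].lower()}


def analyze(lines, threshold=SCAN_THRESHOLD):
    """Map suspected infected hosts to the list of reasons they were flagged.
    A host needs at least two of the three stages to be reported, which keeps
    an ordinary SMB client or a single stray 5554 connection from matching."""
    scan_targets = defaultdict(set)   # src -> distinct dsts contacted on 445
    shell_targets = defaultdict(set)  # src -> dsts contacted on 9996
    ftp_clients = defaultdict(set)    # dst -> srcs that connected to its 5554
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp":
            continue  # unparsable or non-TCP records are ignored
        if rec["dport"] == 445:
            scan_targets[rec["src"]].add(rec["dst"])
        elif rec["dport"] == 9996:
            shell_targets[rec["src"]].add(rec["dst"])
        elif rec["dport"] == 5554:
            ftp_clients[rec["dst"]].add(rec["src"])

    findings = {}
    for host in set(scan_targets) | set(shell_targets) | set(ftp_clients):
        reasons = []
        scanned = scan_targets.get(host, set())
        if len(scanned) >= threshold:
            reasons.append(f"contacted {len(scanned)} distinct hosts on 445/tcp")
        shells = shell_targets.get(host, set())
        if shells:
            reasons.append(f"connected to 9996/tcp on {sorted(shells)}")
        pulls = ftp_clients.get(host, set())
        if pulls:
            reasons.append(f"served 5554/tcp to {sorted(pulls)}")
        if len(reasons) >= 2:
            findings[host] = reasons
    return findings


def sample_log():
    """Constructed records: 10.0.0.5 sweeps a /24 on 445, opens a 9996 shell on
    10.0.1.7, and 10.0.1.7 pulls the binary from 10.0.0.5:5554. 10.0.0.9 is a
    benign client talking SMB and HTTP to one file server."""
    lines = []
    for i in range(1, 26):
        lines.append(f"2004-05-04T02:23:{i:02d} src=10.0.0.5 dst=10.0.1.{i} dport=445 proto=tcp")
    lines.append("2004-05-04T02:24:01 src=10.0.0.5 dst=10.0.1.7 dport=9996 proto=tcp")
    lines.append("2004-05-04T02:24:02 src=10.0.1.7 dst=10.0.0.5 dport=5554 proto=tcp")
    for _ in range(5):
        lines.append("2004-05-04T02:25:00 src=10.0.0.9 dst=10.0.0.2 dport=445 proto=tcp")
    lines.append("2004-05-04T02:25:01 src=10.0.0.9 dst=10.0.0.2 dport=80 proto=tcp")
    lines.append("this line is not a connection record")
    return lines


if __name__ == "__main__":
    for host, reasons in sorted(analyze(sample_log()).items()):
        print(host)
        for r in reasons:
            print("   ", r)
```

The two-stage requirement is the design choice worth noting: a single host hitting many 445/tcp addresses is also what a vulnerability scanner or a badly configured backup agent looks like, while 445 fan-out followed by 9996/tcp or by serving 5554/tcp is specific to this worm's chain and is what an incident responder would want paged on.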
Killaloop
QUOTE (ghasedak @ May 4 2004, 02:23 AM)

Council Site Actions: All reporting council sites have already begun patching
their systems for this vulnerability. Several sites have been using the exploit
code to verify the presence of the vulnerability and the effectiveness of the
patches on individual systems.

lol
already?
the patch is 3-4 weeks old, isn't it?
when will people ever learn to patch their systems.
I'm sure everyone who used this exploit right got a few hundred shells on hosting/uni and companies.
I'm glad most of the people here are behind pubstros and don't steal sensitive data.
what
To all the system admins out there. . . . .

Try setting your systems up with Windows Update; it can be set to automatically download the updates and install them. A lot better than feeding the updates out with AI builder or some Symantec Ghost software. Saved me a lot of trouble; the worm hit some of our computers (ones that were NT 4.0) but other than that, it had no effect.

I may have nowhere to talk, but I'm an administrator at a school with about 700 computers underneath me, and of course because schools in general are cheap, only me.
Serhat
The worm is easy to get rid of, though...
There are 2 kinds in the wild now (if I am not mistaken).
I just did this at a friend's.

Control+Alt+Delete, KILL the avserve.exe or avserve2.exe (that's the second kind),
then just delete the file normally in your windir...
for example: C:\windows\avserve(2).exe
Remove the key "Windows Update" or something that refers to this exe in the RUN section of your registry... reboot... done...
BUT the worm also makes some other exe files... they won't do anything if I am not mistaken... after that just run a virus scan and remove those files.

Serhat
thorel
Worms suck:

a) they're annoying to get
b) it's news on the internet for weeks.... sick of reading about it
c) the worm makes people install the patch, which again kills a nice exploit
Killaloop
QUOTE (what @ May 4 2004, 12:32 PM)
To all the system admins out there. . . . .

Try setting your systems up with Windows Update; it can be set to automatically download the updates and install them. A lot better than feeding the updates out with AI builder or some Symantec Ghost software. Saved me a lot of trouble; the worm hit some of our computers (ones that were NT 4.0) but other than that, it had no effect.

I may have nowhere to talk, but I'm an administrator at a school with about 700 computers underneath me, and of course because schools in general are cheap, only me.

the automatic update doesn't help you much if you don't reboot
another point for not having Windows machines running as servers, but too many have
Invision Power Board © 2001-2005 Invision Power Services, Inc.