totof
May 1 2004, 09:32 PM
| QUOTE |
Sasser worm begins to spread
Last modified: May 1, 2004, 10:25 AM PDT
By Robert Lemos, Staff Writer, CNET News.com
update: A worm, dubbed Sasser by antivirus firms, was spreading slowly throughout the Internet on Saturday, taking advantage of a vulnerability in unpatched Windows systems to infect new hosts.
The Sasser worm began spreading Friday night and seems to be moving at a pace far slower than previous worms such as MSBlast and Code Red, said Alfred Huger, senior director of security firm Symantec's response team.
"It is a slow burn," he said. "It is picking up speed, but right now we aren't seeing too much activity."
Symantec initially rated the Sasser worm as a two on its five-point scale of threats. A five is the highest danger rating on the scale. Rival antivirus firm Network Associates rated the threat a medium danger, and the Internet Storm Center, which monitors network threats, raised its general Internet danger level to yellow, essentially a medium rating as well.
"Due to the release of this worm, we moved to infocon yellow for the next 24 hrs," the Internet Storm Center site said. "The exact impact is not clear at this point."
Security experts did not know how far the worm had spread, but many companies reported some infections, said Vincent Gullotto, vice president of Network Associates' antivirus emergency response team.
"We have had 25 to 50 reports from companies that have had up to a few hundred machines infected," he said. "One company wanted to patch this weekend, but the worm infected their network first."
The creation of the worm didn't surprise the Internet's security community. Security experts widely predicted that a worm would soon start spreading using that particular flaw by exploiting a recent vulnerability in a component of Microsoft Windows known as the Local Security Authority Subsystem Service, or LSASS.
The Sasser worm spreads from infected computer to vulnerable computer with no user intervention required. The worm scans for vulnerable systems, creates a remote connection to the system, installs a file transfer protocol (FTP) server and then downloads itself to the new host.
The worm opens up the initial connection on a specific application data channel, or port, numbered 9996. After the worm infects the new host, the FTP server listens on port 5554 for new files.
The worm uses multiple processes to scan different ranges of Internet addresses. The scans attempt to detect the vulnerable LSASS component on port 445. Microsoft has analyzed the worm and believes it also spreads through port 139. Both are data channels used by the Windows file sharing protocol and, in many cases, are blocked by Internet service providers.
A team of Microsoft engineers worked through the night to analyze the worm, said Stephen Toulouse, security program manager for the software giant.
"We are still studying the worm, but we do know customers that install the update are protected from Sasser," Toulouse said.
The worm will cause the LSASS component of Windows to crash, according to analyses. Infected systems will then perform a 60-second countdown before restarting. Microsoft has created a Web page telling customers how to manually clean up the worm.
|
ToToF
The Doom Master
May 1 2004, 09:45 PM
Microsoft pages on the virus:
h**p://www.microsoft.com/security/incident/sasser.asp
Microsoft Security Bulletin MS04-011, the fix that blocks the worm:
h**p://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
MxMx
May 1 2004, 10:52 PM
Do PCs stay vuln after the restart?
ind0r
May 1 2004, 11:16 PM
thx 4 tutorial and links:-)
qcred11
May 1 2004, 11:18 PM
More info about this worm:
| QUOTE |
W32.Sasser.Worm is a worm that attempts to exploit the MS04-011 vulnerability. It spreads by scanning randomly-chosen IP addresses for vulnerable systems.
When W32.Sasser.Worm runs, it does the following:
1. Attempts to create a mutex called Jobaka3l and exits if the attempt fails. This ensures that no more than one instance of the worm can run on the computer at any time.
2. Copies itself as %Windir%\avserve.exe.
Note: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
3. Adds the value:
"avserve.exe"="%Windir%\avserve.exe"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the worm runs when you start Windows.
4. Uses the AbortSystemShutdown API to hinder attempts to shut down or restart the computer.
5. Starts an FTP server on TCP port 5554. This server is used to spread the worm to other hosts.
6. Attempts to connect to randomly-generated IP addresses on TCP port 445. If a connection is made to a computer, the worm sends shellcode to that computer which may cause it to run a remote shell on TCP port 9996. The worm then uses the shell to cause the computer to connect back to the FTP server on port 5554 and retrieve a copy of the worm. This copy will have a name consisting of 4 or 5 digits followed by _up.exe (e.g. 74354_up.exe).
The IP addresses generated by the worm are distributed as follows:
+ 50% are completely random
+ 25% have the same first octet as the IP address of the infected host
+ 25% have the same first and second octet as the IP address of the infected host.
The worm starts 128 threads that scan randomly-chosen IP addresses. This demands a lot of CPU time and as a result an infected computer may be so slow as to be barely useable.
|
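The write-up above gives a defender three network-level signals: a single source sweeping many hosts on TCP 445, a connection to the victim's shell on TCP 9996, and the victim pulling the worm back from the infected host's FTP server on TCP 5554. The script below is an added example (not code from the thread, Symantec, or Microsoft) that runs those checks over constructed firewall-style connection records; the log format, the `analyse` function and the scanner threshold of 10 distinct hosts are assumptions for the sample, while the three port numbers come from the quoted analysis.

```python
import re
from collections import defaultdict

# Constructed firewall/NetFlow-style connection records (sample data, not from the page).
# Format assumed for the example: timestamp src=<ip> dst=<ip> dport=<tcp port>
SAMPLE_LINES = [
    # benign SMB use: one workstation talking to its two file servers on tcp/445
    "2004-05-01T22:09:55 src=10.0.0.9 dst=10.0.2.1 dport=445",
    "2004-05-01T22:09:58 src=10.0.0.9 dst=10.0.2.2 dport=445",
    # a lone tcp/5554 connection with no matching 9996 shell session: not flagged
    "2004-05-01T22:10:00 src=10.0.0.20 dst=10.0.1.30 dport=5554",
    # infected host 10.0.0.5 reaches the shell on the victim (9996), then the
    # victim pulls the worm back from the infected host's FTP server (5554)
    "2004-05-01T22:10:30 src=10.0.0.5 dst=10.0.1.7 dport=9996",
    "2004-05-01T22:10:31 src=10.0.1.7 dst=10.0.0.5 dport=5554",
]
# the same infected host sweeping twelve consecutive addresses on tcp/445
SAMPLE_LINES += [
    f"2004-05-01T22:10:{i:02d} src=10.0.0.5 dst=10.0.1.{i} dport=445"
    for i in range(1, 13)
]
SAMPLE_LOG = "\n".join(SAMPLE_LINES)

LINE_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")

# Ports taken from the Symantec write-up quoted above.
LSASS_PORT = 445      # scanned for a vulnerable LSASS
SHELL_PORT = 9996     # remote shell the shellcode opens on the victim
FTP_PORT = 5554       # FTP server on the infected host that serves the worm copy


def parse(lines):
    """Turn log lines into (src, dst, dport) tuples; lines that do not match are skipped."""
    records = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            records.append((m.group("src"), m.group("dst"), int(m.group("dport"))))
    return records


def find_scanners(records, threshold=10):
    """Sources that contact at least `threshold` distinct hosts on tcp/445.

    The threshold is an assumed tuning value for this sample: the worm's 128
    scanning threads produce far more distinct targets in a real capture, while
    a workstation normally talks SMB to only a handful of file servers.
    """
    targets = defaultdict(set)
    for src, dst, dport in records:
        if dport == LSASS_PORT:
            targets[src].add(dst)
    return {src for src, dsts in targets.items() if len(dsts) >= threshold}


def find_infections(records):
    """(attacker, victim) pairs with both attacker->victim:9996 and victim->attacker:5554.

    Either flow alone is weak evidence; the pair matches the shell-then-FTP-pull
    sequence described in the write-up, so the victim is very likely infected.
    """
    shell_sessions = set()   # (attacker, victim)
    worm_pulls = set()       # normalised to (attacker, victim) as well
    for src, dst, dport in records:
        if dport == SHELL_PORT:
            shell_sessions.add((src, dst))
        elif dport == FTP_PORT:
            worm_pulls.add((dst, src))
    return sorted(shell_sessions & worm_pulls)


def analyse(log_text):
    """Run both detections over a block of log text and return the findings."""
    records = parse(log_text.splitlines())
    return {
        "scanners": sorted(find_scanners(records)),
        "infections": find_infections(records),
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

On the sample, `10.0.0.5` is reported as a scanner and `("10.0.0.5", "10.0.1.7")` as an infection pair, while the workstation with two file servers and the unmatched 5554 connection stay quiet. In a real environment the scanner threshold should be set from a baseline of normal SMB fan-out, and the article's note that ISPs often block 445 and 139 means the sweep signal is most visible on internal segments.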
totof
May 2 2004, 01:58 AM
Bad virus; the MS04-011 exploit is now finished due to this virus W32.Sasser.Worm.
tweakz20
May 2 2004, 03:53 AM
Stupid vxers... I got hit by this on a machine I didn't touch in the past year (went on it for the first time in how long and got hit by this stupid thing...). Made it shut up by setting up a router I happened to have handy.
Alexander01
May 2 2004, 04:32 AM
Why do those stupid virus kiddies always need to create a virus for a hole... holes are found for security and hacking, not for lame-ass virus kiddies! It's the same with DCOM, they always (filtered) up the shit! I hope there will be a time when they all get caught!
Loxy
May 2 2004, 08:27 AM
agreed Alex.. = /
Madboy
May 2 2004, 10:15 AM
Damn, those kids are so stupid. What do they earn from building a worm?!? Absolutely nothing! Just to make a world panic for a few hours and make the exploit almost useless. I can't get it :\
-Arthy-
May 2 2004, 03:56 PM
They just want to let the world see what they are able to do. Respect for that, but uhh ... it sucks. They should show their skills in a totally different way.
niko
May 3 2004, 09:18 PM
Ya, I mean it could prolly be fun to watch ur life form grow and all that, but now everyone will be patched in a week. -niko
MxMx
May 3 2004, 09:25 PM
Oh my g0d! This f*cking virus slows all my fast Stros down to 15 kb/s.. they were 10 Mbit.
DevilishCheese
May 3 2004, 09:37 PM
Ya, I agree with the above posts. It seems whenever a new good exploit comes out, some stupid script kiddie makes a virus and the exploit is patched within a week. I remember DCOM, that was an awesome exploit, but that damn worm damned it to hell.
SCRIPT KIDDIES, STOP WRITING VIRUSES AND SHOW YOUR SKILLS BY DOING SOMETHING ELSE!!!!
-DevilishCheese