Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.
Companies alerting to security risk of new W32.Sasser.B.Worm
Posted on 3-May-2004 07:59. | Tags Filed under: News.



According to Network Associates the first self-executing worm to attack the MS04-011 vulnerability announced by Microsoft in April is going around the world. McAfee AVERT has raised the risk assessment to medium for W32/Sasser.worm, also known as Sasser, due to its prevalence in the field and its ability to move without the support of email, which has been the primary vehicle of delivery for most of the worms seen recently. This new worm is a self-executable program that spreads by scanning random IP addresses for exploitable systems.

Sasser is a self-executing worm that spreads by exploiting the Microsoft MS04-011 vulnerability. The primary purpose of the worm seems to be to spread to as many vulnerable machines as possible by exploiting un-patched Windows systems, giving it the ability to execute without requiring any action on the part of the user. Once activated the worm copies itself to a folder in the Windows System directory and adds a registry run key to load at system start-up.

After being executed, Sasser scans random IP addresses for exploitable systems. When one is found, the worm exploits the vulnerable system by creating a script and executing it. This script instructs the target victim to download and execute the worm from the infected host. The infected host accepts this FTP traffic on TCP port 5554.

When W32.Sasser.B.Worm runs, it does the following:

  • Attempts to create a mutex called Jobaka3 and exits if the attempt fails. This ensures that no more than one instance of the worm can run on the computer at any time.
  • Copies itself as %Windir%\avserve2.exe.

    --------------------------------------------------------------------------------
    Note: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
    --------------------------------------------------------------------------------

  • Adds the value:

    "avserve2.exe"="%Windir%\avserve2.exe"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the worm runs when you start Windows.

  • Uses the AbortSystemShutdown API to hinder attempts to shut down or restart the computer.

  • Starts an FTP server on TCP port 5554. This server is used to spread the worm to other hosts.

  • Attempts to connect to randomly-generated IP addresses on TCP port 445. If a connection is made to a computer, the worm sends shellcode to that computer which may cause it to run a remote shell on TCP port 9996. The worm then uses the shell to cause the computer to connect back to the FTP server on port 5554 and retrieve a copy of the worm. This copy will have a name consisting of 4 or 5 digits followed by _up.exe (eg 74354_up.exe).

    Symantec has released a removal tool for this new virus, and McAfee gives these instructions for manual removal:

  • Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, choose Safe Mode.
  • Delete the file AVSERVE.EXE from your WINDOWS directory (typically c:\windows or c:\winnt)
  • Edit the registry, delete the "avserve" value from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • Reboot the system into Default Mode



  • comments powered by Disqus




    Trending now »

    Hot discussions in our forums right now:

    Gareth Morgan is a genius
    Created by Satch, last reply by rmt38 on 10-Dec-2016 06:36 (153 replies)
    Pages... 9 10 11


    NZ Prime Minister John Key Resigns
    Created by ajobbins, last reply by elpenguino on 9-Dec-2016 12:44 (217 replies)
    Pages... 13 14 15


    The President Of The USA - Who do you think?
    Created by TimA, last reply by DarthKermit on 8-Dec-2016 16:22 (909 replies)
    Pages... 59 60 61


    Spark wireless broadband and home /lan access: CGNAT limitations
    Created by yokkem, last reply by BarTender on 8-Dec-2016 15:57 (19 replies)
    Pages... 2


    Spark not planning to deploy native IPv6 at all. Ever.
    Created by Erayd, last reply by sbiddle on 7-Dec-2016 20:57 (19 replies)
    Pages... 2


    Woooaaahh earthquake 2016-11-14
    Created by Fred99, last reply by DarthKermit on 9-Dec-2016 16:16 (471 replies)
    Pages... 30 31 32


    Wilson's Car Park - When Free is not free
    Created by nzkiwiman, last reply by cr250bromo on 9-Dec-2016 09:30 (51 replies)
    Pages... 2 3 4


    JB Hifi Cost & GST Sale - 7th Dec
    Created by Finch, last reply by Kopkiwi on 7-Dec-2016 15:11 (16 replies)
    Pages... 2