Companies alerting to security risk of new W32.Sasser.B.Worm
Posted on 3-May-2004 07:59 | Filed under: News



According to Network Associates the first self-executing worm to attack the MS04-011 vulnerability announced by Microsoft in April is going around the world. McAfee AVERT has raised the risk assessment to medium for W32/Sasser.worm, also known as Sasser, due to its prevalence in the field and its ability to move without the support of email, which has been the primary vehicle of delivery for most of the worms seen recently. This new worm is a self-executable program that spreads by scanning random IP addresses for exploitable systems.

Sasser is a self-executing worm that spreads by exploiting the Microsoft MS04-011 vulnerability. The primary purpose of the worm seems to be to spread to as many vulnerable machines as possible by exploiting unpatched Windows systems, giving it the ability to execute without requiring any action on the part of the user. Once activated, the worm copies itself to a folder in the Windows System directory and adds a registry run key to load at system start-up.

After being executed, Sasser scans random IP addresses for exploitable systems. When one is found, the worm exploits the vulnerable system by creating a script and executing it. This script instructs the target victim to download and execute the worm from the infected host. The infected host accepts this FTP traffic on TCP port 5554.

When W32.Sasser.B.Worm runs, it does the following:

  • Attempts to create a mutex called Jobaka3 and exits if the attempt fails. This ensures that no more than one instance of the worm can run on the computer at any time.
  • Copies itself as %Windir%\avserve2.exe.

    Note: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.

  • Adds the value:

    "avserve2.exe"="%Windir%\avserve2.exe"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the worm runs when you start Windows.

  • Uses the AbortSystemShutdown API to hinder attempts to shut down or restart the computer.

  • Starts an FTP server on TCP port 5554. This server is used to spread the worm to other hosts.

  • Attempts to connect to randomly generated IP addresses on TCP port 445. If a connection is made to a computer, the worm sends shellcode to that computer, which may cause it to run a remote shell on TCP port 9996. The worm then uses the shell to cause the computer to connect back to the FTP server on port 5554 and retrieve a copy of the worm. This copy will have a name consisting of 4 or 5 digits followed by _up.exe (e.g. 74354_up.exe).
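As an added example (not code from the article or from the vendors it quotes), the following Python flags the traffic pattern described above in constructed firewall log lines: wide fan-out to TCP 445, shell traffic to TCP 9996, and victims connecting back to the scanner's own TCP 5554 FTP server. The log format, the sample addresses and the scan threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed firewall log sample (not from the article): timestamp, src, dst, dst port, action.
SAMPLE_LOG = """\
2004-05-03 08:00:01 10.0.0.20 10.0.0.5 445 allow
2004-05-03 08:00:02 10.0.0.7 192.168.4.19 445 allow
2004-05-03 08:00:02 10.0.0.7 172.16.9.3 445 allow
2004-05-03 08:00:02 10.0.0.7 203.0.113.8 445 allow
2004-05-03 08:00:03 10.0.0.7 198.51.100.2 445 allow
2004-05-03 08:00:03 10.0.0.7 192.0.2.77 445 allow
2004-05-03 08:00:04 10.0.0.7 192.168.4.19 9996 allow
2004-05-03 08:00:05 192.168.4.19 10.0.0.7 5554 allow
"""
LINE_RE = re.compile(r"^\S+ \S+ (\S+) (\S+) (\d+) \w+$")

def parse_log(text):
    """Return (src, dst, dport) tuples; lines that do not match the assumed format are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2), int(m.group(3))))
    return out

def find_sasser_candidates(events, scan_threshold=5):
    """Map suspect source IPs to the Sasser indicators seen for them: fan-out on tcp/445,
    shell traffic to tcp/9996, and victims connecting back to the host's tcp/5554 FTP server."""
    smb_targets = defaultdict(set)    # src -> distinct hosts it touched on 445
    shell_targets = defaultdict(set)  # src -> hosts it touched on 9996
    ftp_clients = defaultdict(set)    # dst -> hosts that connected to its 5554
    for src, dst, port in events:
        if port == 445:
            smb_targets[src].add(dst)
        elif port == 9996:
            shell_targets[src].add(dst)
        elif port == 5554:
            ftp_clients[dst].add(src)
    suspects = {}
    for src, dsts in smb_targets.items():  # only hosts that scanned 445 are candidates
        hits = []
        if len(dsts) >= scan_threshold:
            hits.append(f"{len(dsts)} distinct hosts on tcp/445")
        if shell_targets.get(src):
            hits.append(f"shell traffic to {sorted(shell_targets[src])} on tcp/9996")
        if ftp_clients.get(src):
            hits.append(f"inbound tcp/5554 from {sorted(ftp_clients[src])} (worm FTP pull)")
        if hits:
            suspects[src] = hits
    return suspects
```

In the sample, 10.0.0.20 talks to a single file server on 445 and is not flagged, while 10.0.0.7 shows all three indicators.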

Symantec has released a removal tool for this new virus, and McAfee gives these instructions for manual removal:

  • Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, then choose Safe Mode).
  • Delete the file AVSERVE.EXE from your WINDOWS directory (typically c:\windows or c:\winnt)
  • Edit the registry, delete the "avserve" value from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • Reboot the system into Default Mode
