Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.

Companies alerting to security risk of new W32.Sasser.B.Worm

Posted on 3-May-2004 07:59 | Filed under: News


According to Network Associates the first self-executing worm to attack the MS04-011 vulnerability announced by Microsoft in April is going around the world. McAfee AVERT has raised the risk assessment to medium for W32/Sasser.worm, also known as Sasser, due to its prevalence in the field and its ability to move without the support of email, which has been the primary vehicle of delivery for most of the worms seen recently. This new worm is a self-executable program that spreads by scanning random IP addresses for exploitable systems.

Sasser is a self-executing worm that spreads by exploiting the Microsoft MS04-011 vulnerability. The primary purpose of the worm seems to be to spread to as many vulnerable machines as possible by exploiting un-patched Windows systems, giving it the ability to execute without requiring any action on the part of the user. Once activated the worm copies itself to a folder in the Windows System directory and adds a registry run key to load at system start-up.

After being executed, Sasser scans random IP addresses for exploitable systems. When one is found, the worm exploits the vulnerable system by creating a script and executing it. This script instructs the target victim to download and execute the worm from the infected host. The infected host accepts this FTP traffic on TCP port 5554.

When W32.Sasser.B.Worm runs, it does the following:

  • Attempts to create a mutex called Jobaka3 and exits if the attempt fails. This ensures that no more than one instance of the worm can run on the computer at any time.
  • Copies itself as %Windir%\avserve2.exe.

    --------------------------------------------------------------------------------
    Note: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
    --------------------------------------------------------------------------------

  • Adds the value:

    "avserve2.exe"="%Windir%\avserve2.exe"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the worm runs when you start Windows.

  • Uses the AbortSystemShutdown API to hinder attempts to shut down or restart the computer.

  • Starts an FTP server on TCP port 5554. This server is used to spread the worm to other hosts.

  • Attempts to connect to randomly-generated IP addresses on TCP port 445. If a connection is made to a computer, the worm sends shellcode to that computer which may cause it to run a remote shell on TCP port 9996. The worm then uses the shell to cause the computer to connect back to the FTP server on port 5554 and retrieve a copy of the worm. This copy will have a name consisting of 4 or 5 digits followed by _up.exe (eg 74354_up.exe).

    Symantec has released a removal tool for this new virus, and McAfee gives these instructions for manual removal:

  • Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, choose Safe Mode.
  • Delete the file AVSERVE.EXE from your WINDOWS directory (typically c:\windows or c:\winnt)
  • Edit the registry, delete the "avserve" value from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • Reboot the system into Default Mode





    • RSS feeds
    Main feed
    Forums feed
    Copyright
    ©2002-2026 Geekzone®
    Site features
    Geekzone BI dashboard
    Geekzone Badges
    Geekzone Status Page

     

    Site Information
    Subscribe to Geekzone
    Privacy Statement
    Forum Usage Guidelines (FUG)
    Advertising
    Trademark and copyright