Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.
Companies alerting to security risk of new W32.Sasser.B.Worm
Posted on 3-May-2004 07:59 | Tags Filed under: News



According to Network Associates the first self-executing worm to attack the MS04-011 vulnerability announced by Microsoft in April is going around the world. McAfee AVERT has raised the risk assessment to medium for W32/Sasser.worm, also known as Sasser, due to its prevalence in the field and its ability to move without the support of email, which has been the primary vehicle of delivery for most of the worms seen recently. This new worm is a self-executable program that spreads by scanning random IP addresses for exploitable systems.

Sasser is a self-executing worm that spreads by exploiting the Microsoft MS04-011 vulnerability. The primary purpose of the worm seems to be to spread to as many vulnerable machines as possible by exploiting un-patched Windows systems, giving it the ability to execute without requiring any action on the part of the user. Once activated the worm copies itself to a folder in the Windows System directory and adds a registry run key to load at system start-up.

After being executed, Sasser scans random IP addresses for exploitable systems. When one is found, the worm exploits the vulnerable system by creating a script and executing it. This script instructs the target victim to download and execute the worm from the infected host. The infected host accepts this FTP traffic on TCP port 5554.

When W32.Sasser.B.Worm runs, it does the following:

  • Attempts to create a mutex called Jobaka3 and exits if the attempt fails. This ensures that no more than one instance of the worm can run on the computer at any time.
  • Copies itself as %Windir%\avserve2.exe.

    --------------------------------------------------------------------------------
    Note: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
    --------------------------------------------------------------------------------

  • Adds the value:

    "avserve2.exe"="%Windir%\avserve2.exe"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the worm runs when you start Windows.

  • Uses the AbortSystemShutdown API to hinder attempts to shut down or restart the computer.

  • Starts an FTP server on TCP port 5554. This server is used to spread the worm to other hosts.

  • Attempts to connect to randomly-generated IP addresses on TCP port 445. If a connection is made to a computer, the worm sends shellcode to that computer which may cause it to run a remote shell on TCP port 9996. The worm then uses the shell to cause the computer to connect back to the FTP server on port 5554 and retrieve a copy of the worm. This copy will have a name consisting of 4 or 5 digits followed by _up.exe (eg 74354_up.exe).

    Symantec has released a removal tool for this new virus, and McAfee gives these instructions for manual removal:

  • Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, choose Safe Mode.
  • Delete the file AVSERVE.EXE from your WINDOWS directory (typically c:\windows or c:\winnt)
  • Edit the registry, delete the "avserve" value from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • Reboot the system into Default Mode






  • comments powered by Disqus


    Trending now »

    Hot discussions in our forums right now:

    iPhone 8/iPhone X, impressions?
    Created by surfisup1000, last reply by danza on 23-Sep-2017 11:06 (405 replies)
    Pages... 25 26 27


    Driving an automatic - do you use one foot or both?
    Created by geekIT, last reply by Batman on 23-Sep-2017 05:28 (135 replies)
    Pages... 7 8 9


    Auckland Airport fuel supply obliterated by digger
    Created by Batman, last reply by k1wi on 23-Sep-2017 03:12 (220 replies)
    Pages... 13 14 15


    How to backup/copy an iphone app?
    Created by Batman, last reply by scuwp on 19-Sep-2017 19:37 (24 replies)
    Pages... 2


    Mighty Ape Birthday hunt 2017
    Created by ThePlague, last reply by joshhill96 on 21-Sep-2017 23:11 (22 replies)
    Pages... 2


    IOS 11 email client and Office 365 - heads up people
    Created by gjm, last reply by mattwnz on 20-Sep-2017 17:15 (18 replies)
    Pages... 2


    When did we become America
    Created by BTR, last reply by Fred99 on 22-Sep-2017 12:12 (66 replies)
    Pages... 3 4 5


    Sky blames piracy for lost customers. Sky: it's time to wake up and smell the coffee.
    Created by kingdragonfly, last reply by Rikkitic on 21-Sep-2017 11:10 (482 replies)
    Pages... 31 32 33