Virus/Worm Alert - W32.Sasser.Worm

  • Kevin P
    Member
    • Aug 2000
    • 10809

    Virus/Worm Alert - W32.Sasser.Worm

    ALERT ALERT, Danger Will Robinson!

    There is a new worm going around which is reminiscent of the Blaster worm that hit last summer. It's called Sasser and there's more information available here:

    Symantec writeup
    F-Secure writeup

    If you're running XP and are hit, it could shut down with an LSASS error (similar to the way Blaster caused XP systems to crash).

    A patch is available from Microsoft to close the vulnerability the worm is using to get in.
    MS Security Bulletin MS04-011

    The good news is that it isn't spreading as fast as Blaster did when it hit. A lot of home ISPs now block port 445 which is probably slowing the spread. But if your ISP doesn't do this, and you don't have a firewall or the MS04-011 patch, you could be vulnerable.
  • Kevin P
    Member
    • Aug 2000
    • 10809

    #2
    W32.Sasser.B.Worm

    There's a 2nd variant of Sasser spreading now:

    Symantec write-up

    Both Sasser variants are a category 3 (medium threat). If you have a firewall and have the April 2004 MS patches you'll be safe from this one.

    I'm not looking forward to going into work tomorrow, since I'll bet we'll have a few infected/crashed PCs waiting, after what happened with Blaster last summer... :roll:


    • Kevin P
      Member
      • Aug 2000
      • 10809

      #3
      Windows 2000/2003/XP Patches

      To protect yourself from the Sasser Worm, you need to install the KB835732 patch from Microsoft. Only Windows 2000, Windows XP, and Windows Server 2003 are vulnerable and need to be patched.

      Microsoft Security Bulletin MS04-011 LSASS Buffer Overflow Vulnerability

      The easiest way to patch your system is to use the Windows Update site. But if you want or need to patch manually, or have several machines to patch, you should download the patches from the URLs listed below.

      KB835732 patches for Windows Security Update MS04-011

      MS04-011 Patch for all Windows 2000 Versions

      MS04-011 for all 32-Bit Windows XP Versions

      MS04-011 Patch for 32-Bit Windows 2003 Server Versions

      The following are for 64-bit versions only:

      MS04-011 Patch for 64-Bit Windows 2003 Server Versions

      MS04-011 Patch for 64-Bit Windows XP Server Version 2003

      MS04-011 Patch for 64-Bit Windows XP Server SP1

      The following are removal tools for Sasser and Sasser.B:

      KB841720 - Sasser.A and Sasser.B Worm Removal Tool

      Sasser Removal Tool by Symantec

      Sasser Removal Tool by F-Secure


      • GregoriusM
        Super Senior Member
        • Oct 2000
        • 2755

        #4
        If I have lsass.exe running as one of my system processes, does that mean that I have the worm?

        I can shutdown and restart just fine, and access the internet just fine.

        ???

        Gregor


        • Kevin P
          Member
          • Aug 2000
          • 10809

          #5
          Originally posted by GregoriusM
          If I have lsass.exe running as one of my system processes, does that mean that I have the worm?

          I can shutdown and restart just fine, and access the internet just fine.

          ???

          Gregor
          Nope, lsass.exe is part of Windows. It contains a buffer overflow vulnerability, which Sasser uses to worm its way in, if you don't have the latest MS patches.

          If you see one or more of the following running processes, then you're infected:
          • avserve.exe
          • avserve2.exe
          • skynetave.exe
          • #####_up.exe (where ##### are numeric digits)


          Also if you're infected, or vulnerable and the worm is trying to get in, it can cause the aforementioned lsass.exe to crash, which results in the dreaded "system is shutting down in 60 seconds" message (in XP anyway). You can abort the shutdown from a command prompt by typing shutdown -a.

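As an added example (not part of the thread and not a vendor tool), here is a small check that applies the process-name indicators listed in the post above to the output of `tasklist /FO CSV /NH`, flagging the three fixed names plus the numeric `#####_up.exe` form while leaving the legitimate lsass.exe alone. The sample tasklist output is constructed for illustration.

```python
import csv
import io
import re

# Process names the post lists as Sasser indicators (matched case-insensitively,
# since Windows file names are case-insensitive).
SASSER_NAMES = {"avserve.exe", "avserve2.exe", "skynetave.exe"}
# The "#####_up.exe" form: one or more decimal digits followed by _up.exe
SASSER_PATTERN = re.compile(r"^\d+_up\.exe$", re.IGNORECASE)


def is_sasser_indicator(image_name: str) -> bool:
    """Return True if a process image name matches one of the listed indicators."""
    name = image_name.strip().lower()
    return name in SASSER_NAMES or bool(SASSER_PATTERN.match(name))


def find_sasser_indicators(tasklist_csv: str) -> list:
    """Parse `tasklist /FO CSV /NH` output; return (image name, PID) for each hit.

    Column order in that output is: Image Name, PID, Session Name, Session#, Mem Usage.
    """
    hits = []
    for row in csv.reader(io.StringIO(tasklist_csv)):
        if len(row) < 2:
            continue  # blank or malformed line
        image, pid = row[0], row[1]
        if is_sasser_indicator(image):
            hits.append((image, int(pid)))
    return hits


# Constructed sample in the format of `tasklist /FO CSV /NH`; not a real capture.
SAMPLE_TASKLIST = '''"System Idle Process","0","Console","0","16 K"
"lsass.exe","652","Console","0","1,204 K"
"explorer.exe","1208","Console","0","12,480 K"
"avserve2.exe","1676","Console","0","3,912 K"
"48213_up.exe","1704","Console","0","2,104 K"
"notepad.exe","1920","Console","0","2,220 K"
'''

if __name__ == "__main__":
    for image, pid in find_sasser_indicators(SAMPLE_TASKLIST):
        print(f"indicator process: {image} (PID {pid})")
```

On a live machine you would feed it the real output, e.g. `tasklist /FO CSV /NH > procs.csv` and pass the file contents to `find_sasser_indicators`.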

          • Kevin P
            Member
            • Aug 2000
            • 10809

            #6
            A teenager was arrested in Germany in connection with the releasing of the Sasser and Netsky worms:

            Yahoo! News Article

            It seems that they were all (or mostly) written by one guy.


            • Lex
              Moderator Emeritus
              • Apr 2001
              • 27461

              #7
              Kevin, you're doing an outstanding job keeping us informed. Very helpful!

              I hear he released another one right before he got caught that was supposed to undo some of what he's done. But they said it wouldn't work like that. It's just another stripped-down version of Sasser.

              Lex
              Doug
              "I'm out there Jerry, and I'm loving every minute of it!" - Kramer
