Sasser internet worm attacks unpatched PCs


Sasser internet worm attacks unpatched PCs (English Version Only)

May 06, 2004

Description

W32.Sasser worm and variants is a worm that attempts to exploit the Microsoft Windows LSASS vulnerability MS04-011.

W32.Sasser worm variants discovered by antivirus vendor:

  • W32.Sasser.A worm
  • W32.Sasser.B worm
  • W32.Sasser.C worm (Updated on 4May 2003)
  • W32.Sasser.D worm (Updated on 4May 2003)

The worms spreads by scanning randomly-chosen IP addresses and attempts to connect to the vulnerable computer on TCP port 445. If it connects successfully, it sends a specially crafted packet to expliot this vulnerability.

Once the computer is attacked by the worm, the following message boxes may appear:

The worm uses this to open a remote shell, listening on TCP port 9996 (W32.Sasser.A - C worm) or 9995 (W32.Sasser.D worm). It connects to this port and uses the shell to create an ftp script called "cmd.ftp" on the system directory of infected computer. The script instructs the infected computer to download and execute a copy of the worm via FTP. The FTP server listens on TCP port 5554 on all infected computers with the purpose of serving out the worm for other computer that are being infected. Transactions through the FTP server are logged to 'C:\win.log'.

 

Windows 95/98/Me and Windows NT/2000/XP/2003

W32/Sasser-A, W32/Sasser-B and W32/Sasser-D can be removed from Windows 95/98/Me and Windows NT/2000/XP/2003 computers automatically with the following Resolve tools.

 

Windows disinfector

SASSGUI is a disinfector for standalone Windows computers

  • open SASSGUI
  • run it
  • then click GO.

If you are disinfecting several computers; download it, save it to floppy disk, write-protect the floppy disk and run it from there.

After removing the worm you should install the Microsoft patch MS04-011 or, on single computers, update with all relevant security patches from Windows update.

 

Command line disinfector

SASSSFX.EXE is a self-extracting archive containing SASSCLI, a Resolve command line disinfector for use by system administrators on Windows networks. Read the notes enclosed in the self-extractor for details on running this program.

After removing the worm you should install the Microsoft patch MS04-011 or, on single computers, update with all relevant security patches from Windows update.

 

Other platforms

To remove W32/Sasser-A, W32/Sasser-B and W32/Sasser-D on other platforms please follow the instructions for removing worms.

 

Related Link(s)

For more information, please refer to the following websites.

Information from Computer Associates : variants A, B, C, D
Information from F-Secure : variants A, B, C, D
Information from McAfee : variants A, B, C, D
Information from Norman : variants A , B
Information from Sophos : variants A, B, D
Information from Symantec : variants A , B, C, D
Information from Trend Micro : variants A , B, C, D

For more information, please refer to the following websites.

http://www.hkcert.org




News Contact

Service Hotline: (852) 2998 0808
Fax: (852) 29977800
Email: [email protected]

Latest News
server maintenance, maintenance service ACRONIS Backup Solution, ACRONIS 備份方案, Virtual Private Server MyVPS hosting, web hosting, hosting hk, cloud hosting, ssd hosting, SSD 網站寄存, Unix Hosting, Windows Hosting Malaysia Server, Singapore Server, USA Server, Taiwan Server, Japan Server, China Server dedicated server, Dell 伺服器租用, Dell Server Rental colocation, server colocation, colocation hk, hk datacenter, 伺服器託管, 托管伺服器, 香港數據中心 ssd email, cloud email, Email Server Rental, Spam Controller, Global SMTP, Smart Email System, Catch SMTP, Offline Email Backup, Secondary MX Record 7x24