Friday, May 21, 2004

W32 Sasser Worm

Most viruses infect your PC through an attachment to an email,
and as long as your antivirus software is up to date you're OK (in most
cases). The newest member of the virus community has taken a different
approach to infecting PCs. The W32 Sasser Worm doesn't arrive as an
email attachment; instead it proactively takes advantage of another
Windows vulnerability. This might make you feel a little insecure or
confused about how to protect yourself, but don't worry, I'll do my best
to get everyone up to speed so you can be prepared.

If the W32 Sasser doesn't use email attachments to infect PCs, then
how does it spread, and how do you catch it? The worm scans
randomly generated IP addresses looking for a vulnerability in
LSASS.exe (Local Security Authority Subsystem Service). Once the
worm finds a vulnerable system it overflows a buffer in LSASS.exe
and installs shell code that executes, connects to the FTP server
(running on the originally infected PC), and downloads the worm.
Once the worm is in place it starts generating IP addresses of its own and
tries to infect other PCs.

In addition to trying to spread to other PCs, the program also causes
a serious slow-down of system performance by continuously wasting
your system's resources, slowing your PC down and even causing
reboots. The W32 Sasser can infect only Windows XP and 2000, but 95,
98, and Me can help spread the worm without being infected. The port
that Sasser uses to enter other PCs is TCP port 445, and the backdoor
ports used for the remote shell and the FTP server are 9996 and
5554 respectively. Huh? OK, let's go on to prevention.
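The three port numbers above are what a network administrator can actually watch for: a single PC opening connections to TCP 445 on many different addresses is the scanning behaviour described, and any traffic to ports 5554 or 9996 points at the worm's FTP server or remote shell. The script below is an added example written for this post, not code from the original article or from any antivirus vendor. It parses a constructed connection log in a made-up format (`src=... dst=... dport=... proto=...`), counts distinct TCP/445 targets per source, flags hosts that accept or make connections on the two backdoor ports, and reports why each host was flagged. The scan threshold of 10 distinct hosts is an assumption chosen for the example, not a figure from the post.

```python
import re
from collections import defaultdict

# Ports named in the post: the exploit arrives over TCP 445, the remote
# shell listens on 9996 and the worm's FTP server on 5554.
SMB_PORT = 445
SASSER_BACKDOOR_PORTS = {5554, 9996}

# Assumption for this example: a workstation that opens SMB sessions to
# this many distinct hosts in one log window is treated as scanning.
SCAN_THRESHOLD = 10

# Assumed log format (constructed for this example, not any vendor's):
# "<date> <time> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def analyse(lines, scan_threshold=SCAN_THRESHOLD):
    """Map each suspicious host to a list of reasons it was flagged."""
    smb_targets = defaultdict(set)         # source -> distinct hosts hit on 445
    served_backdoor = defaultdict(set)     # host -> backdoor ports others reached
    contacted_backdoor = defaultdict(set)  # host -> (dst, port) it connected to

    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"].lower() != "tcp":
            continue  # skip malformed lines and non-TCP traffic
        if rec["dport"] == SMB_PORT:
            smb_targets[rec["src"]].add(rec["dst"])
        elif rec["dport"] in SASSER_BACKDOOR_PORTS:
            served_backdoor[rec["dst"]].add(rec["dport"])
            contacted_backdoor[rec["src"]].add((rec["dst"], rec["dport"]))

    findings = defaultdict(list)
    for host, targets in smb_targets.items():
        if len(targets) >= scan_threshold:
            findings[host].append(
                f"TCP/445 scan: {len(targets)} distinct hosts")
    for host, ports in served_backdoor.items():
        findings[host].append(
            f"accepted connections on Sasser ports {sorted(ports)}")
    for host, hits in contacted_backdoor.items():
        for dst, port in sorted(hits):
            findings[host].append(f"connected to {dst}:{port} (Sasser port)")
    return dict(findings)


# Constructed sample log, not a real capture.
SAMPLE_LOG = [
    f"2004-05-21 09:00:{i:02d} src=192.168.1.20 dst=10.0.0.{i} dport=445 proto=tcp"
    for i in range(1, 13)
] + [
    # a host that was hit on 445 then fetches the worm from the infector's FTP
    "2004-05-21 09:00:13 src=10.0.0.5 dst=192.168.1.20 dport=5554 proto=tcp",
    # another victim reaching the remote shell port
    "2004-05-21 09:00:14 src=10.0.0.7 dst=192.168.1.20 dport=9996 proto=tcp",
    # ordinary file-server traffic: two SMB sessions and a web request
    "2004-05-21 09:00:15 src=192.168.1.30 dst=10.0.0.200 dport=445 proto=tcp",
    "2004-05-21 09:00:16 src=192.168.1.30 dst=10.0.0.201 dport=445 proto=tcp",
    "2004-05-21 09:00:17 src=192.168.1.30 dst=10.0.0.202 dport=80 proto=tcp",
    "a malformed line the parser skips",
]

if __name__ == "__main__":
    for host, reasons in sorted(analyse(SAMPLE_LOG).items()):
        print(host)
        for reason in reasons:
            print("   ", reason)
```

Run against the sample, the scanner 192.168.1.20 is flagged twice (twelve distinct TCP/445 targets, and it served both backdoor ports), the two hosts that reached back to it are flagged for contacting 5554 and 9996, and the file-server client 192.168.1.30 stays clean because two SMB sessions are well under the threshold. In a real network you would feed it the firewall or flow log for a short window and tune the threshold to what normal SMB usage looks like on that segment.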

To avoid infection, make sure that you are up to date with both your
antivirus software and Windows Update. If you already have Windows Update
patch 835732, then you are protected. If you're infected, there are
removal tools from both
McAfee http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=125008
and Norton http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html
