W32.Sasser.B.Worm

Discovered on: May 01, 2004
Last Updated on: May 02, 2004 02:34:21 PM

W32.Sasser.B.Worm is a variant of W32.Sasser.Worm. It attempts to exploit the LSASS vulnerability described in Microsoft Security Bulletin MS04-011, and spreads by scanning randomly-chosen IP addresses for vulnerable systems.



--------------------------------------------------------------------------------
Notes:
The MD5 hash value for this worm is 0x1A2C0E6130850F8FD9B9B5309413CD00.
Symantec Security Response has developed a removal tool to clean the infections of W32.Sasser.B.Worm.

--------------------------------------------------------------------------------



Variants: W32.Sasser.Worm
Type: Worm
Infection Length: 15872 bytes



Systems Affected: Windows 2000, Windows Server 2003, Windows XP

When W32.Sasser.B.Worm runs, it does the following:

Attempts to create a mutex called Jobaka3 and exits if the attempt fails. This ensures that no more than one instance of the worm can run on the computer at any time.

Copies itself as %Windir%\avserve2.exe.


--------------------------------------------------------------------------------
Note: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
--------------------------------------------------------------------------------


Adds the value:

"avserve2.exe"="%Windir%\avserve2.exe"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the worm runs when you start Windows.


Uses the AbortSystemShutdown API to hinder attempts to shut down or restart the computer.


Starts an FTP server on TCP port 5554. This server is used to spread the worm to other hosts.


Attempts to connect to randomly-generated IP addresses on TCP port 445. If a connection is made to a computer, the worm sends shellcode to that computer which may cause it to run a remote shell on TCP port 9996. The worm then uses the shell to cause the computer to connect back to the FTP server on port 5554 and retrieve a copy of the worm. This copy will have a name consisting of 4 or 5 digits followed by _up.exe (eg 74354_up.exe).

http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.b.worm.html

 

A newer, better-built version of the Sasser worm has boosted the infectiousness of the original, spreading to more than 10,000 computers over the weekend, antivirus company Symantec said on Monday.

The new worm, Sasser.B, like its predecessor Sasser.A, takes advantage of a vulnerability in unpatched versions of Windows XP and Windows 2000 systems. The worms infect vulnerable systems by establishing a remote connection to the targeted computer, installing a file transfer protocol (FTP) server and then downloading themselves to the new host.

Read Article

 

Trend Newsletter: WORM_SASSER.B

WORM_SASSER.B, a variant of the SASSER worm, exploits the Windows LSASS vulnerability, which is a buffer overrun that allows remote code execution and enables an attacker to gain full control of infected systems. This vulnerability is discussed in detail in Microsoft Security Bulletin MS04-011.

Upon execution, this memory-resident worm drops a copy of itself in the Windows folder as AVSERVE2.EXE. It then adds a registry entry that allows it to automatically execute at every system startup.

This SASSER variant creates the following mutex:

• Jobaka3
• JumpallsNlsTillt

If an instance of JumpallsNlsTillt is found, this worm does not proceed with its execution.

To propagate on systems running Windows XP and Windows 2000 Professional, this worm creates 128 execution threads that generate random IP addresses. (The worm creates 128 threads at 25 ms, which results in 5,120 attacks per second.) It then sends a specially crafted packet of these addresses to TCP port 445. The sent packet causes a buffer overflow on LSASS.EXE and runs a remote shell on vulnerable machines. TCP port 445 is a valid port used by Windows 2000 to transport Server Message Block (SMB) data over TCP and UDP.

Windows 2003 Server is also vulnerable to the LSASS exploit, as reported by Microsoft in its Security Bulletin. Due to the method in which SASSER utilizes the exploit, this worm is unable to infect Windows 2003 Server.

The remote shell listens to port 9996 for further commands from this worm, and allows the worm to manipulate the vulnerable machine. From its remote location, this worm sends in commands to the remote shell so that an FTP script file CMD.FTP is generated. It also commands the remote shell to run the FTP script. The FTP script downloads a copy of this worm from the originally infected system to the machine running the shell.

After the download, this worm deletes the file CMD.FTP from the newly infected system. It also generates a log file WIN2.LOG in the root directory. This file contains the number of remote systems that the host system has infected and the IP address of the most recently infected system.

This worm produces a buffer overflow in LSASS.EXE, causing the program to crash, which requires Windows to restart.

If you would like to scan your computer for WORM_SASSER.B or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com

WORM_SASSER.B is detected and cleaned by Trend Micro pattern file #883 and above.