Mike's VirusInfo - Sasser worm


Sasser Worms Exploit Microsoft Vulnerability
From: eSecurityPlanet, May 3, 2004

Several security vendors Monday issued medium to high threat alerts for different variants of Sasser, a network worm that spreads by exploiting the Microsoft LSASS vulnerability over TCP port 445.

For further information on this vulnerability see Microsoft Security Bulletin MS04-011.

According to Sophos, the latest variant, W32/Sasser-D, when first run copies itself to the Windows folder with the filename skynetave.exe and creates the following registry entry, so the worm is run automatically each time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\skynetave.exe = %WINDOWS%\skynetave.exe

A harmless text file is created in the C:\ root folder named win2.log.

Another variant, W32/Sasser-B, when first run also copies itself to the Windows folder as avserve2.exe and creates the following registry entry, so that avserve2.exe is run automatically each time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avserve2.exe = %WINDOWS%\avserve2.exe

A harmless text file is created in the C:\ root folder named win2.log.

Find out more about the Sasser worm at this Sophos page.

The number of computers affected by the Sasser worm continues to rise, and the situation is expected to worsen, according to Panda Software. New variants are also likely to emerge and the vendor has issued a red alert.

The Sasser worms are particularly dangerous for corporate environments as they can spread across networks in a matter of seconds. Both the French Stock Exchange and the France Presse news agency have fallen victim to this new malicious code and their communications were affected on Saturday, Panda Software reports.

The situation appears to be even more serious as the creators of the worm are coordinating the continuous launch of new variants in order to increase the probability of infection. PandaLabs has also detected the presence of Sasser.C, which can launch up to 1024 processes in memory, making it potentially far more virulent than its predecessors.

The appearance of the new Sasser worms is seemingly directly linked to the wave of viruses blighting the Internet over the last few months. PandaLabs has also detected the new Netsky.AC worm, which like its predecessors contains a message hidden inside its code. On this occasion however, there are no insulting messages to the authors of other worms such as Bagle or Mydoom, but instead a message directed at antivirus vendors. The message claims that the authors are also responsible for the Sasser worms:

Hey, av firms, do you know that we have programmed the sasser virus?!?. Yeah thats true! Why do you have named it sasser? A Tip: Compare the FTP-Server code with the one from Skynet.V!!! LooL! We are the Skynet...' Here is an part of the sasser sourcecode you named so, lol

Panda Software is emphasizing the importance of installing the Microsoft patch to ensure that Sasser.A doesn't re-infect computers. The vulnerability exploited by this worm was reported by Microsoft recently in bulletin MS04-011.

More information about the Sasser worm is at this Panda Software page.

Symantec has also issued an alert for W32.Sasser.B.Worm and W32.Sasser.C.Worm, a minor variant of W32.Sasser.B.Worm.

The C variant attempts to exploit the LSASS vulnerability described in Microsoft Security Bulletin MS04-011, and spreads by scanning randomly-chosen IP addresses for vulnerable systems. This particular variant spawns 1024 threads for the infection routine, whereas the previous variant, W32.Sasser.B.Worm, uses 128 threads.

The B variant attempts to exploit the LSASS vulnerability described in Microsoft Security Bulletin MS04-011, and spreads by scanning randomly-chosen IP addresses for vulnerable systems.

Technical details on the B variant are at this Symantec page.

Technical details on the C variant are at this Symantec page.

McAfee is reporting the appearance of the A, B, C and D variants of the Sasser worm, and has rated the A and B variants a medium threat level.

This self-executing worm spreads by exploiting a Microsoft Windows vulnerability [MS04-011 vulnerability (CAN-2003-0533)]

The B variant spreads with the file name: avserve2.exe. Unlike many recent worms, this virus does not spread via email. No user intervention is required to become infected or propagate the virus further. The worm works by instructing vulnerable systems to download and execute the viral code.

The virus copies itself to the Windows directory as avserve2.exe and creates a registry run key to load itself at startup: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "avserve2.exe" = C:\WINDOWS\avserve2.exe

As the worm scans random IP addresses, it listens on successive TCP ports starting at 1068. It also acts as an FTP server on TCP port 5554, and creates a remote shell on TCP port 9996.

A file named win2.log is created on the root of the C: drive. This file contains an IP address.

Copies of the worm are created in the Windows System directory as #_up.exe, where # is a number.

Examples are:
c:\WINDOWS\system32\11583_up.exe
c:\WINDOWS\system32\16913_up.exe
c:\WINDOWS\system32\29739_up.exe

A side-effect of the worm is that LSASS.EXE crashes; by default, such a system will reboot after the crash occurs.
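The host-level indicators listed above (the Run-key value names, the win.log/win2.log marker in the root of C:, and the numbered <number>_up.exe copies in System32) can be checked mechanically. The following Python script is an added example and is not code from the page or from McAfee; the registry export and file listing it parses are constructed sample inputs, and the indicator names come only from the variants described on this page (avserve2.exe, skynetave.exe), so other variants would need their own entries.

```python
"""Match Sasser host indicators against a Run-key export and a file listing.

Inputs are what an operator would gather with
    reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg
    dir /b /s C:\ > files.txt
The samples embedded below are constructed for illustration.
"""
import re
import sys

# Run-key value names attributed to Sasser variants in the vendor write-ups.
RUN_VALUE_NAMES = {"avserve2.exe", "skynetave.exe"}
# Marker file dropped in the root of C: (win.log / win2.log depending on variant).
ROOT_LOGS = {r"c:\win.log", r"c:\win2.log"}
# Numbered copies such as C:\WINDOWS\system32\11583_up.exe.
UP_EXE_RE = re.compile(r"\\system32\\\d+_up\.exe$", re.IGNORECASE)
# One `"name"="value"` line of a .reg export.
REG_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

# Constructed excerpt of a `reg export` of the Run key (not a real capture).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avserve2.exe"="C:\\WINDOWS\\avserve2.exe"
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"""

# Constructed file listing (not a real host).
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\11583_up.exe",
    r"C:\WINDOWS\system32\notepad.exe",
    r"C:\win2.log",
    r"C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe",
]


def parse_run_key(reg_text):
    """Return {value_name: command} from a .reg export of a single key."""
    values = {}
    for line in reg_text.splitlines():
        m = REG_VALUE_RE.match(line.strip())
        if m:
            # .reg files double every backslash inside string data.
            values[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return values


def match_indicators(run_values, files):
    """Return a list of human-readable hits; empty list means no indicator matched."""
    hits = []
    for name, command in run_values.items():
        if name.lower() in RUN_VALUE_NAMES:
            hits.append(f"run-key: {name} -> {command}")
    for path in files:
        if path.lower() in ROOT_LOGS:
            hits.append(f"marker file: {path}")
        elif UP_EXE_RE.search(path):
            hits.append(f"worm copy: {path}")
    return hits


def collect_live():
    """Gather the real inputs on a Windows host (no-op elsewhere)."""
    if sys.platform != "win32":
        return {}, []
    import os
    import winreg
    values = {}
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
    i = 0
    while True:
        try:
            name, data, _ = winreg.EnumValue(key, i)
        except OSError:
            break
        values[name] = str(data)
        i += 1
    system32 = os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"), "system32")
    files = [os.path.join(system32, f) for f in os.listdir(system32)]
    files += [os.path.join("C:\\", f) for f in os.listdir("C:\\")]
    return values, files


if __name__ == "__main__":
    for hit in match_indicators(parse_run_key(SAMPLE_REG), SAMPLE_FILES):
        print(hit)
```

Run it as-is to see the three hits in the constructed sample; on a Windows host replace the sample inputs with the result of collect_live(). A match on the Run key alone is enough to treat the machine as infected, since none of these value names belongs to legitimate software.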

Find out more at this McAfee page.

According to F-Secure, Sasser is an Internet worm spreading through the MS04-011 (LSASS) vulnerability.

This vulnerability is caused by a buffer overrun in the Local Security Authority Subsystem Service, and will affect all machines that are:

--Running Windows XP or Windows 2000
--Not patched against this vulnerability
--Connected to the Internet without a firewall

A sign of infection is the existence of a file named 'C:\win.log' (later variants write 'C:\win2.log') and frequent crashes of 'LSASS.EXE'.

Sasser generates traffic on TCP ports 445, 5554 and 9996.

More information is at this F-Secure page.

Trend Micro has declared a Red alert to control the spread of the Sasser malware. Several infection reports have been received indicating that this worm is spreading across the globe.

This worm exploits the Windows LSASS vulnerability, which is a buffer overrun that allows remote code execution and enables an attacker to gain full control of affected systems. This vulnerability is discussed in detail in the following pages:
MS04-011_MICROSOFT_WINDOWS
Microsoft Security Bulletin MS04-011

To propagate, this worm sends a specially-crafted packet to TCP port 445 of random IP addresses, skipping certain RFC 1918-reserved addresses. The packet causes a buffer overrun on vulnerable systems, which results in the execution of a remote shell listening on TCP port 9996. The worm then commands that remote shell to download a copy of the worm from the infecting host via FTP on TCP port 5554.
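Because TCP 445 is ordinary SMB traffic on a Windows network, the port alone is not a useful signal; what distinguishes an infected host is the three-step sequence described above: many outbound connections to port 445 across distinct targets, a follow-up connection to port 9996 on one of those targets, and an inbound connection from that target to port 5554. The Python below is an added example, not code from Trend Micro or from this page, and it runs over constructed firewall connection log lines in a simple hypothetical format; it also serves the McAfee and F-Secure port lists given earlier.

```python
"""Correlate connection logs into the Sasser propagation sequence.

Hypothetical log format (constructed for this example):
    <time> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <flags>
"""
import re
from collections import defaultdict, namedtuple

Conn = namedtuple("Conn", "src sport dst dport proto")

LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>TCP|UDP)"
)

# Constructed sample: 10.0.0.7 behaves like an infected host, 10.0.0.9 does not.
SAMPLE_LOG = """\
10:00:01 10.0.0.7:1068 -> 198.51.100.12:445 TCP SYN
10:00:01 10.0.0.7:1069 -> 198.51.100.13:445 TCP SYN
10:00:01 10.0.0.7:1070 -> 198.51.100.14:445 TCP SYN
10:00:01 10.0.0.7:1071 -> 198.51.100.15:445 TCP SYN
10:00:02 10.0.0.7:1072 -> 198.51.100.16:445 TCP SYN
10:00:02 10.0.0.7:1073 -> 198.51.100.12:9996 TCP SYN
10:00:03 198.51.100.12:1041 -> 10.0.0.7:5554 TCP SYN
10:00:05 10.0.0.9:3250 -> 10.0.0.5:445 TCP SYN
10:00:06 10.0.0.9:3251 -> 10.0.0.5:139 TCP SYN
"""


def parse_log(text):
    """Parse log lines into Conn tuples, ignoring lines that do not match."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            conns.append(Conn(m["src"], int(m["sport"]), m["dst"],
                              int(m["dport"]), m["proto"]))
    return conns


def find_sasser_propagators(conns, scan_threshold=5):
    """Return {host: [stages]} for hosts matching the propagation pattern.

    Stages are reported in the order the worm performs them:
      scan445   - connected to >= scan_threshold distinct targets on TCP/445
      shell9996 - connected to TCP/9996 on a host it had just scanned
      ftp5554   - that same host connected back to TCP/5554 (the FTP fetch)
    """
    scanned = defaultdict(set)   # src -> targets hit on 445
    shelled = defaultdict(set)   # src -> targets hit on 9996
    fetched = defaultdict(set)   # infector -> victims that pulled from its 5554
    for c in conns:
        if c.proto != "TCP":
            continue
        if c.dport == 445:
            scanned[c.src].add(c.dst)
        elif c.dport == 9996:
            shelled[c.src].add(c.dst)
        elif c.dport == 5554:
            fetched[c.dst].add(c.src)

    findings = {}
    for host in sorted(set(scanned) | set(shelled) | set(fetched)):
        stages = []
        if len(scanned[host]) >= scan_threshold:
            stages.append("scan445")
        if shelled[host] & scanned[host]:
            stages.append("shell9996")
        if fetched[host] & shelled[host]:
            stages.append("ftp5554")
        if stages:
            findings[host] = stages
    return findings


if __name__ == "__main__":
    for host, stages in find_sasser_propagators(parse_log(SAMPLE_LOG)).items():
        print(host, "->", ", ".join(stages))
```

The scan threshold is a tuning knob: a patch-management server legitimately talks to many hosts on 445, but it never follows that with a connection to 9996 on the same target, so a host that reaches the shell9996 or ftp5554 stage is the one to isolate first. Adapt LINE_RE to your firewall's actual log format.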

Technical details are at this Trend Micro page.

--Compiled by Esther Shein

