Info:  Main    About    Contact    Sitemap

Mini-sites: Viruses        Cookies        Firewalls        Popups        Privacy        Safety       Spam       Spyware
   

Home

Store

How to Protect Yourself from Viruses

Antivirus Reviews

Antivirus FAQs

Antivirus Checklist

Antivirus Top 10 Tips

Antivirus Tutorial

Kazaa the Virus Desktop

Worms vs. Viruses

Virus Glossary

 

Today's Alerts

Antivirus Testing

Virus Scan

Security Directory

Virus Threats

Virus Removal Tools

Virus Hoaxes

Antivirus Links

Newsletter

 

 
 

W32.Sasser.B.Worm

Note: Norton Antivirus 2003 Professional and Norton Personal Firewall 2003 or Norton Internet Security 2003 is the only full defense for this worm.  You can also download a  Sasser removal tool, but remember this is a worm not just a virus.


W32.Sasser.B.Worm is a variant of W32.Sasser.Worm. It attempts to exploit the LSASS vulnerability described in Microsoft Security Bulletin MS04-011. This worm spreads by scanning randomly selected IP addresses of vulnerable systems.

W32.Sasser.B.Worm differs from W32.Sasser.Worm as follows:

  • Uses a different mutex: Jobaka3.
  • Uses a different file name: avserve2.exe.
  • Has a different MD5.
  • Creates a different value in the registry: "avserve2.exe."
Notes:
  • The MD5 hash value of this worm is 0x1A2C0E6130850F8FD9B9B5309413CD00.
  • Symantec Security Response has developed a removal tool to clean the infections of W32.Sasser.B.Worm.
  • Block TCP ports 5554, 9996, and 445 at the perimeter firewall and install the appropriate Microsoft patch (MS04-011) to prevent the remote exploitation of the vulnerability.

W32.Sasser.B.Worm can run on, but not infect, Windows 95/98/Me computers. Although these operating systems cannot be infected, they can still be used to infect the vulnerable systems to which they are able to connect. In this case, the worm will waste a lot of resources so that programs cannot properly run, including our removal tool. (On Windows 95/98/Me computers, the tool should be run in Safe mode.)


Security Response has upgraded W32.Sasser.B.Worm to a Category 4 from a Category 3 based on an increased submission rate.

 
Also Known As: WORM_SASSER.B [Trend], W32/Sasser.worm.b [McAfee], Worm.Win32.Sasser.b [Kaspersky], W32/Sasser-B [Sophos], Win32.Sasser.B [Computer Associates], Sasser.B [F-Secure], W32/Sasser.B.worm [Panda], Win32/Sasser.B.worm [RAV], W32/Sasser.B [F-Prot]
Variants: W32.Sasser.Worm
Type: Worm
Infection Length: 15,872 bytes
Systems Affected: Windows 2000, Windows XP
Systems Not Affected: DOS, Linux, Macintosh, Novell Netware, OS/2, UNIX, Windows 3.x, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003
CVE References: CAN-2003-0533

THREAT ASSESSMENT

Wild:

  • Number of infections: More than 1000
  • Number of sites: More than 10
  • Geographical distribution: High
  • Threat containment: Easy
  • Removal: Moderate

 

Damage

  • Payload Trigger: n/a
  • Payload: n/a
    • Large scale e-mailing: n/a
    • Deletes files: n/a
    • Modifies files: n/a
    • Degrades performance: Causes significant performance degradation
    • Causes system instability: n/a
    • Releases confidential info: n/a
    • Compromises security settings: n/a

Distribution

  • Subject of email: n/a
  • Name of attachment: n/a
  • Size of attachment: n/a
  • Timestamp of attachment: n/a
  • Ports: TCP 445, 5554, 9996
  • Shared drives: n/a
  • Target of infection: Unpatched systems vulnerable to LSASS exploit - MS04-011.

TECHNICAL DETAILS

When W32.Sasser.B.Worm runs, it does the following:

  1. Attempts to create a mutex named JumpallsNlsTillt and exits if the attempt fails. This ensures that no more than one instance of the worm can run on a computer at any time.
  2. Attempts to create a mutex named Jobaka3. This mutex does not serve any apparent purpose.
  3. Copies itself as %Windir%\Avserve2.exe.
    Note: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.

  4. Adds the value:

    "avserve2.exe"="%Windir%\avserve2.exe"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the worm runs when you start Windows.
  5. Uses the AbortSystemShutdown API to hinder the attempts to shut down or restart the computer.
  6. Starts an FTP server on TCP port 5554. This server is used to spread the worm to other hosts.
  7. Iterates through all the host IP addresses, looking for addresses without any of the following:
    • 127.0.0.1
    • 10.x.x.x
    • 172.16.x.x - 172.31.x.x (inclusive)
    • 192.168.x.x
    • 169.254.x.x
  8. Using one of these IP addresses, the worm then generates a random IP address.
    • 52% of the time, the IP address is completely random.
    • 23% of the time, the last three octets are changed to random numbers.
    • 25% of the time, the last two octets are changed to random numbers.
      Notes:
    • An octet is an 8-bit section of an IP address. For example, if A.B.C.D is an IP address, A is the first octet, B is the second, C is the third, and D is the fourth.
    • Because the worm can create completely random addresses, any IP range can be infected.
    • This process is composed of 128 threads, which demands a lot of CPU time. As a result, an infected computer may become so slow and barely usable.

  9. Connects to the randomly generated IP address on TCP port 445 to determine whether a remote computer is online.
  10. If a connection is made to a remote computer, the worm will send shell code to it, which may cause it to open a remote shell on TCP port 9996.
  11. Uses the shell on the remote computer to reconnect to the infected computer's FTP server, running on TCP port 5554, and to retrieve a copy of the worm. This copy will have a name consisting of four or five digits, followed by _up.exe. For example, 74354_up.exe.
  12. The Lsass.exe process will crash after the worm exploits the Windows LSASS vulnerability. Windows will display the alert and shut down the system in one minute.
  13. Creates a file at C:\win2.log that contains the IP address of the computer that the worm most recently attempted to infect, as well as the number of infected computers.



Symantec Firewall/VPN 100/200 Series
By default, Symantec's stateful inspection firewall technology prevents an attacker from accessing TCP/445 on internal systems and the backdoor ports on the infected systems (TCP/5554, TCP/9996).


RECOMMENDATIONS

All users and administrators should adhere to the following basic security "best practices":

  • Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
  • If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.


Removal using the W32.Sasser Removal Tool
Symantec Security Response has developed a removal tool to clean the infections of W32.Sasser.B.Worm. Use this removal tool first, as it is the easiest way to remove this threat.

Manual Removal
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

  1. End the malicious process (Windows NT/2000/XP).
  2. Disable System Restore (Windows XP).
  3. Update the virus definitions.
  4. Run a full system scan and delete all the files detected as W32.Sasser.B.Worm.
  5. Reverse the change made to the registry.
For details on each of these steps, read the following instructions.

1. To end the malicious process
On Windows NT/2000/XP computers, you must first end the malicious process:
  1. Press Ctrl+Alt+Delete once.
  2. Click Task Manager.
  3. Click the Processes tab.
  4. Double-click the Image Name column header to alphabetically sort the processes.
  5. Scroll through the list and look for the following processes:
    • avserve2.exe
    • any process with a name consisting of four or five digits, followed by _up.exe (for example, 74354_up.exe).
  6. If you find any such process, click it, and then click End Process.
  7. Exit the Task Manager.
2. To disable System Restore (Windows XP)
If you are running Windows XP, we recommend that you temporarily turn off System Restore. Windows XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation, or "How to turn off or turn on Windows XP System Restore"
Note: When you are completely finished with the removal procedure and are satisfied that the threat has been removed, re-enable System Restore by following the instructions in the aforementioned documents.
.

3. To update the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:

  • Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate.

4. To scan for and delete the infected files
  1. Start your Symantec antivirus program and make sure that it is configured to scan all the files.
  2. Run a full system scan.
  3. If any files are detected as infected with W32.Sasser.B.Worm, click Delete.

5. To reverse the change made to the registry
WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.
  1. Click Start, and then click Run. (The Run dialog box appears.)
  2. Type regedit

    Then click OK. (The Registry Editor opens.)
  3. Navigate to the key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  4. In the right pane, delete the value:

    "avserve2.exe"="%Windir%\avserve2.exe"
  5. Exit the Registry Editor.

©2000-2004 by SurferBeware.com. All rights reserved.
Hosting provided by Digital Crossing, inc.

   Internet Content Rating Association

Top Threats

 3 

07-26

W32.Mydoom.M@mm

 3 

07-19

W32.Beagle.AG@mm

 3 

07-15

W32.Beagle.AB@mm

 3 

06-01

W32.Korgo.F
 

SPONSORS