InfoSec



W32.Sasser worm and variants

Description

W32.Sasser and its variants are worms that attempt to exploit the Microsoft Windows LSASS vulnerability described in Microsoft Security Bulletin MS04-011.

Several variants have been discovered by antivirus vendors:

The worm spreads by scanning randomly chosen IP addresses and attempting to connect to a vulnerable computer on TCP port 445. If the connection succeeds, it sends a specially crafted packet to exploit this vulnerability.

Once a computer is attacked by the worm, the following message boxes may appear:

The worm uses the exploit to open a remote shell listening on TCP port 9996. It connects to this port and uses the shell to create an FTP script called "cmd.ftp" in the system directory of the infected computer. The script instructs the infected computer to download and execute a copy of the worm via FTP. The FTP server listens on TCP port 5554 on every infected computer so that it can serve the worm to other computers as they are infected. Transactions through the FTP server are logged to 'C:\win.log'.

The worm variants also exhibit slight differences. The specific characteristics of each variant are described below:
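The propagation pattern above (a sweep of TCP 445, then a shell connection on 9996 and an FTP pull on 5554) is easy to spot in connection logs. The following script is an added example, not code from this page or from any antivirus vendor; it assumes a constructed record format of "epoch src dst dport proto" and the threshold values are arbitrary choices for illustration.

```python
"""Flag Sasser-like behaviour in connection records (example code, not from the page)."""
from collections import defaultdict

SCAN_PORT = 445        # LSASS exploit is delivered over TCP 445
SHELL_PORT = 9996      # remote shell the worm opens on a newly hit host
FTP_PORT = 5554        # FTP server every infected host runs to serve the worm
SCAN_THRESHOLD = 20    # distinct port-445 targets within WINDOW seconds (assumed)
WINDOW = 60

def parse_record(line):
    """Parse a constructed 'epoch src dst dport proto' record."""
    ts, src, dst, dport, proto = line.split()
    return int(ts), src, dst, int(dport), proto.lower()

def analyze(records):
    """Return {host: set(reasons)} for hosts showing Sasser-like traffic."""
    scans = defaultdict(list)      # src -> [(ts, dst)] of port-445 connections
    flagged = defaultdict(set)
    for line in records:
        ts, src, dst, dport, proto = parse_record(line)
        if proto != "tcp":
            continue
        if dport == SCAN_PORT:
            scans[src].append((ts, dst))
        elif dport == SHELL_PORT:          # infector drives the victim's shell
            flagged[src].add("connects to remote shell port 9996")
            flagged[dst].add("exposes remote shell on port 9996")
        elif dport == FTP_PORT:            # victim fetches the worm from the infector
            flagged[src].add("downloads from worm ftp port 5554")
            flagged[dst].add("serves worm on ftp port 5554")
    for src, events in scans.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {d for t, d in events[i:] if t - t0 <= WINDOW}
            if len(targets) >= SCAN_THRESHOLD:
                flagged[src].add("scans TCP 445 across many hosts")
                break
    return dict(flagged)

# Constructed sample: 10.0.0.5 sweeps 30 hosts on 445, compromises 10.0.3.7,
# which then pulls the worm back over FTP; 10.0.0.8 has one ordinary SMB session.
SAMPLE_LOG = [f"10835000{i:02d} 10.0.0.5 10.0.3.{i} 445 tcp" for i in range(1, 31)] + [
    "1083500040 10.0.0.5 10.0.3.7 9996 tcp",
    "1083500041 10.0.3.7 10.0.0.5 5554 tcp",
    "1083500050 10.0.0.8 10.0.0.20 445 tcp",
]

if __name__ == "__main__":
    for host, reasons in sorted(analyze(SAMPLE_LOG).items()):
        print(host, "->", ", ".join(sorted(reasons)))
```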

W32.Sasser.A worm

The worm also copies itself as avserve.exe and adds the value:

"avserve.exe"="%Windir%\avserve.exe"

to the registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

so that it runs when you start Windows.

W32.Sasser.B worm

The worm also copies itself as avserve.exe and adds the value:

"avserve2.exe"="%Windir%\avserve.exe"

to the registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

so that it runs when you start Windows.
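The Run and RunServices entries listed for both variants are what a responder would look for on a suspect host. The following script is an added example (not code from this page or from Symantec): it parses a registry export in .reg text form, which is a constructed sample here with the %Windir% path already expanded, and reports any value under those keys that uses the value names or file name shown above.

```python
"""Check a .reg export for the Sasser persistence entries (example code, not from the page)."""
import re

RUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
}
# Value names and file name listed for W32.Sasser.A and W32.Sasser.B on this page.
SUSPECT_NAMES = {"avserve.exe", "avserve2.exe"}
SUSPECT_DATA = re.compile(r"\\avserve\d*\.exe\s*$", re.IGNORECASE)

def parse_reg(text):
    """Yield (key, value_name, data) for each string value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = re.match(r'"(.+?)"="(.*)"$', line)
            if m:
                # .reg files double every backslash; undo that for comparison
                yield key, m.group(1), m.group(2).replace("\\\\", "\\")

def find_sasser_entries(text):
    """Return [(key, name, data)] entries under the Run keys matching the indicators."""
    hits = []
    for key, name, data in parse_reg(text):
        if key in RUN_KEYS and (name.lower() in SUSPECT_NAMES or SUSPECT_DATA.search(data)):
            hits.append((key, name, data))
    return hits

# Constructed sample export: one legitimate entry and the two entries from the page.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"avserve2.exe"="C:\\WINDOWS\\avserve.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"avserve.exe"="C:\\WINDOWS\\avserve.exe"
'''

if __name__ == "__main__":
    for key, name, data in find_sasser_entries(SAMPLE_REG):
        print(f"{key}\n  {name} = {data}")
```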

Affected System

Payload

Solution

  1. For an infected computer:

    If the "Shutdown in 60 seconds" dialog keeps appearing, click Start / Run and execute the command 'shutdown -a' to cancel the shutdown temporarily.

  2. Common steps for all unpatched computers:

    Download and install the Microsoft Windows LSASS vulnerability patch.

    Note: It is advised to download the patch on a Win98 / WinME PC or an already patched PC and transfer it to the infected system via floppy diskette or CD-R. This is safer.

    Please choose ONLY ONE download, matching your Windows platform and language:

    Windows 2000 (Eng):
    http://www.microsoft.com/downloads/details.aspx?FamilyId=0692C27E-F63A-414C-B3EB-D2342FBB6C00&displaylang=en

    Windows 2000 (Traditional Chi):
    http://www.microsoft.com/downloads/details.aspx?displaylang=zh-tw&FamilyID=0692C27E-F63A-414C-B3EB-D2342FBB6C00

    Windows XP Home and Windows Professional Edition (Eng):
    http://www.microsoft.com/downloads/details.aspx?FamilyId=3549EA9E-DA3F-43B9-A4F1-AF243B6168F3&displaylang=en

    Windows XP Home and Windows Professional Edition (Traditional Chi):
    http://www.microsoft.com/downloads/details.aspx?displaylang=zh-tw&FamilyID=3549EA9E-DA3F-43B9-A4F1-AF243B6168F3

    Windows Server 2003 (Eng):
    http://www.microsoft.com/downloads/details.aspx?FamilyId=3549EA9E-DA3F-43B9-A4F1-AF243B6168F3&displaylang=en

    Windows Server 2003 (Traditional Chi):
    http://www.microsoft.com/downloads/details.aspx?displaylang=zh-tw&FamilyID=3549EA9E-DA3F-43B9-A4F1-AF243B6168F3

    Other Windows platforms:
    http://www.microsoft.com/technet/security/Bulletin/MS04-011.mspx

    When the download is completed, the installation starts. Click the "Next" button until "Finish". The computer will then reboot.

  3. Scanning and Cleaning the worm

    1. After the system restarts, prepare the Symantec worm cleaning program on the Desktop for later use.

      1. The worm cleaning program can be downloaded at this URL:
        http://securityresponse.symantec.com/avcenter/FxSasser.exe

        Note: It is advised to download the cleaning program on a Win98 / WinME PC or an already patched PC and transfer it to the infected system via floppy diskette or CD-R. This is safer.

      2. When downloading, select "Save File", then save to "Desktop", then "Save". A program icon is shown on the desktop.

    2. WinXP machines must turn off "System Restore" according to the following steps before running the cleaning program (skip for Win2000 and WinNT):

      1. Click Start > Programs > Accessories > Windows Explorer

      2. Right-click My Computer, and then click Properties.

      3. Click the System Restore tab.

      4. Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box

      5. Click Apply and then click Yes.

      6. Click OK.

    3. Running the worm cleaning program in Safe Mode ensures that no worm file is locked by the system, so it can be removed without problem.

      1. Reboot the computer.

      2. Press "F8" repeatedly during the reboot until the boot selection menu is shown.

      3. Choose "Safe Mode".

      4. After entering Safe Mode, run "FxSasser.exe", which is stored on the desktop.

      5. Press "Start" to start scanning. Scanning runs until completion.

      6. Restart the computer to "Normal Mode".

  4. Restore the WinXP configuration to normal (skip for Win2000 and WinNT)

    1. Click Start.

    2. Right-click My Computer, and then click Properties.

    3. Click the System Restore tab. Uncheck the "Turn off System Restore" or "Turn off System Restore on all drives" check box.

    4. Click Apply, and then click OK.

    5. Restart the computer.

At this point, the infected computer should have been recovered. Since the patch has also closed the Windows LSASS security hole, the computer is immune to any new worm variants that attack it.

However, the following optional recommendation can further improve your protection.


Optional Recommended Steps to handle W32.Sasser worm

Configure Firewall to filter network traffic

Related Link(s)

For more information, please refer to the following websites.

Information from Computer Associates (A, B)
Information from F-Secure (A, B)
Information from McAfee (A, B)
Information from Sophos (A, B)
Information from Symantec (A, B)
Information from Trend Micro (A, B)


Copyright 2009. The Government of the Hong Kong Special Administrative Region.