Results 1 to 2 of 2

Thread: The Next Blaster Worm

  1. #1
    muchspl2
    Guest
    http://vil.nai.com/vil/content/v_125007.htm
    Virus Name  Risk Assessment 
    W32/Sasser.worm  Corporate User  :  Medium 
    Home User  :  Medium 



    Virus Information 
    Discovery Date:  04/30/2004 
    Origin:  Unknown 
    Length:  15,872 bytes 
    Type:  Virus 
    SubType:  Internet Worm 
    Minimum DAT: 4355 (05/01/2004) 
    Updated DAT: 4355 (05/01/2004) 
    Minimum Engine:  4.2.40 
    Description Added:  04/30/2004 
    Description Modified:  05/02/2004 11:45 AM (PT) 
    Description Menu 
    Virus Characteristics 
    Symptoms 
    Method Of Infection 
    Removal Instructions 
    Variants / Aliases 
    Rate This page 
        Print This Page 
    Email This Page 
    Legend 



    Virus Characteristics: 
    -- Update May 1st, 2004 --
    The assessment of this threat has been upgraded to Medium due to an increase in prevalence

    If you think that you may be infected with this threat, and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present. 

    Note: Infected systems should install the Microsoft update to be protected from the exploit used by this worm. See:
    http://www.microsoft.com/technet/security/...n/MS04-011.mspx



    This self-executing worm spreads by exploiting a Microsoft Windows vulnerability [MS04-011 vulnerability (CAN-2003-0533)]

    The worm spreads with the file name: avserve.exe .  Unlike many recent worms, this virus does not spread via email.  No user intervention is required to become infected or propagate the virus further.  The worm works by instructing vulnerable systems to download and execute the viral code.

    Top of Page

    Symptoms 
    The virus copies itself to the Windows directory as avserve.exe and creates a registry run key to load itself at startup

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "avserve.exe" = C:\WINDOWS\avserve.exe
    As the worm scans random ip addresses it listens on successive TCP ports starting at 1068.  It also acts as an FTP server on TCP port 5554, and creates a remote shell on TCP port 9996.

    A file named win.log is created on the root of the C: drive.  This file contains the IP address of the localhost.

    Copies of the worm are created in the Windows System directory as #_up.exe.

    Examples

    c:\WINDOWS\system32\11583_up.exe
    c:\WINDOWS\system32\16913_up.exe
    c:\WINDOWS\system32\29739_up.exe
    A side-effect of the worm is for LSASS.EXE to crash, by default such system will reboot after the crash occurs.  The following Window may be displayed:




  2. Software & Hardware   -   #2
    UcanRock2's Avatar Phantom Gander
    Join Date
    Sep 2003
    Location
    "Out West"
    Age
    61
    Posts
    871
    Isn't it nice... brain deads are at it again!!!

    Computer illiterate people who can't make a computer work as it is...then we get people who have to screw it up for them, plus us as well.

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •