Thread: Sasser Worm - Highly Infectious

  1. #11
    Rat Faced
    Originally posted by lynx@5 May 2004 - 09:58
    Microsoft announced the problem and released the fix on April 13.

    They then re-issued the warning on April 28, and the Sasser worm was released into the wild on April 29. Anyone else think this sounds suspicious?

    The worm exploits a hole in Local Security Authority Subsystem Service. Why does this service have ANY access to the internet?

    Quite frankly, the whole thing stinks.
    I'm sure that Microsoft would never dream of releasing a worm that will affect every Windows operating system except those updated, which means knocking most illegal copies of Windows XP offline.....


    ...... I'm sure it was pure coincidence that they got the fix out just before the worm was released, and told everyone to update.


    :helpsmile:

    An It Harm None, Do What You Will

  2. The Drawing Room   -   #12
    namzuf9
    Oops, I got this one and twigged onto it within an hour.
    My bro works for a software development team and it took their "specialists" 2 days to come up with a solution when my brother told them the remedy the same day.
    Freaking M$ and their damn vulnerable closed source software. Bloody RPC and DCOM. Damn patches released too damn late. Damn script kiddies, let's see a real challenge that makes new virus definitions and patches worthless. Give us a good polymorph to play with.

  3. The Drawing Room   -   #13
    clocker
    I'm sure that Microsoft would never dream of releasing a worm that will affect every Windows operating system except those updated, which means knocking most illegal copies of Windows XP offline.....
    Huh?
    That never seemed to stop me from updating (not that I would do that anymore, of course, and I am clearly uberl33t...whatever the hell that means).

    ...... I'm sure it was pure coincidence that they got the fix out just before the worm was released, and told everyone to update
    Go ahead, admit it...the worm was released by a man on the grassy knoll, right?
    "I am the one who knocks."- Heisenberg

  4. The Drawing Room   -   #14
    SeK612
    I updated my system a few days ago after seeing a post on this forum about new patches released by MS. I haven't come into contact with the virus but have heard it's affected a few companies around the world.

  5. The Drawing Room   -   #15
    Originally posted by namzuf9@6 May 2004 - 00:57
    Oops, I got this one and twigged onto it within an hour.
    My bro works for a software development team and it took their "specialists" 2 days to come up with a solution when my brother told them the remedy the same day.
    Freaking M$ and their damn vulnerable closed source software. Bloody RPC and DCOM. Damn patches released too damn late. Damn script kiddies, let's see a real challenge that makes new virus definitions and patches worthless. Give us a good polymorph to play with.
    This is the best thing I have found to get rid of the M$ stuff

    Gibson Research, is M$ anti devil

    3 nice tools to stop DCOM, UPnP and Windows Messenger

    http://www.grc.com/default.htm

  6. The Drawing Room   -   #16
    lynx
    Originally posted by 4play@5 May 2004 - 14:03
    @ lynx lsass is used by Internet Explorer, that's why it can be remotely exploited.
    Not so.

    If you've got an unpatched lsass.exe (and no firewall) you can get infected without running internet explorer. That happened to my friend, he went online to get his mail (he uses Eudora before anyone comments on links with Outlook Express).

    IE may use lsass, but I can see NO need for lsass to have internet access. Client for Microsoft Networks doesn't usually get internet access because it isn't needed and would be dangerous; the same should be true for lsass.

    Lsass is part of windows directory services and as such uses port 445. It generates the process which performs user validation for the Winlogon service - do you really think that's a good service to have available from the internet?

    Edit:
    Microsoft announced the problem and released the fix on April 13.

    They then re-issued the warning on April 28, and the Sasser worm was released into the wild on April 29. Anyone else think this sounds suspicious?
    I was not suggesting that Microsoft released the Sasser worm, merely that they knew of its existence before it was loose. If that's the case they could have given much more advance warning about the worm.
    .
    Political correctness is based on the principle that it's possible to pick up a turd by the clean end.

  7. The Drawing Room   -   #17
    Rat Faced
    Originally posted by clocker@6 May 2004 - 01:49
    I'm sure that Microsoft would never dream of releasing a worm that will affect every Windows operating system except those updated, which means knocking most illegal copies of Windows XP offline.....
    Huh?
    That never seemed to stop me from updating (not that I would do that anymore, of course, and I am clearly uberl33t...whatever the hell that means).

    ...... I'm sure it was pure coincidence that they got the fix out just before the worm was released, and told everyone to update
    Go ahead, admit it...the worm was released by a man on the grassy knoll, right?
    If your serial number was from a "list", then you're very lucky if you can use update; if from a keygen then there shouldn't be any problems...which is why I said "most"


    Now that you mention it, you often get worms in Grassy Knolls..

    An It Harm None, Do What You Will

  8. The Drawing Room   -   #18
    I had this the other day. I noticed my folding project hadn't moved all day and checked the task manager. I found between 6 and 10 instances of it running at one time (kept fluctuating), which was strange because it seems I read only 1 could run at a time.

    It did not shut down or restart my computer either, even though I keep reading that this is what it does. I searched for the process and came up with this and was quite impressed that I had caught something that was reported 2 days before. Usually I don't get these until they have been out a while.

    I also got something yesterday called rasoutou(sp?) and came up with conflicting reports as to whether it was a virus or not. Some sites say it is a valid Windows process (some kind of dialer) and others say it is a virus. I have never seen it before and it was using 90% of my processor. Strange thing is that I am completely up to date with everything and this was an old (6 months or more) problem.

    Also strange that I got the sasser because windows update keeps saying I don't need anything

    TD
    Peace of mind Findnot

    No time to work out? Try Folding instead.

  9. The Drawing Room   -   #19
    Rat Faced
    Well, it is Microsoft.

    I wouldn't be surprised if their "fix" to stop the new Sasser worm actually invites the old one onto your system


    An It Harm None, Do What You Will

  10. The Drawing Room   -   #20
    BigBank_Hank
    Today I keep getting attempts to infect my computer with this virus. I caught it 3 times in about an hour and again later on during the day. I'm running Norton Internet Security so luckily it stops it before it gets to me. My question is: I have the jerk's ISP, IP, City, State, and Postal Zip code, but what can I do with this information? I'm not into all the hacking stuff so I wouldn't know what to do with the IP and stuff like that. Any suggestions?
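
The point in lynx's post (port 445 should not be reachable from the internet) and the repeated blocked attempts BigBank_Hank describes can both be checked from a firewall log. The following is an added example, not part of any post in this thread: it tallies TCP connections to port 445 from outside sources, assuming the Windows Firewall text-log layout with a `#Fields:` header; the function name, addresses and log lines are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Sources in these ranges count as "inside" (RFC 1918); adjust per network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ACCEPTED = {"OPEN", "OPEN-INBOUND", "ALLOW"}   # action names vary by Windows version

# Constructed sample in the Windows Firewall log layout; not real traffic.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2004-05-06 10:01:12 DROP TCP 198.51.100.23 203.0.113.10 3021 445 48 S 123456 0 64240 - - -
2004-05-06 10:01:15 DROP TCP 198.51.100.23 203.0.113.10 3022 445 48 S 123457 0 64240 - - -
2004-05-06 10:02:40 DROP TCP 198.51.100.77 203.0.113.10 4410 445 48 S 223456 0 64240 - - -
2004-05-06 10:03:02 DROP UDP 198.51.100.23 203.0.113.10 1026 137 78 - - - - - - -
2004-05-06 10:04:09 OPEN TCP 203.0.113.10 192.0.2.80 1055 80 - - - - - - - -
2004-05-06 10:05:30 DROP TCP 192.168.1.20 203.0.113.10 2210 445 48 S 323456 0 64240 - - -
2004-05-06 10:06:44 OPEN TCP 198.51.100.99 203.0.113.10 2750 445 - - - - - - - -
"""

def port445_from_outside(log_text, local_ip, port="445"):
    """Count TCP connections to local_ip:port from non-internal sources, by outcome."""
    fields, result = [], {"blocked": Counter(), "accepted": Counter()}
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]            # column names drive the parsing
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if (row.get("protocol"), row.get("dst-ip"), row.get("dst-port")) != ("TCP", local_ip, port):
            continue
        try:
            src = ipaddress.ip_address(row["src-ip"])
        except (KeyError, ValueError):
            continue                             # malformed line: skip it
        if any(src in net for net in INTERNAL_NETS):
            continue
        if row.get("action") == "DROP":
            result["blocked"][str(src)] += 1
        elif row.get("action") in ACCEPTED:      # reached the service: port is exposed
            result["accepted"][str(src)] += 1
    return result

if __name__ == "__main__":
    print(port445_from_outside(SAMPLE_LOG, "203.0.113.10"))
```

Any entry under `accepted` means port 445 is reachable from outside and should be closed at the firewall; `blocked` entries are the attempts the firewall stopped.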
