| Virus type: | Worm |
| Destructive: | No |
| Aliases: | W32/Sasser.worm.b, W32.Sasser.B.Wrm, W32/Sasser.B |
| Pattern file needed: | 883 (1.883.00) OPR |
| Scan engine needed: | 6.500 |
| Overall Risk Ranking: | Very High |
| Reported Infections: | High |
| Damage Potential: | High |
| Distribution Potential: | High |
As of May 2, 2004 10:07 PM (PST), TrendLabs has declared a Red alert to control the spread of this malware. Several infection reports have been received indicating that this worm is spreading across the globe.

This worm exploits the Windows LSASS vulnerability, a buffer overrun that allows remote code execution and enables an attacker to gain full control of affected systems. This vulnerability is discussed in detail in Microsoft Security Bulletin MS04-011.

To propagate, this worm sends a specially crafted packet to TCP port 445 of random IP addresses. However, it skips certain RFC 1918-reserved addresses. The packet causes a buffer overrun on vulnerable systems, which results in the execution of a remote shell that opens port 9996. This worm commands the remote shell to download its copy from the original infected source via port 5554 using FTP.

This worm can cause LSASS to crash and force Windows to restart.

Important: Trend Micro advises users to apply the critical patch related to the Windows LSASS vulnerability, which is available at the following Microsoft page: microsoft.com/technet/security/bulletin/ms04-011.mspx
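As an added example (not part of the Trend Micro advisory), the following Python sketch applies the propagation sequence described above to constructed connection-log lines and flags a source host once it shows the 445-probe, 9996-shell and 5554-FTP pattern. The log format, the field layout and the scan threshold are assumptions.

```python
import re
from collections import defaultdict
# Constructed sample connection log (not real traffic): time proto src:port -> dst:port
SAMPLE_LOG = """\
2004-05-02T22:01:03 tcp 198.51.100.7:1033 -> 203.0.113.10:445
2004-05-02T22:01:03 tcp 198.51.100.7:1034 -> 203.0.113.11:445
2004-05-02T22:01:04 tcp 198.51.100.7:1035 -> 203.0.113.12:445
2004-05-02T22:01:05 tcp 198.51.100.7:1036 -> 203.0.113.12:9996
2004-05-02T22:01:06 tcp 203.0.113.12:1029 -> 198.51.100.7:5554
2004-05-02T22:02:00 tcp 192.168.1.20:2000 -> 192.168.1.5:445
2004-05-02T22:02:01 tcp 192.168.1.20:2001 -> 192.168.1.5:445
"""

LINE_RE = re.compile(r"^\S+ tcp (\S+):(\d+) -> (\S+):(\d+)$")

def parse(log):
    """Yield (src, dst, dport) for each well-formed line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(3), int(m.group(4))

def analyze(log, scan_threshold=3):
    """Return {source host: [stages seen]} for hosts matching the Sasser.B pattern."""
    probed = defaultdict(set)   # src -> peers it contacted on TCP 445
    shell = defaultdict(set)    # src -> peers it contacted on TCP 9996
    fetch = defaultdict(set)    # src -> peers that connected to src on TCP 5554
    for src, dst, dport in parse(log):
        if dport == 445:
            probed[src].add(dst)
        elif dport == 9996:
            shell[src].add(dst)
        elif dport == 5554:
            fetch[dst].add(src)
    report = {}
    for host in set(probed) | set(shell) | set(fetch):
        stages = []
        if len(probed[host]) >= scan_threshold:   # spraying 445 at many distinct peers
            stages.append("smb_scan")
        if shell[host] & probed[host]:            # came back for the shell on a probed peer
            stages.append("shell_9996")
        if fetch[host] & probed[host]:            # probed peer pulled the worm copy over FTP
            stages.append("ftp_5554")
        if stages:
            report[host] = stages
    return report

if __name__ == "__main__":
    for host, stages in sorted(analyze(SAMPLE_LOG).items()):
        print(host, "->", ", ".join(stages))
```

The direction of the port 5554 connection matters: it flows from the newly compromised peer back toward the scanning host, which is what separates the FTP fetch stage from ordinary outbound traffic.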
Network VirusWall protects customers against this threat by:
- Isolating machines that have not yet applied the MS04-011 security update through Vulnerability Assessment Rule 101.
- Blocking TCP ports 9996 and 5554 and the malware file AVSERVE2.EXE through Outbreak Prevention Policy 111.
- Detecting this worm at the network layer. CFW/NVW pattern 10125 enables Network VirusWall to detect the virus at the network layer; all infected packets are dropped by the appliance.
- Removing the malware registry entry through Damage Cleanup Template 332. Network VirusWall accelerates the cleanup process by automatically pinpointing sources of infection and instructing Trend Micro Control Manager to initiate a cleanup.
1) Trend Micro's Vulnerability Assessment pattern #10 detects and reports all machines that have not yet applied patch MS04-011.
2) Users and administrators are strongly advised to block TCP ports 5554 and 9996 to prevent the transfer of the SASSER worm from infected systems to unpatched machines.
To automatically remove this malware from your system, please use the Trend Micro Damage Cleanup Services. Download the tool from the following link: trendmicro.com/download/dcs.asp
Note: The following two procedures apply to Windows NT, 2000,
and XP systems. For systems running Windows 95, 98, and ME, please proceed to the section
Restarting in Safe Mode.
Identifying the Malware Program (For Windows NT, 2000, and XP only)
To remove this malware, first identify the malware program.
1) Scan your system with your Trend Micro antivirus product.
2) Note all files detected as WORM_SASSER.B.
Trend Micro customers need to download the latest pattern file before scanning their system. Other Internet users may use HouseCall, Trend Micro's free online virus scanner.
This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier.
1) Open Windows Task Manager by pressing CTRL+SHIFT+ESC, then click the Processes tab.
2) In the list of running programs, locate the malware file(s) detected earlier.
3) Select one of the detected files, then press the End Process button.
4) Do the same for all detected malware files in the list of running processes.
5) To check if the malware process has been terminated, close Task Manager, and then open it again.
6) Close Task Manager.
Restarting in Safe Mode
On Windows 95
1) Restart your computer.
2) Press F8 at the "Starting Windows 95" message.
3) Choose Safe Mode from the Windows 95 Startup Menu, then press Enter.
On Windows 98/ME
1) Restart your computer.
2) Press the CTRL key until the Windows 98 startup menu appears.
3) Choose the Safe Mode option, then press Enter.
Removing autostart entries from the registry prevents the malware from executing during startup.
1) Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
2) In the left panel, double-click the following: HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
3) In the right panel, locate and delete the entry or entries:
avserve2.exe = %Windows%\avserve2.exe
(Note: %Windows% refers to the Windows folder, which is usually C:\Windows or C:\WINNT.)
4) Close Registry Editor.
NOTE: If you were not able to terminate the malware process as described in the previous procedure, restart your system.
Users and administrators are strongly advised to block TCP ports 5554 and 9996 to prevent the transfer of the SASSER worm from infected systems to unpatched machines.
Scan your system with Trend Micro antivirus and delete all files detected as WORM_SASSER.B. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.
Download the latest patches. Information on the vulnerability exploited by this malware and the corresponding patch can be found in Microsoft Security Bulletin MS04-011.
For product-specific solutions, please refer to Solution 19751 of the Trend Micro Knowledge Base.
For additional information about this threat, see Technical Details.