Sasser Internet worm on the loose
Saturday May 1, 2004
As predicted, the Sasser Internet worm was discovered spreading early on the morning of May 01. Sasser is the first in-the-wild exploit of the MS04-011 vulnerability (CAN-2003-0907).
For patch details, see:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
The worm impacts the following OS:
- Windows XP
- Windows 2000
- Windows 2000 Advanced Server SP4
Anecdotal evidence suggests Win9x is also impacted. Vulnerable systems that are patched or sit behind a suitably configured firewall will not be impacted.
Sasser creates 128 separate threads to scan IP ranges in search of vulnerable systems and, when one is found, creates a buffer overflow condition, after which it drops an FTP script (cmd.ftp) to the impacted system and executes it. The script then downloads and executes the worm from the infecting host.
Possible impact:
Sluggish system, reduced availability of bandwidth. LSASS.EXE may crash, causing a reboot of the infected system.
Symptoms of infection:
WIN.LOG created on the root of C:\ (contains IP of localhost)
Presence of avserve.exe (the worm)
MD5 of avserve.exe: 0xA73C16CCD0B9C4F20BC7842EDD90FC20
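As an added illustration (not part of the original advisory), a small Python check for the two host indicators listed above: WIN.LOG in the drive root and any avserve.exe, whose MD5 is compared with the hash given above. The sample directory tree and the 192.0.2.10 address are constructed for the demo and are assumptions.

```python
import hashlib
import os
import tempfile

# MD5 of avserve.exe as published in the advisory (0x prefix dropped,
# lower-case hex so it compares directly with hashlib output).
SASSER_AVSERVE_MD5 = "a73c16ccd0b9c4f20bc7842edd90fc20"

def md5_of(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_sasser_indicators(root):
    """Return (indicator, path, detail) tuples for the two host artifacts the
    advisory names: WIN.LOG in the drive root and any avserve.exe on disk."""
    findings = []
    win_log = os.path.join(root, "WIN.LOG")
    if os.path.isfile(win_log):
        with open(win_log, "r", errors="replace") as f:
            findings.append(("WIN.LOG", win_log, f.read().strip()))
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == "avserve.exe":
                path = os.path.join(dirpath, name)
                if md5_of(path) == SASSER_AVSERVE_MD5:
                    detail = "MD5 matches the advisory"
                else:
                    detail = "MD5 differs: variant or unrelated file, inspect manually"
                findings.append(("avserve.exe", path, detail))
    return findings

def demo():
    """Build a constructed infected-looking tree and run the check over it."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "WIN.LOG"), "w") as f:
        f.write("192.0.2.10\n")  # constructed localhost IP, as WIN.LOG holds
    os.makedirs(os.path.join(root, "WINDOWS"))
    with open(os.path.join(root, "WINDOWS", "avserve.exe"), "wb") as f:
        f.write(b"MZ-not-the-real-worm")  # constructed stand-in; hash differs
    return check_sasser_indicators(root)

if __name__ == "__main__":
    for indicator, path, detail in demo():
        print(f"{indicator}: {path} ({detail})")
```

Run it against a real drive root (for example `check_sasser_indicators("C:\\")`) to sweep a suspect machine; a file named avserve.exe with a non-matching hash still deserves a look, since variants will not match the published MD5.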
Vendor descriptions: Symantec | McAfee | Trend Micro
~ by Mary Landesman