Slashdot Mirror

← Back to Stories (view on slashdot.org)

Sasser Worm Disruption Growing

Posted by CmdrTaco on from the thanks-again-microsoft dept.

thebra writes "Yet another virus is causing problems with Internet Explorer. "Sasser, unlike a virus which travels through e-mails and attachments, spreads directly from the internet."A removal tool can be found here."

23 of 999 comments (clear)

  1. Internet Explorer? by Anonymous Coward · · Score: 5, Informative

    Sasser doesn't affect IE.

  2. Removal tool by Mindtoy · · Score: 5, Informative

    Another removal tool made by Network ASSociates can be found at: http://vil.nai.com/vil/stinger/ I've used it on a number of a machines with no problem. It only scans files (no registry). It fits on a floppy and it's free. It'll even run on machines that already have virus protection, good if someone hasn't updated their definitions and can't get on the internet. It's updated anytime a new baddy comes out, but you have to redownload the EXE file since it doesn't check for updates.

  3. Don't blame Internet Explorer this time by joeykiller · · Score: 5, Informative

    The original poster is not correct when claiming Internet Explorer has a problem. This time it's a hole in the so called "Local Security Authority Subsystem Service" that's causing problems.

    See this and this for more details.

  4. Not exactly a 0-day exploit by Zog+The+Undeniable · · Score: 4, Informative
    If you applied last month's critical patches OR you have a working firewall - even the basic XP one - you won't get it.

    Everyone with a Windows machine should sign up for MS's monthly security e-mail or religiously check Windows Update on the second Tuesday of each month. I won't go as far as recommending automatic updates, though.

    --
    When I am king, you will be first against the wall.
    1. Re:Not exactly a 0-day exploit by Proaxiom · · Score: 4, Informative
      An unfortunate factor of this worm is that the patch that fixes the exploited vulnerability - MS04-011, has been found to have stability problems and other issues in the field.

      This has caused many administrators to be hesitant to install it. Bugtraq had a discussion of the problems in April.

  5. Re:I have a question by manavendra · · Score: 5, Informative

    You mean other than scanning random IP addresses on successive TCP ports starting at 1068 and making copies of itself?

    Well, it also acts as an FTP server on TCP port 5554, and creates a remote shell on TCP port 9996.

    It further makes copies of itself in the %Windows% directory.

    Oh and finally, it causes LSASS.EXE to crash, and by default this causes your system to reboot. Repeatedly.

    --
    http://efil.blogspot.com/
  6. Re:Direct? by orbit0r · · Score: 5, Informative

    What could be more "directly from the Internet" than email?

    An exploit connecting directly to port 445 of a host and not requiring any user-intervention to become infected.

  7. Re:Could Sasser possibly affect Linux? by Aliencow · · Score: 5, Informative

    You would have to run the LSASS Service under Wine...and I don't know why you would want to do that !

  8. firewall to the rescue by steve.m · · Score: 4, Informative

    It looks like it exploits LSASS.EXE by scanning for a listening port 445. Good job I've got all incoming blocked by default.

    Roll on XP SP2 with the firewall on by default for everyone, then hopefully things like this will go away....

  9. Re:Direct? by gunnk · · Score: 5, Informative

    Email gets picked up by your email client. An email virus must then be run from the message either by opening the attachment or (for some Outlook versions) by having Outlook open it for you. Even just receiving a copy of an email virus requires that you run your email client.

    In the case of the Sasser worm, it is using an open port to crawl directly into your computer when you connect to the internet. There is no action required on the part of the user and no infected file to load. Windows simple accepts the connection and installs the worm.

    That's why worms are "more directly from the internet" than email-based viruses.

    --
    Life is short: void the warranty.
  10. Re:I have a question by nordicfrost · · Score: 4, Informative

    Well, for one, it bogs down your network to a mush of syrup. All that looking for other hosts to infect really takes up a lot of capacity on the network. And the Sasser.D version is up to 1024 threads pr. CPU, up from 128 in the Sasser.B version...

  11. Re:Windows only by Hrothgar+The+Great · · Score: 5, Informative

    People have short memories. There was an Apache worm about two years ago (in mod_ssl).

    Here is a link

    Of course, worms like that are few and far between, especially when compared to the number of Windows worms going about lately, but to claim a system is "worm free by nature"? I think that's more than a little premature.

  12. Problems are with windows, not IE by T.Hobbes · · Score: 5, Informative
    A few things:
    • It's a worm, not a virus
    • It's attacks Windows, not IE (despite Microsoft's efforts, there is still a distinction)
    • For the user, the main damage is that the infected computer will shut down; I have no reference, but shutdown loops have been reported
    • For the admin, the main damage is the flood of trafic sent out by the worm in search of new hosts
    • The worm can use Win98/WinME boxes to propegate but cannot infect those same computers

    Google cache of McAfee's page on the worm
    One of symantec's pages

  13. BEWARE NT4 TS + Citrix admins!! by SlashDread · · Score: 4, Informative

    The patch from MS : http://www.microsoft.com/technet/security/bulletin /MS04-011.mspx

    just BSOD'ed my Citrix server.

    YMMV

    "/Dread"

    1. Re:BEWARE NT4 TS + Citrix admins!! by Rick.C · · Score: 4, Informative
      There's a Terminal-Server-specific security rollup patch (SRP) that must be applied first. Check the MS MS04-011 page.

      I would hope that MS04-011 would check for the presence of the SRP, but who knows?

      --
      You were 80% angel, 10% demon. The rest was hard to explain. - Over The Rhine
      "Math in a song is good."-Linford
  14. Re:Microsoft's "fixes" by getling · · Score: 5, Informative

    Umm...why did you install MS04-014 instead of MS04-011? Maybe you got confused, like /. about what in the world this "poorly written" worm is attacking....

    --
    "Life is tough but we're tougher. You only get what you give, so give all that you've got." --Tony LaRussa
  15. Re:I have a question by interiot · · Score: 4, Informative

    Just a note regarding 0-day exploits: SysInternals (the people who brought you filemon, regmon, etc) write BGInfo, a low-CPU no-memory way of displaying important system properties. If you do have it installed, you can tell it to display the timestamp of the file C:\Program Files\WindowsUpdate\V4\iuhist.xml, which should be the last time WindowsUpdate was run, helping remind you to run it frequently.

  16. Re:What ARE Win98SE users supposed to do? by gregarican · · Score: 4, Informative

    Just like the ASN.1 vulnerability that is patched through one of the recent Microsoft patches. Supposedly Win98/ME PC's aren't affected by the issue. But looking at my company's Win98 PC's I saw the msasn1.dll file present. And researching things a little bit I saw that the standard implementation of the ASN.1 command parser is affected on any and all platforms. From a Nortel H.323 gateway to a Cisco router to a Windows 2003 Server to a Windows 98 PC.

    This was months ago that I read this. I called into the Microsoft PCSAFETY toll free number and a tech indeed acknowledged that Windows 98 and ME PC's were vulnerable. And they e-mailed me a link to download the patch (not one of the hoax e-mails either, so no jokes!!). Since then I deployed it to all of my Windows 98 PC's and know that they are at the same standard as the Windows 2000 and XP machines.

    What kind of company releases patches and leaves out some client versions that are still safe from the EOL cycle? That's what Microsoft did with the ASN.1 patch.

    And what kind of company releases patches that obviously weren't tested on clients that were running USB storage, DLT storage, and IPSec agents? Look at the KB835732 patch. It broke all of these driver loads, leaving patched PC's running at 99% CPU utilitization after rebooting.

    Nice, really nice. Risk stability and compatibility issues versus being exposed to an Internet-borne worm. I'm not blaming Microsoft for having vulnerabilities. All OS'es do to one degree or another. But I am blaming them for leaving our client versions and not thoroughly testing code they should've been working on for 5 months.

  17. Re:Sassier *is* a virus by American+AC+in+Paris · · Score: 5, Informative
    It seems that we've been living in the land of email worms for so long that most people don't know how to deal with a real virus. Yeah, that's what they do... they spread without your help. Geez!

    No, that's inaccurate.

    Worms can spread to other machines on their own. Viruses require some external intervention (such as file sharing or e-mail) to spread to other machines. See this entry in the Jargon File for a more verbose answer.

    Now, many of the latest e-mail "worms" would be better classified as viruses or trojan horses, as they are incapable of infecting other hosts without direct user intervention (i.e., opening an attachment.) They've been (IMHO) mis-labeled as worms because they display worm-like behavior once they've infected a machine--that is, they mail copies of themselves as trojan-style attachments to other users.

    So yes, the Sasser worm is a bona-fide worm. It transmits itself to other systems without any external help.

    --

    Obliteracy: Words with explosions

  18. Auto updates and quick patches by truthsearch · · Score: 5, Informative

    Autoupdates and immediate patching aren't options for large corporate networks. Patches often break existing applications. Even after extensive testing some patches have caused more problems than they fixed. Windows Update sends enough information back to Microsoft for them to determine what's installed on our private network, so we block it from running.

    It takes weeks to test a patch and push it out. Servers often can't be rebooted until weekends. Then there are users with special situations that require manual installs. It takes time to do hundreds of installs manually. It also takes time to get the patch onto the standard corporate "build" of Windows, so for a while new computers need the patch pushed out after logging into the network the first time, leaving a gaping hole for this virus to spread.

    --
    Developers: We can use your help.
  19. Re:Windows only by Tin+Foil+Hat · · Score: 4, Informative

    PS: Tried fooling the script at windows update site by changing browser identification, but this only prevented the thank you message, didn't allowed to download the patch

    That's because windows update installs via an ActiveX object. Only IE can run that. You probably downloaded the ActiveX object, but since it can't run without IE, it didn't download the update. If you need to download the update separately, check out the adminstrator section of windows update. MS provides all updates as a separate download that you can burn to a disk and install that way.

    --
    No matter how many of my rights are taken away, somehow I still don't feel safe. -Frigid Monkey
  20. Re:Yeah..you're telling me... by Smidge204 · · Score: 4, Informative

    No, but if the cops can't run a plate or license number check during a routine traffic stop, you won't know if there's a warrent out on the guy for a series of violent crimes.

    Just an example. The ability for the police to do thier job in any capacity relies on the ability to get and share information. It's pretty rare that the cop actually witnesses the mugging, but a witness description, cross referenced with other reports from the head office, might lead to the ID of a suspect.
    =Smidge=

  21. Two huge gaping problems by Aslan72 · · Score: 5, Informative
    Sasser.d attacked our University last night and we noticed two particular things.

    1) Several groups were relying on SUS in order to get those patched distributed. If you go into SUS, the patches were 'approved' on one screen, not on the other. I wasn't alone in seeing this. Suffice to say, I was also a bit shocked when it started to blow through and none of my machines were protected.

    2) When it installs (sasser.d) it writes itself to 'System Volume Information' - allowing it to not get caught by NAI's on demand scanner, and re-infect the box if you don't do a C drive scan manually.

    --pete