
OT: What You Should Know About the Sasser Worm and Its Variants

 
 
warthog

 
      05-04-2004, 10:59 AM
http://www.microsoft.com/security/incident/sasser.asp

What You Should Know About the Sasser Worm and Its Variants
Published: May 1, 2004 | Updated: May 3, 2004 - 6:30 P.M. Pacific Time

Software Affected
Windows XP, Windows XP Service Pack 1 (SP1)
Windows 2000 SP2, Windows 2000 SP3, Windows 2000 SP4

Software Not Affected
Windows XP 64-Bit Edition Version 2003
Windows Server™ 2003
Windows XP 64-Bit Edition SP1
Windows Millennium Edition
Windows 98 Second Edition
Windows 98
Windows NT® 4.0 SP6a

Microsoft teams have confirmed that the Sasser worm (W32.Sasser.A and its
variants) is currently circulating on the Internet. Microsoft has verified
that the worm exploits the Local Security Authority Subsystem Service
(LSASS) issue that was addressed by the security update released on April 13
in conjunction with Microsoft Security Bulletin MS04-011.


 
Alec McKenzie

 
      05-04-2004, 11:20 AM
"warthog" <(E-Mail Removed)> wrote:

> Software Affected
> Windows XP, Windows XP Service Pack 1 (SP1)
> Windows 2000 SP2, Windows 2000 SP3, Windows 2000 SP4
>
> Software Not Affected
> Windows XP 64-Bit Edition Version 2003
> Windows Server™ 2003
> Windows XP 64-Bit Edition SP1
> Windows Millennium Edition
> Windows 98 Second Edition
> Windows 98
> Windows NT® 4.0 SP6a


For completeness, you could add to the Software Not Affected:

Everything that is not Microsoft Windows

--
Alec McKenzie
(E-Mail Removed)
 
Gareth not NLL or anybody else.

 
      05-04-2004, 11:44 AM

"warthog" <(E-Mail Removed)> wrote in message
news:c77t34$kec$(E-Mail Removed)...
> http://www.microsoft.com/security/incident/sasser.asp
>
> What You Should Know About the Sasser Worm and Its Variants
> Published: May 1, 2004 | Updated: May 3, 2004 - 6:30 P.M. Pacific Time
>
> Software Affected
> Windows XP, Windows XP Service Pack 1 (SP1)
> Windows 2000 SP2, Windows 2000 SP3, Windows 2000 SP4
>
> Software Not Affected
> Windows XP 64-Bit Edition Version 2003
> Windows Server™ 2003
> Windows XP 64-Bit Edition SP1
> Windows Millennium Edition
> Windows 98 Second Edition
> Windows 98
> Windows NT® 4.0 SP6a
>
> Microsoft teams have confirmed that the Sasser worm (W32.Sasser.A and its
> variants) is currently circulating on the Internet. Microsoft has verified
> that the worm exploits the Local Security Authority Subsystem Service
> (LSASS) issue that was addressed by the security update released on April 13
> in conjunction with Microsoft Security Bulletin MS04-011.
>
>


New worm
W32/Sasser-A, Sasser, W32/Sasser.worm, Win32.Sasser.A, W32.Sasser.Worm

This worm exploits the Windows LSASS vulnerability, which is a buffer
overrun that allows remote code execution and enables an attacker to gain
full control of the affected system. This vulnerability is discussed in
detail in the following pages: To propagate, it scans the network for
vulnerable systems. When it finds a vulnerable system, this malware sends a
specially crafted packet to produce a buffer overflow on LSASS.EXE. Since
this malware produces a buffer overflow in LSASS.EXE, it causes the said
program to crash and will consequently require Windows to reboot.


This is the patch to protect Windows XP (with SP1) from the above attack:
http://www.microsoft.com/downloads/d...displaylang=en
For other versions of Windows click here:
http://www.microsoft.com/technet/sec.../ms04-011.mspx

Removal instructions can also be found here
http://www.trendmicro.com/vinfo/viru...=WORM_SASSER.A


It has also been reported that it removes a registry entry for the shutdown
button in the Start menu.
To get it back:
Click Start, Run. In the Run box, type "regedit" (without the quotes) and
press Enter. Navigate your way to:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Look in the right-hand window for the entry:
"NoClose"=dword:00000001

If the entry exists, change the "dword:00000001" to "dword:00000000"
If it doesn't exist create a new one

Hope this helps

Gaz
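
The registry fix described in the post above, written as a script; this is an added example, not part of the original thread. It assumes Windows PowerShell 3.0 or later, and the function name `Repair-NoClosePolicy` is hypothetical.

```powershell
# Added example: audit and reset the Explorer "NoClose" policy value
# for the current user. Function name is hypothetical.
function Repair-NoClosePolicy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )

    # Create the key when it is absent, so the value can be written below.
    if (-not (Test-Path -Path $Path)) {
        if ($PSCmdlet.ShouldProcess($Path, 'Create registry key')) {
            New-Item -Path $Path -Force | Out-Null
        }
    }

    # Read the current value; $null means the key or the value does not exist.
    $previous = $null
    if (Test-Path -Path $Path) {
        $item = Get-ItemProperty -Path $Path -Name 'NoClose' -ErrorAction SilentlyContinue
        if ($null -ne $item) { $previous = $item.NoClose }
    }

    # Write NoClose = 0 (DWORD) unless it already has that value.
    # -Force overwrites an existing value and creates a missing one.
    $changed = $false
    if ($previous -ne 0) {
        if ($PSCmdlet.ShouldProcess("$Path\NoClose", 'Set DWORD value to 0')) {
            New-ItemProperty -Path $Path -Name 'NoClose' `
                -PropertyType DWord -Value 0 -Force | Out-Null
            $changed = $true
        }
    }

    # Report what was found and whether anything was modified.
    [pscustomobject]@{
        Path     = $Path
        Previous = $previous
        Changed  = $changed
    }
}

# Dry run first: shows what would be changed without touching the registry.
Repair-NoClosePolicy -WhatIf
```

Run it without `-WhatIf` to apply the change.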


 
Ian Stirling

 
      05-04-2004, 02:49 PM
In uk.telecom.broadband warthog <(E-Mail Removed)> wrote:
> http://www.microsoft.com/security/incident/sasser.asp


Is this the cause of odd ICMP packets that I'm seeing?
 
Conor

 
      05-04-2004, 07:10 PM
In article <c77t34$kec$(E-Mail Removed)>, (E-Mail Removed)
says...

> What You Should Know About the Sasser Worm and Its Variants
> Published: May 1, 2004 | Updated: May 3, 2004 - 6:30 P.M. Pacific Time
>

Microsoft released a patch 2 weeks ago.

Those being affected by it are the usual dumb fucktards unable to keep
their software up to date or even enable the free firewall included in
the OS.



--
Conor

If you're not on somebody's shit list, you're not doing anything
worthwhile.
 
Chris 159

 
      05-04-2004, 07:18 PM

"Conor" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ...

> or even enable the free firewall included in
> the OS.
>



which happens to be neither use nor ornament



 
Mark Ford

 
      05-04-2004, 07:49 PM
"Chris 159" <(E-Mail Removed)> wrote in message
news:c78q8p$32p$(E-Mail Removed)...
>
> "Conor" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed) ...
>
> > or even enable the free firewall included in
> > the OS.
> >

>
>
> which happens to be neither use nor ornament


I was under the impression that the inbuilt firewall was reasonably
effective at blocking unsolicited inbound traffic and would therefore offer
protection against this. Is this not the case?


 
Chris 159

 
      05-04-2004, 07:57 PM

"Mark Ford" <(E-Mail Removed)> wrote in message
news:MtSlc.37432$(E-Mail Removed)...
> "Chris 159" <(E-Mail Removed)> wrote in message
> news:c78q8p$32p$(E-Mail Removed)...
> >
> > "Conor" <(E-Mail Removed)> wrote in message
> > news:(E-Mail Removed) ...
> >
> > > or even enable the free firewall included in
> > > the OS.
> > >

> >
> >
> > which happens to be neither use nor ornament

>
> I was under the impression that the inbuilt firewall was reasonably
> effective at blocking unsolicited inbound traffic and would therefore offer
> protection against this. Is this not the case?
>
>


I used to think this was the case until I read numerous reports that it's
garbage. I then installed a third-party firewall, which consequently picked
up on dozens and dozens of things that the XP firewall was letting through.




 
Dr Zoidberg

 
      05-04-2004, 08:02 PM
Mark Ford wrote:
> "Chris 159" <(E-Mail Removed)> wrote in message
> news:c78q8p$32p$(E-Mail Removed)...
>>
>> "Conor" <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed) ...
>>
>>> or even enable the free firewall included in
>>> the OS.
>>>

>>
>>
>> which happens to be neither use nor ornament

>
> I was under the impression that the inbuilt firewall was reasonably
> effective at blocking unsolicited inbound traffic and would therefore
> offer protection against this. Is this not the case?


It depends on what port the attack in question is coming in on.
If it's one of the standard ports that Windows uses legitimately then it
won't be blocked.
I've not checked in detail about this latest worm as only one of our users
caught it, but I'm pretty sure that the XP firewall would have stopped it.
All our updates are controlled via an SUS server, but the PC in question
was a home user who had been away for a couple of weeks and hadn't used the
machine since the patches were released so the updates hadn't yet installed.
Within 5 minutes of connecting to the net he had found himself infected.

As an aside, XP service pack two allows you to fully customise the firewall
and open and close ports as you see fit.

--
Alex

"We are now up against live, hostile targets"

"So, if Little Red Riding Hood should show up with a bazooka and a bad
attitude, I expect you to chin the bitch! "

www.drzoidberg.co.uk
www.upce.org.uk


 
Steve

 
      05-04-2004, 08:50 PM
On Tue, 04 May 2004 10:59:48 +0000, warthog wrote:

> http://www.microsoft.com/security/incident/sasser.asp
>
>
> Microsoft teams have confirmed that the Sasser worm (W32.Sasser.A and its
> variants) is currently circulating on the Internet. Microsoft has verified
> that the worm exploits the Local Security Authority Subsystem Service
> (LSASS) issue that was addressed by the security update released on April 13
> in conjunction with Microsoft Security Bulletin MS04-011.


And when you install the patch, don't forget to fix what it breaks

http://support.microsoft.com/default...b;EN-US;841382

Don't you just love them.

Oh and of course, don't forget to reboot.


 