OT: What You Should Know About the Sasser Worm and Its Variants

Discussion in 'Broadband' started by warthog, May 4, 2004.

  1. warthog

    warthog Guest

    http://www.microsoft.com/security/incident/sasser.asp

    What You Should Know About the Sasser Worm and Its Variants
    Published: May 1, 2004 | Updated: May 3, 2004 - 6:30 P.M. Pacific Time

    Software Affected
    Windows XP, Windows XP Service Pack 1 (SP1)
    Windows 2000 SP2, Windows 2000 SP3, Windows 2000 SP4

    Software Not Affected
    Windows XP 64-Bit Edition Version 2003
    Windows Server™ 2003
    Windows XP 64-Bit Edition SP1
    Windows Millennium Edition
    Windows 98 Second Edition
    Windows 98
    Windows NT® 4.0 SP6a

    Microsoft teams have confirmed that the Sasser worm (W32.Sasser.A and its
    variants) is currently circulating on the Internet. Microsoft has verified
    that the worm exploits the Local Security Authority Subsystem Service
    (LSASS) issue that was addressed by the security update released on April 13
    in conjunction with Microsoft Security Bulletin MS04-011.
     
    warthog, May 4, 2004
    #1

  2. For completeness, you could add to the Software Not Affected:

    Everything that is not Microsoft Windows
     
    Alec McKenzie, May 4, 2004
    #2

  3. New worm
    W32/Sasser-A, Sasser, W32/Sasser.worm, Win32.Sasser.A, W32.Sasser.Worm

    This worm exploits the Windows LSASS vulnerability, which is a buffer
    overrun that allows remote code execution and enables an attacker to gain
    full control of the affected system. This vulnerability is discussed in
    detail in the following pages: To propagate, it scans the network for
    vulnerable systems. When it finds a vulnerable system, this malware sends a
    specially crafted packet to produce a buffer overflow on LSASS.EXE. Since
    this malware produces a buffer overflow in LSASS.EXE, it causes the said
    program to crash and will consequently require Windows to reboot.


    This is the patch to protect Windows XP (with SP1) from the above attack
    http://www.microsoft.com/downloads/...9E-DA3F-43B9-A4F1-AF243B6168F3&displaylang=en
    For other versions of Windows click here
    http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

    Removal instructions can also be found here
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SASSER.A


    It has also been reported that it removes a registry entry for the shutdown
    button in the Start menu.
    To get it back
    Click Start, Run. In the Run box, type "regedit" (without the quotes) and
    press Enter. Navigate your way to:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\
    Explorer

    Look in the right-hand window for the entry:
    "NoClose"=dword:00000001

    If the entry exists, change the "dword:00000001" to "dword:00000000"
    If it doesn't exist create a new one

    Hope this helps

    Gaz
     
    Gareth not NLL or anybody else., May 4, 2004
    #3
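A PowerShell version of the registry fix described in the post above, added here as an example and not code from the original post. It assumes it is run as the affected user (the key lives under HKCU) and, unlike the manual regedit steps, it records the previous value so the change can be logged.

```powershell
# Added example (not from the original post): restore the Start-menu shutdown
# button that the post says Sasser hides via the NoClose policy value.
# Assumption: run as the affected user, with permission to edit HKCU.
$keyPath   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$valueName = 'NoClose'

# Create the Explorer policy key if it is missing, so the value can be written.
if (-not (Test-Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# Read the current NoClose value; $null means the value does not exist.
$current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName

if ($null -eq $current) {
    # Value absent: an absent policy is equivalent to 0, but the post says to
    # create it explicitly, so write REG_DWORD 0.
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 0 | Out-Null
    Write-Output "NoClose did not exist; created it as dword:00000000."
}
elseif ($current -ne 0) {
    # Value set (1 hides the shutdown button): reset to 0 and report the old
    # value so the incident record shows what the worm had changed.
    Set-ItemProperty -Path $keyPath -Name $valueName -Value 0
    Write-Output "NoClose was $current; reset to 0 (shutdown button restored)."
}
else {
    Write-Output "NoClose already 0; nothing to do."
}
```

Log out and back in (or restart Explorer) for the Start menu to pick up the change.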
  4. Ian Stirling Guest

    Ian Stirling, May 4, 2004
    #4
  5. Conor Guest

    Microsoft released a patch 2 weeks ago.

    Those being affected by it are the usual dumb fucktards unable to keep
    their software up to date or even enable the free firewall included in
    the OS.
     
    Conor, May 4, 2004
    #5
  6. Chris 159 Guest


    which happens to be neither use nor ornament
     
    Chris 159, May 4, 2004
    #6
  7. Mark Ford Guest

    I was under the impression that the inbuilt firewall was reasonably
    effective at blocking unsolicited inbound traffic and would therefore offer
    protection against this. Is this not the case?
     
    Mark Ford, May 4, 2004
    #7
  8. Chris 159 Guest

    I used to think this was the case until I read numerous reports that it's
    garbage. I then installed a third-party firewall which consequently picked
    up on dozens and dozens of things that the XP firewall was letting through.
     
    Chris 159, May 4, 2004
    #8
  9. Dr Zoidberg Guest

    It depends on what port the attack in question is coming in on.
    If it's one of the standard ports that Windows uses legitimately then it
    won't be blocked.
    I've not checked in detail about this latest worm as only one of our users
    caught it, but I'm pretty sure that the XP firewall would have stopped it.
    All our updates are controlled via an SUS server, but the PC in question
    was a home user who had been away for a couple of weeks and hadn't used the
    machine since the patches were released so the updates hadn't yet installed.
    Within 5 minutes of connecting to the net he had found himself infected.

    As an aside, XP Service Pack 2 allows you to fully customise the firewall
    and open and close ports as you see fit.

    --
    Alex

    "We are now up against live, hostile targets"

    "So, if Little Red Riding Hood should show up with a bazooka and a bad
    attitude, I expect you to chin the bitch! "

    www.drzoidberg.co.uk
    www.upce.org.uk
     
    Dr Zoidberg, May 4, 2004
    #9
  10. Steve Guest

    And when you install the patch, don't forget to fix what it breaks

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;841382

    Don't you just love them.

    Oh and of course, don't forget to reboot.
     
    Steve, May 4, 2004
    #10
  11. Neil Barker Guest

    Nothing in this thread has anything to do with buying and selling
    computer related hardware and software and is thus off-topic for
    uk.adverts.computer - please watch where you cross-post it to.
     
    Neil Barker, May 4, 2004
    #11
  12. Er, actually the pre-service pack (CD) releases of 2k and XP aren't
    affected by this worm. It's presumably just *another* service
    pack/patch bug that's only just showed up. Microsoft's 'improvements'
    never cease to amaze me.
     
    Paul Burridge, May 4, 2004
    #12
  13. Steve Guest

    Why don't you tell that to the OP?

    Also, it was marked OT. You don't sell MS products, perchance?
     
    Steve, May 5, 2004
    #13
  14. Neil Barker Guest

    Why ? I let it go for a while to see if it would just die out.

    Just because it is marked "OT" does not make it right.
    Uk.adverts.computer is still the wrong place for this to be posted.
     
    Neil Barker, May 5, 2004
    #14
  15. simon Guest

    Get a grip man.

    OT posts only seem to bother a few for some reason. If it says OT just
    ignore it, unless you have so much time on your hands that you can't.
     
    simon, May 5, 2004
    #15
  16. DME Guest

    I think you'll find it bothers more than just a few.

    Normally people who refuse to follow house rules are asked to leave the
    house... Maybe you could find somewhere more suitable for your discussion
    amongst the many thousands of choices.

    I think we should moderate u.a.c. If there's the support then I'll sort it
    out.

    FU's Set.

    Regards.
     
    DME, May 5, 2004
    #16
  17. JULIAN HALES Guest

    around his neck springs to mind
     
    JULIAN HALES, May 5, 2004
    #17
  18. Will you fuckwits stop crossposting your offtopic discussion of
    offtopicness to uk.telecom.broadband, where it is DEFINITELY offtopic.

    FWIW I agree, sticking the OT tag doesn't absolve the OP from
    responsibility, If you take that approach, then usenet descends into
    utter gibberish inside a week.
     
    Mark McIntyre, May 5, 2004
    #18
  19. I frequently get emails purporting to come from MS enclosing updates but
    which contain viruses. How can I be sure that the URLs posted in this
    thread are genuine? I don't want to click on one and get some malware.
     
    Peter Pratten, May 6, 2004
    #19
  20. Duncan Hill Guest

    Type in the URL by hand? If it's in the .microsoft.com domain, it'll be a
    little hard to pick up malware.
     
    Duncan Hill, May 6, 2004
    #20