

   INCIDENT NOTES

CERT-In Incident Note CIIN-2004-06

W32.Sasser worm

Original Issue Date: May 03, 2004
Updated on: August 04, 2004

Type : Worm

Aliases: W32/Sasser.A, W32/Sasser.B, W32/Sasser.D

Severity: High

Systems Affected:

Windows 2000, Windows XP

Overview

The W32.Sasser worm and its variants are spreading widely. The worm exploits the recently published Microsoft LSASS vulnerability described in CERT-In Advisory CIAD-2004-10. Presently known variants are Sasser.A, Sasser.B/C and Sasser.D.

Impact

The worm sets up the following backdoors on infected computers:

  • a remote shell on port 9996/tcp
  • an FTP server on port 5554/tcp

These backdoors may be further exploited by an attacker to gain unauthorized access to infected computers.

Attacked systems may also become unstable, because the buffer overflow attack against LSASS.EXE can crash that process whether or not the exploit attempt succeeds.

Description

This worm takes advantage of a buffer overrun vulnerability in LSASS. Unlike many recent worms, it does not spread via email. The worm scans randomly chosen IP addresses for machines with the LSASS vulnerability (reached over TCP port 445), exploits them, and then instructs the compromised system to download and execute the worm code from the infecting host. No user intervention is required for a system to become infected or to propagate the worm further.

When executed, the worm does the following:

  • Creates one of the following files in the WINDOWS or WINNT directory:
    • Sasser.A: avserve.exe
    • Sasser.B: avserve2.exe
    • Sasser.D: skynetave.exe
  • Some of the variants create a text file and one or more mutexes on the system.
  • Adds a value under the following registry key so that the worm is started at each logon:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    avserve.exe = %WINDIR%\avserve.exe (Sasser.A)

    avserve2.exe = %WINDIR%\avserve2.exe (Sasser.B)

    avserve.exe = %WINDIR%\skynetave.exe (Sasser.D)
  • Some of the variants start an FTP server on TCP port 5554 to distribute the worm executable to newly exploited hosts.
  • The variants scan for other vulnerable machines.
  • The variants may call the AbortSystemShutdown API to prevent the system from rebooting.
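The indicators above (backdoor listeners on 5554/9996, Run values pointing at the dropped files, and a single host fanning out to many addresses on TCP 445) can be checked mechanically. The following is an added example written for this page, not CERT-In's or any vendor's tool. It assumes, as inputs, text captured from `netstat -an` and `reg query` on the Run key, and firewall log lines in a constructed "timestamp src dst proto dport action" format; the scan threshold is an arbitrary tuning value and all sample data is constructed.

```python
"""Triage checks for the Sasser indicators listed in this note.

Added example, not CERT-In code. Assumed (not from the note): host data is
text captured from `netstat -an` and `reg query` on the Run key; the network
view is constructed firewall log lines "<ISO ts> <src> <dst> <proto> <dport>
<action>". The scan threshold is arbitrary. All sample data is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Backdoors named in the Impact section.
BACKDOOR_PORTS = {5554: "FTP server serving the worm body", 9996: "remote shell"}
# Dropped files named in the Description section, lower-cased.
DROPPED_FILES = {"avserve.exe": "Sasser.A", "avserve2.exe": "Sasser.B",
                 "skynetave.exe": "Sasser.D"}
LSASS_PORT = 445  # SMB port over which the LSASS overflow is delivered


def find_backdoor_listeners(netstat_text):
    """Return {port: description} for Sasser backdoor ports found LISTENING."""
    hits = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        # Windows `netstat -an` rows: Proto LocalAddress ForeignAddress State
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue
        if fields[3].upper() != "LISTENING":
            continue
        port = int(fields[1].rsplit(":", 1)[1])
        if port in BACKDOOR_PORTS:
            hits[port] = BACKDOOR_PORTS[port]
    return hits


def find_run_key_droppers(reg_text):
    """Return [(value_name, path, variant)] for Run values naming a dropper."""
    hits = []
    for line in reg_text.splitlines():
        # `reg query` rows: "    <name>    REG_SZ    <data>"
        m = re.match(r"\s*(\S+)\s+REG_(?:EXPAND_)?SZ\s+(.+?)\s*$", line)
        if not m:
            continue
        name, path = m.group(1), m.group(2)
        basename = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if basename in DROPPED_FILES:
            hits.append((name, path, DROPPED_FILES[basename]))
    return hits


def find_lsass_scanners(fw_lines, threshold=20, window=timedelta(seconds=60)):
    """Return {src: distinct_targets} for sources touching >= threshold
    distinct hosts on tcp/445 within window. Sasser picks targets at random,
    so one source fanning out to many hosts on 445 is the signature; a file
    server talking to a single peer on 445 is not flagged."""
    by_src = defaultdict(list)
    for line in fw_lines:
        fields = line.split()
        if len(fields) != 6:
            continue  # constructed format: ts src dst proto dport action
        ts, src, dst, proto, dport, _action = fields
        if proto.lower() != "tcp" or int(dport) != LSASS_PORT:
            continue
        by_src[src].append((datetime.fromisoformat(ts), dst))
    scanners = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {d for t, d in events[i:] if t - t0 <= window}
            if len(targets) >= threshold:
                scanners[src] = len(targets)
                break
    return scanners


# --- constructed sample data ---------------------------------------------
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5554           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9996           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1029        198.51.100.7:445       SYN_SENT
"""
REG_SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    avserve.exe    REG_SZ    C:\WINDOWS\avserve.exe
    ctfmon.exe     REG_SZ    C:\WINDOWS\system32\ctfmon.exe
"""
# One host fanning out to 25 distinct targets on 445 in 25 s, plus benign noise.
FW_SAMPLE = [f"2004-05-03T10:00:{i:02d} 192.0.2.10 198.51.100.{i} tcp 445 DROP"
             for i in range(25)]
FW_SAMPLE += ["2004-05-03T10:00:05 192.0.2.20 198.51.100.5 tcp 445 ALLOW",
              "2004-05-03T10:00:06 192.0.2.20 198.51.100.5 tcp 139 ALLOW"]

if __name__ == "__main__":
    print("backdoors:", find_backdoor_listeners(NETSTAT_SAMPLE))
    print("run keys :", find_run_key_droppers(REG_SAMPLE))
    print("scanners :", find_lsass_scanners(FW_SAMPLE))
```

The host checks only match the file names this note lists, so a renamed dropper is missed; the network check does not depend on file names at all, which is why the 445 fan-out rule is the more durable of the three against new variants.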

Solution

Windows XP and Windows 2000 systems should be patched against the LSASS vulnerability (Microsoft Security Bulletin MS04-011; see CIAD-2004-10). Microsoft has published the patch and removal steps for this worm, and antivirus vendors have released removal tools. Hosts that cannot be patched immediately should have inbound TCP port 445 blocked at the network perimeter; TCP ports 5554 and 9996 should also be blocked and monitored, since connections to them indicate an infected host. Removing the worm files without applying the patch leaves the system open to reinfection.

Microsoft:
http://www.microsoft.com/security/incident/sasser.asp

Symantec:
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html

NAI:
http://vil.nai.com/vil/stinger/

F-Secure:
http://www.f-secure.com/v-descs/sasser.shtml

eEye:
http://www.eeye.com/html/Research/Tools/Download.asp?file=RetinaSasser

References

NAI:
http://vil.nai.com/vil/content/v_125008.htm

Symantec:
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.b.worm.html

F-Secure:
http://www.f-secure.com/v-descs/sasser.shtml

LURHQ:
http://www.lurhq.com/sasser.html

Norman:
http://www.norman.com/Virus/Virus_descriptions/14919/en-us?show=default

Disclaimer
The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003