W32.Sasser and its variants are worms that exploit the Microsoft Windows LSASS
vulnerability addressed by Microsoft Security Bulletin MS04-011.
W32.Sasser worm variants reported by antivirus vendors:
- W32.Sasser.A worm
- W32.Sasser.B worm
- W32.Sasser.C worm (updated on 4 May 2004)
- W32.Sasser.D worm (updated on 4 May 2004)
The worm spreads by scanning randomly chosen IP addresses and attempting
to connect to TCP port 445 on each target. If the connection succeeds, it
sends a specially crafted packet that exploits the LSASS vulnerability.
Once a computer has been attacked by the worm, LSASS error message boxes
may appear (the screenshots that accompanied this advisory are not reproduced here).
The exploit opens a remote shell on the victim, listening on TCP port 9996
(W32.Sasser.A to C) or TCP port 9995 (W32.Sasser.D). The attacking host
connects to this port and uses the shell to create an FTP script named
"cmd.ftp" in the system directory of the newly infected computer. The
script instructs that computer to download and execute a copy of the worm
via FTP. Every infected computer runs an FTP server listening on TCP port
5554 for the purpose of serving the worm to the next computers being
infected. Transactions through this FTP server are logged to 'C:\win.log'.
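The ports listed above (445 for the exploit, 9996/9995 for the shell, 5554 for the worm's FTP server) give a usable network signature. The following is an added example, not code from the HKCERT advisory or from any vendor, showing how to flag Sasser-style propagation in a connection log. The log format, the sample log lines and the scan threshold of 20 distinct targets are assumptions made for the example.

```python
import re
from collections import defaultdict

# Ports taken from the advisory text
LSASS_PORT = 445             # initial exploit of the LSASS vulnerability
SHELL_PORTS = {9996, 9995}   # remote shell: 9996 (Sasser.A-C), 9995 (Sasser.D)
FTP_PORT = 5554              # FTP server on an infected host serving the worm body
SCAN_THRESHOLD = 20          # assumed: distinct 445 targets from one source before we call it scanning

# Assumed log format: "<timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> tcp"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+tcp$"
)


def parse_line(line):
    """Return (src_ip, dst_ip, dst_port) for a matching line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("src"), m.group("dst"), int(m.group("dport"))


def analyze(lines):
    """Map each host IP to the set of Sasser indicators observed for it."""
    targets_445 = defaultdict(set)   # src -> distinct hosts it touched on 445
    findings = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                 # skip lines that do not match the format
        src, dst, dport = parsed
        if dport == LSASS_PORT:
            targets_445[src].add(dst)
        elif dport in SHELL_PORTS:
            # attacker connecting to the shell the exploit opened on the victim
            findings[src].add("connects_to_victim_shell")
            findings[dst].add("exploited_shell_contacted")
        elif dport == FTP_PORT:
            # victim fetching the worm (cmd.ftp) from the attacker's FTP server
            findings[dst].add("serves_worm_ftp")
            findings[src].add("downloads_worm_ftp")
    for src, dsts in targets_445.items():
        if len(dsts) >= SCAN_THRESHOLD:
            findings[src].add("scans_445")
    return dict(findings)


def likely_infected(findings):
    """Hosts whose indicators match the worm's propagation pattern."""
    infected = set()
    for host, inds in findings.items():
        if "scans_445" in inds or "serves_worm_ftp" in inds:
            infected.add(host)       # actively spreading
        elif {"exploited_shell_contacted", "downloads_worm_ftp"} <= inds:
            infected.add(host)       # just compromised: shell used, then worm fetched
    return infected


# Constructed sample log (not real traffic): 10.0.0.5 is an infected host,
# 10.0.0.77 its new victim, 10.0.0.9 a user legitimately using file server 10.0.0.2.
SAMPLE_LOG = [
    f"2004-05-04T10:00:{i:02d} 10.0.0.5:{1100 + i} -> 192.168.{i}.{(i * 37) % 251 + 1}:445 tcp"
    for i in range(25)               # random-looking 445 scan
]
SAMPLE_LOG += [
    "2004-05-04T10:01:00 10.0.0.5:1200 -> 10.0.0.77:445 tcp",    # exploit
    "2004-05-04T10:01:01 10.0.0.5:1201 -> 10.0.0.77:9996 tcp",   # attacker uses the shell
    "2004-05-04T10:01:03 10.0.0.77:1030 -> 10.0.0.5:5554 tcp",   # victim runs cmd.ftp
    "2004-05-04T10:02:00 10.0.0.9:1050 -> 10.0.0.2:445 tcp",     # benign SMB
    "2004-05-04T10:02:05 10.0.0.9:1051 -> 10.0.0.2:445 tcp",
    "this line does not match the log format",
]

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for host in sorted(result):
        print(host, sorted(result[host]))
    print("likely infected:", sorted(likely_infected(result)))
```

A single 445 connection is normal SMB traffic, so the scan indicator needs a threshold; the shell-then-FTP sequence is the stronger signal because benign hosts have no reason to speak on 9996, 9995 or 5554.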
Windows 95/98/Me and Windows NT/2000/XP/2003
W32/Sasser-A, W32/Sasser-B and W32/Sasser-D can be removed automatically from Windows 95/98/Me and Windows NT/2000/XP/2003 computers with the following Resolve tools.
Windows disinfector
SASSGUI is a disinfector for standalone Windows computers.
If you are disinfecting several computers, download it, save it to a floppy disk, write-protect the floppy disk and run it from there.
After removing the worm you should install the Microsoft patch MS04-011 or, on single computers, update with all relevant security patches from Windows Update.
Command line disinfector
SASSSFX.EXE is a self-extracting archive containing SASSCLI, a Resolve command line disinfector for use by system administrators on Windows networks. Read the notes enclosed in the self-extractor for details on running this program.
After removing the worm you should install the Microsoft patch MS04-011 or, on single computers, update with all relevant security patches from Windows Update.
Other platforms
To remove W32/Sasser-A, W32/Sasser-B and W32/Sasser-D on other platforms, please follow the instructions for removing worms.
Related Link(s)
For more information, please refer to the following vendor write-ups.
Information from Computer Associates: variants A, B, C, D
Information from F-Secure: variants A, B, C, D
Information from McAfee: variants A, B, C, D
Information from Norman: variants A, B
Information from Sophos: variants A, B, D
Information from Symantec: variants A, B, C, D
Information from Trend Micro: variants A, B, C, D
For more information, please refer to http://www.hkcert.org
News Contact
Service Hotline: (852) 2998 0808
Fax: (852) 2997 7800
Email: [email protected]