Wednesday, August 31, 2016

W32.Sasser.Worm


Brief Description:
--------------------
W32.Sasser.Worm is a worm that spreads by scanning randomly-chosen IP addresses for machines vulnerable to the LSASS exploit. This worm and a couple of its variants have quickly spread worldwide (beginning early May 1st). W32.Sasser.Worm starts an FTP server on TCP port 5554 and generates traffic on TCP ports 445 and 9996. It also starts 128 network scanning threads, most likely causing severe degradation in system performance.

Characteristics:
------------------
When W32.Sasser.Worm runs, it does the following:

-- Attempts to create a mutex called Jobaka3l and exits if the attempt fails. This ensures that no more than one instance of the worm can run on the computer at any time.

-- Copies itself as %Windir%\avserve.exe.

Note: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.

-- Adds the value:
"avserve.exe"="%Windir%\avserve.exe"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the worm runs when you start Windows.

-- Uses the AbortSystemShutdown API to hinder attempts to shut down or restart the computer.

-- Starts an FTP server on TCP port 5554. This server is used to spread the worm to other hosts.

-- Attempts to connect to randomly-generated IP addresses on TCP port 445. If a connection is made to a computer, the worm sends shellcode to that computer which may cause it to run a remote shell on TCP port 9996. The worm then uses the shell to cause the computer to connect back to the FTP server on port 5554 and retrieve a copy of the worm. This copy will have a name consisting of 4 or 5 digits followed by _up.exe (e.g. 74354_up.exe).
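The items above give a compact set of host indicators: the mutex name, the dropped binary, the Run value, the two listening ports and the NNNNN_up.exe naming of the fetched copy. The following is an added triage example, not code from the original post; it assumes the host facts have already been collected into a plain dict (the keys 'mutexes', 'files', 'run_values' and 'listening_tcp' are this example's own convention, not any tool's output format), and the two snapshots it checks are constructed.

```python
import ntpath
import re

# Indicators of compromise as stated in the write-up.
SASSER_MUTEX = "Jobaka3l"
SASSER_BINARY = "avserve.exe"
SASSER_RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SASSER_RUN_VALUE = "avserve.exe"
SASSER_LISTENERS = {
    5554: "FTP server that serves the worm to new victims",
    9996: "remote shell opened by the exploit",
}
# Name of the copy fetched by a newly exploited host: 4 or 5 digits + _up.exe
DROPPED_COPY_RE = re.compile(r"^\d{4,5}_up\.exe$", re.IGNORECASE)


def triage_host(snapshot):
    """Match a host snapshot against the Sasser indicators.

    `snapshot` is an assumed, tool-neutral dict:
      'mutexes'       iterable of mutex names present on the host
      'files'         iterable of full Windows paths
      'run_values'    {registry_key_path: {value_name: value_data}}
      'listening_tcp' iterable of local TCP ports in LISTEN state
    Returns a list of (indicator_kind, detail) tuples, one per hit.
    """
    hits = []

    if SASSER_MUTEX in set(snapshot.get("mutexes", ())):
        hits.append(("mutex", SASSER_MUTEX))

    for path in snapshot.get("files", ()):
        name = ntpath.basename(path)  # ntpath handles backslash paths on any OS
        if name.lower() == SASSER_BINARY:
            hits.append(("file", path))
        elif DROPPED_COPY_RE.match(name):
            hits.append(("dropped_copy", path))

    run = snapshot.get("run_values", {}).get(SASSER_RUN_KEY, {})
    for value_name, data in run.items():
        # Match on the value name or on the executable it points to.
        if (value_name.lower() == SASSER_RUN_VALUE
                or ntpath.basename(data).lower() == SASSER_BINARY):
            hits.append(("registry_run", f"{value_name}={data}"))

    for port in snapshot.get("listening_tcp", ()):
        if port in SASSER_LISTENERS:
            hits.append(("listener", f"{port}/tcp ({SASSER_LISTENERS[port]})"))

    return hits


def verdict(hits):
    """Collapse hits into a triage verdict.

    Listening ports alone are weak evidence (any program may bind them);
    the mutex, the binary or the Run value is strong evidence.
    """
    kinds = {kind for kind, _ in hits}
    if kinds & {"mutex", "file", "registry_run"}:
        return "infected"
    if kinds:
        return "suspicious"
    return "clean"


# Constructed sample snapshots (not real captures).
INFECTED_SNAPSHOT = {
    "mutexes": ["Jobaka3l", "ExampleAppMutex"],
    "files": [r"C:\WINDOWS\avserve.exe",
              r"C:\WINDOWS\system32\74354_up.exe",
              r"C:\WINDOWS\explorer.exe"],
    "run_values": {SASSER_RUN_KEY: {"avserve.exe": r"C:\WINDOWS\avserve.exe"}},
    "listening_tcp": [135, 445, 5554, 9996],
}
CLEAN_SNAPSHOT = {
    "mutexes": ["ExampleAppMutex"],
    "files": [r"C:\WINDOWS\explorer.exe"],
    "run_values": {SASSER_RUN_KEY: {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}},
    "listening_tcp": [135, 445],
}

if __name__ == "__main__":
    for label, snap in (("infected", INFECTED_SNAPSHOT), ("clean", CLEAN_SNAPSHOT)):
        found = triage_host(snap)
        print(label, "->", verdict(found), found)
```

The verdict deliberately treats the ports as corroboration only: a host that happens to listen on 5554 or 9996 for some other reason is flagged as suspicious for a closer look, while the mutex, the avserve.exe file or the Run value is enough on its own to call the host infected.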

The IP addresses generated by the worm are distributed as follows:
• 50% are completely random.
• 25% have the same first octet as the IP address of the infected host.
• 25% have the same first and second octet as the IP address of the infected host.

-- Summary of TCP ports used by the worm:
445/TCP: - The worm attacks through this port
5554/TCP: - FTP server on infected systems
9996/TCP: - Remote shell opened by the exploit on the vulnerable hosts

-- The worm starts 128 threads that scan randomly-chosen IP addresses. This demands a lot of CPU time, and as a result an infected computer may be so slow as to be barely usable.

-- Computers are probed on port 445, which is the default port for Windows SMB communication on NT-based systems.

The probing might crash unpatched computers.
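The port summary, the target distribution and the 128 scanning threads together describe what Sasser looks like on the wire: one source touching many hosts on 445/tcp, about half of them inside its own /8 or /16, followed by the same source reaching the victim on 9996/tcp and the victim connecting back on 5554/tcp. The following is an added network-side detection example, not code from the original post; it assumes flow records reduced to a constructed "timestamp src dst dport" line format, and the scan threshold and the sample flows are this example's own choices.

```python
from collections import defaultdict
from dataclasses import dataclass

ATTACK_PORT = 445    # LSASS exploit delivered over SMB
SHELL_PORT = 9996    # remote shell opened on the victim by the exploit
FTP_PORT = 5554      # FTP server on the infected host; the victim fetches the worm from it
SCAN_THRESHOLD = 8   # distinct 445/tcp targets from one source before we call it a scan (assumed)


@dataclass(frozen=True)
class Flow:
    ts: str     # ISO-8601 timestamp; sorts correctly as a string
    src: str
    dst: str
    dport: int


def parse_flows(text):
    """Parse 'timestamp src dst dport' lines (constructed format); skip blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append(Flow(ts, src, dst, int(dport)))
    return flows


def find_scanners(flows, threshold=SCAN_THRESHOLD):
    """Sources that contacted at least `threshold` distinct hosts on 445/tcp."""
    targets = defaultdict(set)
    for f in flows:
        if f.dport == ATTACK_PORT:
            targets[f.src].add(f.dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}


def scan_locality(flows, src):
    """Share of a source's 445/tcp targets that fall in its own /8 and its own /16.

    The write-up says Sasser draws 25% of targets from the host's own /8 and
    another 25% from its own /16, so roughly half of a Sasser scan stays local,
    whereas a uniformly random scanner almost never lands in its own /8.
    """
    targets = {f.dst for f in flows if f.src == src and f.dport == ATTACK_PORT}
    if not targets:
        return (0.0, 0.0)
    octets = src.split(".")
    same_a = sum(1 for t in targets if t.split(".")[0] == octets[0])
    same_ab = sum(1 for t in targets if t.split(".")[:2] == octets[:2])
    return (same_a / len(targets), same_ab / len(targets))


def find_infection_chains(flows):
    """(attacker, victim) pairs showing the full, time-ordered sequence:
    attacker->victim:445, then attacker->victim:9996, then victim->attacker:5554."""
    first_seen = {}
    for f in flows:
        key = (f.src, f.dst, f.dport)
        first_seen[key] = min(first_seen.get(key, f.ts), f.ts)
    chains = set()
    for (a, v, p), t_attack in first_seen.items():
        if p != ATTACK_PORT:
            continue
        t_shell = first_seen.get((a, v, SHELL_PORT))
        t_fetch = first_seen.get((v, a, FTP_PORT))
        if t_shell and t_fetch and t_attack <= t_shell <= t_fetch:
            chains.add((a, v))
    return sorted(chains)


# Constructed sample flows: one scanning host (10.1.2.3), one successful
# infection of 10.1.9.77, and one benign SMB connection from 10.1.5.5.
SAMPLE_FLOWS = """
# ts src dst dport
2004-05-01T10:00:01 10.1.2.3 10.1.7.8 445
2004-05-01T10:00:01 10.1.2.3 10.44.3.9 445
2004-05-01T10:00:02 10.1.2.3 192.168.5.5 445
2004-05-01T10:00:02 10.1.2.3 10.1.9.77 445
2004-05-01T10:00:03 10.1.2.3 172.16.0.9 445
2004-05-01T10:00:03 10.1.2.3 10.200.1.1 445
2004-05-01T10:00:04 10.1.2.3 203.0.113.7 445
2004-05-01T10:00:04 10.1.2.3 10.1.20.5 445
2004-05-01T10:00:05 10.1.2.3 198.51.100.4 445
2004-05-01T10:00:05 10.1.2.3 8.8.4.4 445
2004-05-01T10:00:06 10.1.2.3 10.1.9.77 9996
2004-05-01T10:00:07 10.1.9.77 10.1.2.3 5554
2004-05-01T10:00:08 10.1.5.5 10.1.9.77 445
"""

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    scanners = find_scanners(flows)
    print("scanners:", scanners)
    for src in scanners:
        print(src, "locality (/8, /16):", scan_locality(flows, src))
    print("infection chains:", find_infection_chains(flows))
```

The three functions answer different questions: find_scanners gives early warning from the 445/tcp fan-out alone, scan_locality tells you whether the fan-out has the half-local shape this write-up describes (useful for telling Sasser apart from a uniformly random scanner), and find_infection_chains names the hosts that actually completed the 445, 9996, 5554 sequence and therefore need to be pulled from the network and cleaned, not just watched.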

Under Windows 2000, users may see a Windows error message like this:
[screenshot of the Windows 2000 error message]