
new virus, heads up

#1 May 01 2004 at 10:15 PM Rating: Decent
Quote:

NEW WORM SPREADS WITHOUT USER INTERACTION
Severity: Medium (May elevate to high in the next few days)
1 May, 2004
---------------------------------------------------------------
For an easier-to-read HTML version of this article, go to:
https://www.watchguard.com/archive/showhtml.asp?pack=11040
---------------------------------------------------------------
ABOUT THE VIRUS:

Beginning Friday evening a new worm called Sasser (technically known
as W32/Sasser.worm) began spreading on the Internet. Like previous
worms (such as Slammer, and to some extent, CodeRed and Nimda),
Sasser relies on exploiting a recent flaw in Microsoft Windows to
spread. If the worm finds a computer vulnerable to the specific
Windows flaw, it infects that PC without any user interaction. Worms
like Sasser that require no user interaction tend to spread wildly.
The good news is that if you have kept up to date with the Microsoft
patches we've recommended in past alerts, and if your Firebox has a
typical configuration, Sasser should pass you by.

WHAT IT DOES:

Unlike most worms, Sasser does not rely on email to spread. Instead,
the worm attempts to connect to random victims on TCP port 445 and
exploits a Microsoft Windows vulnerability we described in an April
13 alert (specifically MS04-011). Its name arises from the fact that
it exploits a buffer overflow in LSASS (Local Security Authority
Server Service).
If the exploit is successful, the worm downloads a copy of itself to
your machine and adds the file "avserve.exe" to the default Windows
directory. The worm also adjusts the registry to ensure that it can
restart the next time you reboot. In fact, using a special Windows
API, AbortSystemShutdown, Sasser makes it difficult to restart or
shut down your PC.
Finally, Sasser installs an FTP server on your computer, running on
TCP port 5554 so that your machine can deliver the worm to others.
Once installed on a victim machine, Sasser repeats the entire
process by randomly scanning IP addresses on port 445, searching for
exploitable machines. Out of the randomly scanned IPs, 50% are
totally random, 25% have the same first octet as your IP address and
the last 25% have the same first two octets as your IP address. This
helps Sasser to spread efficiently both on the Internet and within
your local network.

WHAT YOU CAN DO:

Make sure you've installed all of the Microsoft patches that we
recommended in our April 13 alert! With these patches installed,
Sasser cannot find a direct path into your network. As you'll see
below, your Firebox is probably already set up to defend against
this worm. However, take extra precautions to protect your network
from your mobile users or visiting customers. If this worm can sneak
its way onto an unpatched Microsoft network, it will be difficult to
contain.

SUGGESTIONS FOR FIREBOX II / III / X, VCLASS, AND SOHO USERS:

All of WatchGuard's firewalls block incoming TCP port 445 by
default. As long as you have not added a service allowing TCP port
445 in, you are protected from Sasser infection via the Internet.
In case your network becomes infected, filtering TCP ports 5554 and
9996 (the ports that the worm uses to spread itself) helps to
prevent your computers from becoming infectious hosts -- that is,
spreading the worm to others. If you don't already egress filter,
follow the instructions specific to your WatchGuard firewall to add
custom services for TCP port 5554 and 9996 and block both incoming
and outgoing access for these ports. The links below lead to
instructions on how to do so.

This also means that most of you behind NAT routers should be rather safe, as the default for most routers is to deny anything under 1024 access. I would take the extra step to update your antivirus software, patch your OS (windowsupdate.microsoft.com, copy and paste that into the navigation bar of IE), and run a system scan on the above file name to verify that you have not already been infected.

Cross fingers and good luck at not getting this one.


Putting this on a few of the forums here to help others from getting ganked.
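An added example, not part of the advisory or the post above: the advisory names three network signals a firewall log can surface for this worm (many TCP/445 connection attempts to distinct targets, target selection split between fully random addresses and addresses sharing the scanner's first one or two octets, and traffic on the worm's own TCP 5554/9996 ports). The script below runs that detection over a handful of constructed firewall log lines. The log line format, the addresses, and the 8-targets-in-5-minutes threshold are assumptions made for the example, not anything WatchGuard or the poster specified.

```python
"""Flag hosts whose firewall log activity matches the Sasser pattern the
advisory describes: many outbound TCP/445 attempts to distinct addresses
(random plus same-first-octet plus same-first-two-octets), and any traffic
to TCP 5554/9996.  Added example; log format and addresses are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ts> <ACTION> src=<ip>:<port> dst=<ip>:<port> proto=tcp"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=tcp$"
)
SCAN_PORT = 445             # port the LSASS exploit is delivered over
WORM_PORTS = {5554, 9996}   # FTP server the worm installs, and its other spread port


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
    }


def _octet_share(a, b):
    """Number of leading octets two dotted-quad addresses have in common (0..4)."""
    n = 0
    for x, y in zip(a.split("."), b.split(".")):
        if x != y:
            break
        n += 1
    return n


def analyze(lines, min_targets=8, window=timedelta(minutes=5)):
    """Return {src: report} for sources that scanned >= min_targets distinct
    hosts on 445 inside one window, or that connected to a worm port."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        worm_port_hits = sorted({e["dport"] for e in evs if e["dport"] in WORM_PORTS})
        scans = [e for e in evs if e["dport"] == SCAN_PORT]
        # Sliding time window over the 445 attempts; keep the largest target set.
        best, start = set(), 0
        for i in range(len(scans)):
            while scans[i]["ts"] - scans[start]["ts"] > window:
                start += 1
            targets = {x["dst"] for x in scans[start:i + 1]}
            if len(targets) > len(best):
                best = targets
        if len(best) >= min_targets or worm_port_hits:
            findings[src] = {
                "distinct_445_targets": len(best),
                # the advisory's 25%/25% locality buckets, measured on what we saw
                "same_first_octet": sum(1 for d in best if _octet_share(src, d) >= 1),
                "same_first_two_octets": sum(1 for d in best if _octet_share(src, d) >= 2),
                "worm_ports_seen": worm_port_hits,
            }
    return findings


SAMPLE_LOG = [  # constructed for this example: 10.20.30.40 is the scanner
    "2004-05-01 22:10:01 DENY src=10.20.30.40:1031 dst=198.51.100.7:445 proto=tcp",
    "2004-05-01 22:10:02 DENY src=10.20.30.40:1032 dst=203.0.113.9:445 proto=tcp",
    "2004-05-01 22:10:03 DENY src=10.20.30.40:1033 dst=192.0.2.77:445 proto=tcp",
    "2004-05-01 22:10:04 DENY src=10.20.30.40:1034 dst=10.77.1.5:445 proto=tcp",
    "2004-05-01 22:10:05 DENY src=10.20.30.40:1035 dst=10.9.200.1:445 proto=tcp",
    "2004-05-01 22:10:06 DENY src=10.20.30.40:1036 dst=10.150.4.4:445 proto=tcp",
    "2004-05-01 22:10:07 ALLOW src=10.20.30.40:1037 dst=10.20.31.2:445 proto=tcp",
    "2004-05-01 22:10:08 ALLOW src=10.20.30.40:1038 dst=10.20.31.3:445 proto=tcp",
    "2004-05-01 22:10:09 ALLOW src=10.20.30.40:1039 dst=10.20.32.9:445 proto=tcp",
    "2004-05-01 22:10:10 ALLOW src=10.20.30.40:1040 dst=10.20.33.1:445 proto=tcp",
    # freshly exploited victim pulling the worm body from the scanner's FTP port
    "2004-05-01 22:10:11 ALLOW src=10.20.31.2:1044 dst=10.20.30.40:5554 proto=tcp",
    # ordinary file-server use from a clean host: two targets, not flagged
    "2004-05-01 22:11:00 ALLOW src=10.20.30.50:1100 dst=10.20.30.10:445 proto=tcp",
    "2004-05-01 22:11:30 ALLOW src=10.20.30.50:1101 dst=10.20.30.11:445 proto=tcp",
    "garbage line the parser should skip",
]

if __name__ == "__main__":
    for src, report in analyze(SAMPLE_LOG).items():
        print(src, report)
```

The locality counters are the useful part for triage: a host whose 445 targets are spread across unrelated first octets as well as its own /8 and /16 looks like this worm's random scanner rather than a misconfigured file-share client, and a host that only ever shows up as a client of 5554 is the more likely fresh victim.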