Sasser Worm Infects Thousands of Computers Worldwide
Bloomberg ^ | May 3, 2004

Posted on 05/03/2004 8:30:21 AM PDT by FourPeas

Edited on 07/19/2004 2:14:00 PM PDT by Jim Robinson.

To: Snowy
You laugh, but I just ducked a call from my mother. Sigh... ;)
41 posted on 05/03/2004 9:46:45 AM PDT by general_re (Drive offensively - the life you save may be your own.)
[ Post Reply | Private Reply | To 40 | View Replies]

To: Billthedrill
You must download the software patch from the Microsoft website. SASSER shuts down your computer soon after getting on the internet, and doesn't give you enough time to download the patch. Anyone have any ideas on how to get around this? I caught this SOB Friday afternoon 4/30/04.
42 posted on 05/03/2004 9:47:15 AM PDT by meanman
[ Post Reply | Private Reply | To 16 | View Replies]

To: Billthedrill
Thanks for the Tool. :)

"Personally, I'd hold out for champagne..."

LOL Which one?

43 posted on 05/03/2004 9:47:57 AM PDT by IamHD
[ Post Reply | Private Reply | To 39 | View Replies]

To: Billthedrill
I switched over to one of my Linux servers to work this weekend and today I'm on macOSx.3. All my windows boxes are off the net and powered down. I'll watch and wait to see what happens :o)
44 posted on 05/03/2004 9:49:38 AM PDT by ezo4
[ Post Reply | Private Reply | To 39 | View Replies]

To: Snowy
LOL. That's the truth. Don't forget to pull the shades, too.
45 posted on 05/03/2004 9:50:56 AM PDT by FourPeas
[ Post Reply | Private Reply | To 40 | View Replies]

To: IamHD
If your daughter has broadband the first thing is to unplug her computer from the internet. Then I would remove the virus from the registry.

After that I would at least install a software firewall such as ZoneAlarm.
46 posted on 05/03/2004 9:51:47 AM PDT by ParityErr
[ Post Reply | Private Reply | To 36 | View Replies]

To: meanman
Try that tool in post 39 - if you can't get it in time, you may have to download it to another box and cut it over to a floppy (it's only 149KB) or a CD.
47 posted on 05/03/2004 9:54:05 AM PDT by Billthedrill
[ Post Reply | Private Reply | To 42 | View Replies]

To: Snowy
"All of the 'family computer experts' take cover! Unplug your phones! Lock your doors!"
48 posted on 05/03/2004 9:55:01 AM PDT by IamHD
[ Post Reply | Private Reply | To 40 | View Replies]

To: Billthedrill
To download the tool, it says this:

Note: "You must have administrative rights to run this tool on Windows NT 4.0, Windows 2000, or Windows XP."

What does this mean?

49 posted on 05/03/2004 10:03:57 AM PDT by IamHD
[ Post Reply | Private Reply | To 47 | View Replies]

To: Billthedrill
Bookmark
50 posted on 05/03/2004 10:04:46 AM PDT by varina davis
[ Post Reply | Private Reply | To 16 | View Replies]

To: general_re
Block inbound traffic on TCP port 445.

We are doing so from the Internet, but we have more than a thousand outside PC's that connect via RAS or VPN, and they tend to be the weak link in our security. We've blocked 445 at our inbound RAS and VPN concentrators, but it only takes one person inadvertently moving an infected payload on an alternate port, or one variant to switch the port before we can react, and we're infected (updating the concentrator to block certain ports temporarily boots all of the connections while the rules are being updated...booting 1000+ users off the network isn't something that can be done quickly or lightly).

So far, everything looks clean. Our operations guys are actively scanning our network and haven't yet spotted any signs of the virus. Our firewall logs, however, have been showing a pretty dramatic increase in the number of blocked 455 connection attempts since 5AM this morning.
51 posted on 05/03/2004 10:06:14 AM PDT by Arthalion
[ Post Reply | Private Reply | To 29 | View Replies]

To: IamHD
Note: "You must have administrative rights to run this tool on Windows NT 4.0, Windows 2000, or Windows XP."

It means that you are not an administrator to the machine. Is there someone else who uses that machine who is an admin?

52 posted on 05/03/2004 10:08:18 AM PDT by Snowy (Microsoft: "You've got questions? We've got dancing paperclips.")
[ Post Reply | Private Reply | To 49 | View Replies]

To: FourPeas
Got slammed by it. Bump to let all Freepers know about it.
53 posted on 05/03/2004 10:08:51 AM PDT by tort_feasor ( anti-Semitism is not a lifestyle choice)
[ Post Reply | Private Reply | To 1 | View Replies]

To: All
From Reuters:

Sasser Worm Strikes Countless PCs Worldwide

By Brett Young

HELSINKI, Finland (Reuters) - The fast-spreading "Sasser" computer worm has infected hundreds of thousands of PCs globally and the number could rise sharply, a top computer security official said on Monday.

"If you take a normal Windows PC and connect to the Internet, you will be infected in 10 minutes (without protection)," Mikko Hypponen, Anti-Virus research director at Finnish data security firm F-Secure (FSC1V.HE), told Reuters.

"It seems to be gradually getting worse, but it could jump as the U.S. wakes up," he said.

F-Secure says the worm, which surfaced over the weekend, automatically spreads via the Internet to computers using the Microsoft (MSFT.O) Windows operating system, especially Windows 2000 and XP.

The spread of the virus has been muted so far, Hypponen said, as it emerged on a weekend, and with holidays closing offices in places like the United Kingdom and Japan on Monday.

But the spread was expected to worsen as the work week hits its stride, Hypponen said, adding he believes the worm originated in Russia.

It was not immediately known what impact the worm was having on computer networks of U.S. companies as they started the business day.

U.S. carrier Delta Air Lines (DAL.N) suffered a computer glitch on Saturday that caused delays and cancellations of certain flights across its system, but a spokesman said there was no information yet as to the cause.

A Microsoft representative was not immediately available for comment, but said in a statement that customers could protect themselves by erecting personal firewalls that separate internal networks from public networks, and by downloading Microsoft security patches.

The company also said it was working with law enforcement officials, including the Northwest CyberCrime Taskforce, to analyze the worm and to identify those responsible for it.

Finnish bancassurer Sampo (SAMAS.HE) temporarily closed all of its 130 branch offices on Monday as a precaution.

In Australia, Westpac Bank (WBC.AX) said it was hit by the worm, and branches had to use pen and paper to allow them to keep trading, The Australian newspaper (http://www.theaustralian.news.com) reported.

"With Sasser it seems that companies are (using software) patches better and more quickly than last year (with virus "Blaster"), but for those that are hit, they are hit hard," Hypponen said.

Blaster infected computers around the globe last year.

NO NEED TO CLICK

The current worm does not need to be activated by double-clicking on an attachment, and can strike even if no one is using the PC at the time. When a machine is infected, error messages may appear and the computer may reboot repeatedly.

"Compared to what happened with Blaster ... last August ... this virus has all the same features," Hypponen said, noting that both worms exploited relatively new holes in Windows and frequently caused computers to reboot.

Microsoft said Blaster cost it "millions of dollars of damages," and has issued a $250,000 bounty for information on the whereabouts of its author.

F-Secure said corporate networks should be protected against Sasser and its variants by firewalls -- Internet road blocks that separate internal from public networks.

F-Secure said the worm emerged 18 days after Microsoft posted a corrective-code software patch on its Web site. This continues a common pattern with viruses whereby companies announce flaws in their software and hackers race to exploit them.

For home computer users, people should make sure they have downloaded the patch from Microsoft to fix the breach. If their computer is infected, it must first be downloaded before the virus is removed or else the PC could catch the worm again.

Hypponen said he was not sure there was a better way for companies to alert users to software problems.

"There are always going to be security holes in mainstream products," he said. "Even if these are not made public, the bad boys will find out about them anyway."

54 posted on 05/03/2004 10:10:50 AM PDT by FourPeas
[ Post Reply | Private Reply | To 1 | View Replies]

To: Snowy
No, it's my daughter's personal computer that she uses at work. There is no network, and she is the only one that uses it. I suppose this means that I will have to manually remove this thing. She got the variant, Sasser B. I will expect a nice dinner from her, 'cause it's gonna take a while to get rid of it. lol
55 posted on 05/03/2004 10:12:14 AM PDT by IamHD
[ Post Reply | Private Reply | To 52 | View Replies]

To: FourPeas
Source: http://www.reuters.com/newsArticle.jhtml;jsessionid=BYADTG24BDCMCCRBAEKSFEY?type=topNews&storyID=5017896&pageNumber=1
56 posted on 05/03/2004 10:12:30 AM PDT by FourPeas
[ Post Reply | Private Reply | To 54 | View Replies]

To: IamHD
Oh, ugh. When you (or whoever) installed the OS on the box you're taking it to, an account was set up with administrative authority on that box and a password put in. If your user account doesn't have administrative authority (i.e. can alter the registry and write to system areas) then you'll have to log in using the local administrator account.

If it's an ordinary, run-of-the-mill workstation, the local user probably does have admin authority - try a blank password if it prompts you. If not, whoever built the box will have to let you know how they configured it. Sorry.

57 posted on 05/03/2004 10:14:14 AM PDT by Billthedrill
[ Post Reply | Private Reply | To 49 | View Replies]

To: FourtySeven
Starts an FTP server on TCP port 5554. This server is used to spread the worm to other hosts.

Attempts to connect to randomly-generated IP addresses on TCP port 445. If a connection is made to a computer, the worm sends shellcode to that computer which may cause it to run a remote shell on TCP port 9996. The worm then uses the shell to cause the computer to connect back to the FTP server on port 5554 and retrieve a copy of the worm. This copy will have a name consisting of 4 or 5 digits followed by _up.exe (e.g. 74354_up.exe).

The IP addresses generated by the worm are distributed as follows:
50% are completely random
25% have the same first octet as the IP address of the infected host
25% have the same first and second octet as the IP address of the infected host.

The worm starts 128 threads that scan randomly-chosen IP addresses. This demands a lot of CPU time and as a result an infected computer may be so slow as to be barely useable.
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html

58 posted on 05/03/2004 10:15:12 AM PDT by CyberCowboy777 (Veritas vos liberabit)
[ Post Reply | Private Reply | To 13 | View Replies]
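Post 51 watches firewall logs for a surge in blocked TCP/445 attempts, and post 58 quotes the worm's other ports (a shell on 9996, its FTP server on 5554). The script below is an added example, not from the thread or from Symantec: it reads a constructed log format (time, action, source, destination, destination port; the regex is an assumption you would adapt to your own firewall) and scores each host on those three indicators, so that one workstation reaching its single file server on 445 is not mistaken for a scanner.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (not real traffic): time action src dst dport.
# 10.0.5.23 sweeps six hosts on 445, drives a shell on 9996 and serves the worm on 5554.
SAMPLE_LOG = """\
05:01:12 DENY 10.0.5.23 10.0.9.1 445
05:01:12 DENY 10.0.5.23 10.0.9.2 445
05:01:13 DENY 10.0.5.23 10.0.9.3 445
05:01:13 DENY 10.0.5.23 10.0.9.4 445
05:01:14 DENY 10.0.5.23 10.0.9.5 445
05:01:14 DENY 10.0.5.23 10.0.9.6 445
05:01:20 ALLOW 10.0.5.23 10.0.7.15 9996
05:01:21 ALLOW 10.0.7.15 10.0.5.23 5554
05:02:00 ALLOW 10.0.8.40 10.0.8.2 445
"""

LINE_RE = re.compile(r"^(\S+) (ALLOW|DENY) (\S+) (\S+) (\d+)$")  # assumed format

def parse(text):
    """Yield (time, action, src, dst, dport) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            t, act, src, dst, port = m.groups()
            yield t, act, src, dst, int(port)

def analyze(text, scan_threshold=5):
    """Return {host: sorted indicators}. scan-445: source hit >= scan_threshold
    distinct hosts on 445 (a single file-server connection is not flagged);
    shell-9996: source drove a remote shell; ftp-5554: destination served the worm."""
    targets_445 = defaultdict(set)
    findings = defaultdict(set)
    for _t, _act, src, dst, dport in parse(text):
        if dport == 445:
            targets_445[src].add(dst)
        elif dport == 9996:
            findings[src].add("shell-9996")  # infected host connects to the shell
        elif dport == 5554:
            findings[dst].add("ftp-5554")    # infected host serves its own copy
    for src, dsts in targets_445.items():
        if len(dsts) >= scan_threshold:
            findings[src].add("scan-445")
    return {host: sorted(f) for host, f in findings.items()}

if __name__ == "__main__":
    for host, indicators in analyze(SAMPLE_LOG).items():
        print(host, indicators)
```

Hosts that score on all three indicators are the ones to isolate first; a host that only trips scan-445 may still be an ordinary scanner or a misconfigured client and deserves a second look before action.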

To: FourtySeven
It happens in the background as part of the communications that goes on through the network.
59 posted on 05/03/2004 10:15:22 AM PDT by FourPeas
[ Post Reply | Private Reply | To 13 | View Replies]

To: IamHD
Oh, I see you already know that. Never mind... ;-)
60 posted on 05/03/2004 10:15:53 AM PDT by Billthedrill
[ Post Reply | Private Reply | To 55 | View Replies]
