
W32.Sasser.G - Alert 4 - Update


Giorgius
12-06-2004, 13.49.28
Aliases:
Win32/Sasser.G (Enciclopedia Virus (Ontinent)), W32.Sasser.G (Symantec)

Effects:
W32.Sasser.G is a minor variant of W32.Sasser.Worm. It attempts to exploit the LSASS vulnerability, described in Microsoft Security Bulletin MS04-011, and spreads by scanning randomly selected IP addresses for vulnerable systems. The worm's function is identical to that of W32.Sasser.E.Worm, but W32.Sasser.G contains an extra PE file section, which is 1 byte in size and appears to have no function. W32.Sasser.G differs from W32.Sasser.Worm as follows:
Uses a different mutex: SkynetNotice.
Uses a different file name: lsasss.exe.
Creates a different value in the registry: "lsasss.exe".
Uses different port numbers, used by FTP server and the remote shell: 1023 and 1022.
After 2 hours of running, it displays a message.
It deletes the values from the registry, which are known to be installed by Trojan.Mitglieder, W32.Beagle.W@mm, and W32.Beagle.X@mm.
The name of the file retrieved from the FTP server is followed by _update.exe.
The worm logs data into the file C:\ftplog.txt.
Has an updated routine for finding vulnerable computers. W32.Sasser.G sends an ICMP echo request before attempting to make a connection. This change may prevent the worm from properly executing on Windows 2000 systems.

Info:
http://www.symantec.com/avcenter/venc/data/w32.sasser.g.html
http://alerta-antivirus.red.es/virus/detalle_virus.html?cod=3981
http://www.microsoft.com/security/incident/sasser.asp

AntiVirus updated as of 12/06/04 ;)(Y)
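
The indicators listed in the alert (mutex, file name, registry value name, FTP and shell ports, log file) are enough for a host-side triage check. The following is an added example, not code from the original post, from Symantec, or from the removal tools linked in the thread; the host snapshot it runs on is constructed, and since the alert does not name the registry key that holds the "lsasss.exe" value, only the value name is matched.

```python
"""Host-indicator triage for W32.Sasser.G, built from the indicators in the alert above.

Added example (not from the original post, Symantec, or the linked removal tools).
The HostSnapshot instances below are constructed sample data.
"""
import ntpath
from dataclasses import dataclass, field
from typing import List

# Indicator values as listed in the alert.
MUTEX_NAME = "SkynetNotice"
WORM_FILE_NAME = "lsasss.exe"          # note the triple 's'; lsass.exe is the legitimate process
REGISTRY_VALUE_NAME = "lsasss.exe"     # key path is not given on the page, so value name only
FTP_PORT = 1023
SHELL_PORT = 1022
LOG_FILE = r"C:\ftplog.txt"


@dataclass
class HostSnapshot:
    """Artefacts an endpoint agent would collect (field names are this example's own)."""
    mutexes: List[str] = field(default_factory=list)
    running_images: List[str] = field(default_factory=list)      # full paths of running executables
    autostart_values: List[str] = field(default_factory=list)    # value names found under autostart keys
    listening_tcp_ports: List[int] = field(default_factory=list)
    files_present: List[str] = field(default_factory=list)


def match_indicators(snap: HostSnapshot) -> List[str]:
    """Return the alert indicators present in the snapshot, sorted for stable output."""
    hits = []
    if MUTEX_NAME in snap.mutexes:
        hits.append("mutex:" + MUTEX_NAME)
    # Windows file names are case-insensitive, so compare lower-cased basenames.
    # An exact basename match keeps the legitimate lsass.exe from matching.
    for path in snap.running_images:
        if ntpath.basename(path).lower() == WORM_FILE_NAME:
            hits.append("process:" + path)
    if any(v.lower() == REGISTRY_VALUE_NAME for v in snap.autostart_values):
        hits.append("registry_value:" + REGISTRY_VALUE_NAME)
    ports = set(snap.listening_tcp_ports)
    if FTP_PORT in ports:
        hits.append("listener:tcp/%d" % FTP_PORT)
    if SHELL_PORT in ports:
        hits.append("listener:tcp/%d" % SHELL_PORT)
    if any(f.lower() == LOG_FILE.lower() for f in snap.files_present):
        hits.append("file:" + LOG_FILE)
    return sorted(hits)


def verdict(hits: List[str]) -> str:
    """The mutex or the worm's own process is a direct sign of infection; listeners or
    the log file on their own can have other explanations, so they only rate 'suspicious'."""
    if any(h.startswith(("mutex:", "process:")) for h in hits):
        return "infected"
    if hits:
        return "suspicious"
    return "clean"


# Constructed sample hosts for the example.
INFECTED_HOST = HostSnapshot(
    mutexes=["SkynetNotice"],
    running_images=[r"C:\WINDOWS\system32\lsass.exe", r"C:\WINDOWS\lsasss.exe"],
    autostart_values=["lsasss.exe"],
    listening_tcp_ports=[135, 139, 1022, 1023],
    files_present=[r"C:\ftplog.txt"],
)
CLEAN_HOST = HostSnapshot(
    running_images=[r"C:\WINDOWS\system32\lsass.exe"],
    listening_tcp_ports=[135, 139],
)
ODD_LISTENER_HOST = HostSnapshot(listening_tcp_ports=[1023])

if __name__ == "__main__":
    for name, snap in [("infected", INFECTED_HOST), ("clean", CLEAN_HOST), ("odd", ODD_LISTENER_HOST)]:
        hits = match_indicators(snap)
        print(name, verdict(hits), hits)
```

The verdict tiers matter in practice: a host that merely has TCP 1023 open should be looked at, not reimaged, while the SkynetNotice mutex or a running lsasss.exe (three s's) is the worm itself.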

Giorgius
12-06-2004, 13.51.35
Symantec: http://securityresponse.symantec.com/avcenter/FxSasser.exe
BitDefender: http://www.bitdefender-es.com/bd/downloads/removaltools/Antisasser-ES.exe