New network worm likes W2K
p2pnet.net News:- The e-worms are at it again, this time in the form of another Blaster-type called Sasser with a taste for Windows XP or 2000.
It spreads through the MS04-011 (LSASS) vulnerability but is not, contrary to many reports, out of control, F-Secure assures us.
“You would expect a new automatic network worm like Sasser to hit even harder than it seems to be hitting right now,” says the company here.
The vulnerability is caused by a buffer overrun in Windows’ LSASS and could hit machines that:
- Run Windows XP or Windows 2000
- Haven’t been patched against this vulnerability
- Are connected to the internet without a firewall
Sasser scans random IP addresses, targeting TCP port 445. After infection, it opens a shell that listens on TCP port 9996 and then downloads the actual worm code through an FTP connection at TCP port 5554.
“Of course, it’s weekend time, but most infected machines would be home computers, many of which are turned on and online always,” says F-Secure.
“Sasser could be compared to the Blaster/Lovsan outbreak in last August in many ways. Both are automatic network worms affecting Windows 2000 and XP users, scanning random IP addresses and using FTP (or TFTP) to transfer the actual worm file to infected host. Also, both worms cause unpatched machines to start to reboot.”
If you think you may have been bitten - an indication is the appearance of ‘C:\win.log’ and frequent LSASS.EXE crashes - run Windows Update.
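The port sequence described above can also be looked for in connection logs. The following is an added example, not part of the original article or any F-Secure tool: it flags hosts in a constructed flow list that scan TCP 445, are contacted on TCP 9996, or fetch over TCP 5554. The record format, the addresses, the threshold of 5 and the reading that the client of the 5554 connection is the machine fetching the worm are assumptions.

```python
from collections import defaultdict

# Constructed sample flow records (not real traffic): "src dst dport"
SAMPLE_FLOWS = """\
10.0.0.5 198.51.100.7 445
10.0.0.5 203.0.113.20 445
10.0.0.5 192.0.2.99 445
10.0.0.5 198.51.100.200 445
10.0.0.5 10.0.0.8 445
10.0.0.5 10.0.0.8 9996
10.0.0.8 10.0.0.5 5554
10.0.0.9 10.0.0.2 445
10.0.0.9 10.0.0.2 80
"""

SCAN_PORT, SHELL_PORT, FTP_PORT = 445, 9996, 5554
SCAN_THRESHOLD = 5  # assumed cut-off: distinct TCP/445 targets per source


def parse_flows(text):
    """Yield (src, dst, dport) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2].isdigit():
            yield parts[0], parts[1], int(parts[2])


def sasser_indicators(flows, scan_threshold=SCAN_THRESHOLD):
    """Map each host to the set of Sasser-like behaviours seen for it."""
    targets_445 = defaultdict(set)
    findings = defaultdict(set)
    for src, dst, dport in flows:
        if dport == SCAN_PORT:
            targets_445[src].add(dst)
        elif dport == SHELL_PORT:
            findings[dst].add("shell-9996")      # something reached its 9996 listener
        elif dport == FTP_PORT:
            findings[src].add("ftp-fetch-5554")  # it pulled a file over port 5554
    for src, targets in targets_445.items():
        if len(targets) >= scan_threshold:
            findings[src].add("scan-445")        # wide fan-out on the LSASS port
    return dict(findings)


if __name__ == "__main__":
    for host, signs in sorted(sasser_indicators(parse_flows(SAMPLE_FLOWS)).items()):
        print(host, sorted(signs))
```

A host that shows both the 9996 and 5554 signs shortly after being touched on 445 is the strongest match; a single sign on its own warrants a look at the machine rather than a conclusion.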




