ZDNet UK

CNET NETWORKS UK BUSINESS SITES:
atlarge.com
BNET UK
silicon.com
SmartPlanet.com
ZDNet.co.uk

ZDNet.co.uk - Winner of Best Business Website 2007

You are here: ZDNet.co.uk > News > Security

Security management Toolkit

Sasser.a and Sasser.b: Prevention and cure

Robert Vamosi CNET News.com

Published: 05 May 2004 12:00 BST

Sasser starts an FTP server on TCP port 5554. Meanwhile, it uses TCP port 445 to search random chunks of the Internet for additional Windows 2000 and Windows XP machines that have not patched the LSASS flaw. Sasser launches 128 threads to scan the random IP addresses and listens on successive ports starting with TCP port 1068. Microsoft reports that the worms also use TCP port 139 as well. Ports 139 and 445 are both used by the Windows file-sharing protocol.

If the Sasser worm finds a vulnerable machine on a local network or the Internet, the worm sends a specially crafted packet to cause a buffer-overflow in lsass.exe. The overflow contains instructions in a script file, cmd.ftp, on the newly infected machine to open TCP port 9996 and instructions to download a copy of itself from TCP port 5554 on the previously infected machine as:
[some random number]_up.exe.

The file cmd.ftp is then erased. Sasser.a creates a win.log in the root directory of the newly infected machine that contains the number of remote systems currently infected and the IP address of the last infected system. Sasser.b creates a file called win2.log.

Prevention
Microsoft has created a special page on how to prevent a Sasser infection. Basically, a desktop firewall should protect vulnerable systems until the Microsoft security patch can be downloaded. If you do not have a personal firewall, you should install one first to limit the effects of the Sasser worm. The Microsoft security patch MS04-011 is available here.

Removal
Most antivirus-software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. However, simply removing the Sasser worm infection is not enough; an infected system will remain vulnerable to attack until the LSASS vulnerability itself has been patched.

For more information on Sasser.a, see Computer Associates, F-Secure, McAfee, Norman, Panda, Sophos, Symantec, and Trend Micro.

For more information on Sasser.b, see Computer Associates, F-Secure, McAfee, Norman, Panda, Sophos, Symantec, and Trend Micro.

1 2

Did you find this article useful?
145 out of 265 people found this useful

Post a comment

Full Talkback thread

0 comments

More In Security management

Company/Topic Alerts

Create a new alert from the list below:

Featured Talkback

It seems to me this is a burden being placed on the wrong shoulders. There is not an It system in the world that can stop an individual taking information in their heads and spewing out at the nearest undesirable third party.