Removing Win32 Sasser.Worm
W32-Sasser Worm
Also Known As:
W32/Sasser.worm (McAfee)
W32.Sasser.Worm (Symantec)
WORM_SASSER (Trend Micro)
Win32.Sasser (CA)
Sasser (F-secure)
Sasser (Panda)
W32/Sasser (Sophos)
W32/Sasser (Norman)
Summary
Win32/Sasser is a family of network worms that exploit the Local Security Authority Subsystem Service (LSASS) vulnerability fixed in Microsoft Security Update MS04-011. The worm spreads by randomly scanning IP addresses for vulnerable machines and infecting any that are found.
Symptoms
Your computer may be infected with Win32/Sasser if you experience one or more of the following symptoms:
You see an LSA Shell crash dialog box
Your computer restarts every few minutes without user interaction. You may see a system shutdown dialog box announcing the restart.
Your computer's performance decreases or your network connection is slow.
Technical Information
When Win32/Sasser runs on a computer, it copies itself to the %WINDOWS% folder. In most cases, it adds a value to the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. This value causes the worm to start when Windows is started.
Win32/Sasser acts as an FTP server listening on TCP port 5554. For each connection made on this port, the worm sends a copy of itself to the connected host using a file name of the form [number]_up.exe.
The worm generates random IP addresses using a certain logic and then sends the exploit shell code to these IP addresses on TCP port 445. If the exploit is successful, a command-line shell listens on a TCP port of the remote infected machine. To complete the infection, the worm executes a remote shell script that instructs the newly infected machine to connect back to the infecting host and download and execute the worm through FTP. The worm records the count of successful infections in a file on the C: drive.
Win32/Sasser also attempts to cancel any pending system shutdown by calling AbortSystemShutdown every few seconds in a continuous loop.
Later variants of the worm may drop a variant of the Netsky worm. Later variants may not infect Windows 2000 because they import IcmpSendEcho from IPHlpAPI.dll, which is not present in Windows 2000.
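The propagation pattern above (random probing of TCP port 445, then the victim fetching the worm from the infector's FTP server on TCP port 5554) is easy to spot in perimeter or host firewall logs. The following is an added example, not part of the original advisory: it parses a constructed key=value log format (the regex LINE_RE and the scan_threshold value are assumptions to adapt to your own logs) and reports sources fanning out to many distinct 445 targets and hosts that received inbound 5554 connections.

```python
# Added example (not from the advisory): flag Sasser-style propagation in a
# firewall log. The worm probes random hosts on TCP 445 and serves copies of
# itself over TCP 5554 (both from the advisory); a source fanning out to many
# distinct 445 targets, or a host receiving inbound 5554 connections, stands out.
import re
from collections import defaultdict

# Constructed sample log lines (key=value style); adapt LINE_RE to your format.
SAMPLE_LOG = """\
2004-05-01T10:00:01 src=10.0.0.5 dst=198.51.100.7 proto=tcp dport=445
2004-05-01T10:00:01 src=10.0.0.5 dst=203.0.113.9 proto=tcp dport=445
2004-05-01T10:00:02 src=10.0.0.5 dst=192.0.2.14 proto=tcp dport=445
2004-05-01T10:00:02 src=10.0.0.5 dst=198.51.100.22 proto=tcp dport=445
2004-05-01T10:00:03 src=10.0.0.5 dst=10.0.0.9 proto=tcp dport=445
2004-05-01T10:00:04 src=10.0.0.9 dst=10.0.0.5 proto=tcp dport=5554
2004-05-01T10:00:05 src=10.0.0.7 dst=10.0.0.1 proto=tcp dport=445
2004-05-01T10:00:06 src=10.0.0.7 dst=10.0.0.1 proto=tcp dport=445
2004-05-01T10:00:07 src=10.0.0.8 dst=10.0.0.2 proto=tcp dport=80
"""
LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=tcp dport=(?P<dport>\d+)")

LSASS_PORT = 445        # port the worm sends the LSASS exploit to
SASSER_FTP_PORT = 5554  # port the worm's FTP server listens on


def parse_log(text):
    """Yield (src, dst, dport) for each TCP line matching the constructed format."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst"), int(m.group("dport"))


def find_sasser_like_hosts(text, scan_threshold=5):
    """Return {'scanners': src -> distinct 445 targets, 'ftp_servers': dst -> set(src)}.

    scan_threshold: distinct TCP/445 destinations from one source at or above
    which we call it scanning rather than ordinary SMB traffic (tune per site).
    """
    targets_445 = defaultdict(set)   # src -> hosts it probed on 445
    pulls_5554 = defaultdict(set)    # dst -> hosts that fetched from its 5554
    for src, dst, dport in parse_log(text):
        if dport == LSASS_PORT:
            targets_445[src].add(dst)
        elif dport == SASSER_FTP_PORT:
            pulls_5554[dst].add(src)
    scanners = {s: len(t) for s, t in targets_445.items() if len(t) >= scan_threshold}
    return {"scanners": scanners, "ftp_servers": dict(pulls_5554)}
```

In the constructed sample, 10.0.0.5 shows up both as the scanner and as the FTP server that 10.0.0.9 pulled from, which is exactly the two-stage sequence described above; a single host hitting the same SMB server repeatedly (10.0.0.7) is not flagged.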
This malicious software can be removed using the Microsoft Malicious Software Removal Tool.