Check out the latest Industry news from NextHOST (IT Next Generation) and other sources.
Virus Outbreak WORM_SASSER.B
Virus type: Worm
Destructive: No
Aliases: W32/Sasser.worm.b, W32.Sasser.B.Worm, W32/Sasser.B
Pattern file needed: 883 (1.883.00) OPR
Scan engine needed: 6.500
Overall risk rating: High
Reported infections: High
Damage Potential: High
Distribution Potential: High
As of May 2, 2004 10:07 PM (PST), TrendLabs has declared a Red alert to control the spread of this malware. Several infection reports have been received indicating that this worm is spreading across the globe.
This worm exploits the Windows LSASS vulnerability, which is a buffer overrun that allows remote code execution and enables an attacker to gain full control of affected systems. This vulnerability is discussed in detail in the following pages:
MS04-011_MICROSOFT_WINDOWS
Microsoft Security Bulletin MS04-011
To propagate, this worm sends a specially crafted packet to TCP port 445 of randomly generated IP addresses; however, it skips certain RFC 1918 reserved address ranges. The packet causes a buffer overrun on vulnerable systems, which results in the execution of a remote shell listening on TCP port 9996. The worm then commands that remote shell to download a copy of the worm from the original infecting host over TCP port 5554 using FTP.
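The propagation sequence above gives a defender three network observables: one internal host contacting many distinct addresses on TCP/445, connections to the TCP/9996 remote shell, and FTP retrievals on TCP/5554. The following script is an added detection example written for this page, not code from Trend Micro or NextHOST; it runs over constructed firewall log lines in a simple "src dst dport" format (an assumed layout, not a real product's log format) and the scan threshold is an arbitrary choice for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample firewall records: "<source IP> <destination IP> <destination port>".
# Destinations in 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation
# ranges standing in for public addresses; nothing here is captured from a real network.
SAMPLE_LOG = """\
10.0.0.5 203.0.113.10 445
10.0.0.5 203.0.113.11 445
10.0.0.5 198.51.100.7 445
10.0.0.5 192.0.2.200 445
10.0.0.5 203.0.113.12 445
10.0.0.9 10.0.0.1 445
10.0.0.9 10.0.0.2 445
10.0.0.21 203.0.113.10 9996
10.0.0.21 10.0.0.5 5554
"""

# Ports named in the advisory and what traffic to each one indicates.
SASSER_PORTS = {
    445: "LSASS exploit attempt (TCP/445)",
    9996: "remote shell opened by the exploit (TCP/9996)",
    5554: "FTP retrieval of the worm copy (TCP/5554)",
}

# Assumed threshold: a host touching this many distinct peers on 445 is treated as scanning.
SCAN_THRESHOLD = 4

# The worm skips RFC 1918 space, so its scan targets are predominantly public addresses;
# a workstation reaching public addresses on 445 is anomalous in most environments anyway.
RFC1918_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def is_rfc1918(addr):
    """True if the address falls inside one of the three RFC 1918 private ranges."""
    return any(addr in net for net in RFC1918_NETWORKS)


def parse_log(text):
    """Parse lines of the assumed 'src dst dport' format; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            src = ipaddress.ip_address(parts[0])
            dst = ipaddress.ip_address(parts[1])
            dport = int(parts[2])
        except ValueError:
            continue
        records.append((src, dst, dport))
    return records


def find_scanners(records, threshold=SCAN_THRESHOLD):
    """Sources that contacted at least `threshold` distinct destinations on TCP/445.

    Returns {source: {"targets": n, "public_targets": m}} so an analyst can see
    how much of the fan-out went to non-RFC 1918 space.
    """
    targets = defaultdict(set)
    for src, dst, dport in records:
        if dport == 445:
            targets[src].add(dst)
    result = {}
    for src, dsts in targets.items():
        if len(dsts) >= threshold:
            result[str(src)] = {
                "targets": len(dsts),
                "public_targets": sum(1 for d in dsts if not is_rfc1918(d)),
            }
    return result


def find_secondary_channels(records):
    """Connections to the remote-shell and FTP ports, which are the post-exploit stages."""
    hits = []
    for src, dst, dport in records:
        if dport in (9996, 5554):
            hits.append((str(src), str(dst), dport, SASSER_PORTS[dport]))
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for host, info in find_scanners(recs).items():
        print(f"possible 445 scanner: {host} -> {info['targets']} peers, "
              f"{info['public_targets']} of them outside RFC 1918")
    for src, dst, port, why in find_secondary_channels(recs):
        print(f"{src} -> {dst}:{port}: {why}")
```

On the constructed input, 10.0.0.5 is reported as a scanner (five distinct 445 peers, all outside RFC 1918 space), 10.0.0.9 stays below the threshold, and the two post-exploit connections from 10.0.0.21 are listed separately; the 5554 connection back to 10.0.0.5 is what an FTP retrieval from the infecting host would look like.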