Sasser Worm

ISC is aware of the LSASS Sasser worm.
This worm is spreading through the MS04-011 (LSASS) vulnerability.
According to AV companies, this worm will generate traffic on ports 445, 5554 and 9996. Also, it will copy itself in the windows folder, under the name of avserve.exe, create a file at c:\ called win.log and add the registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avserve = avserve.exe
Another sign of infection is frequent crashes of 'LSASS.EXE'.
Expect frequent updates.
References: http://www.f-secure.com/v-descs/sasser.shtml

http://www.sophos.com/virusinfo/analyses/w32sassera.html

Due to the release of this worm, we moved to infocon yellow for the next
24 hrs. The exact impact is not clear at this point.

Week in review. Many organizations including the Storm Center have been predicting a wide-spread malware outbreak that would exploit one or more of the vulnerabilities contained in the April Microsoft security bulletins. So far this week we have not seen any worm code, but the Ago|Gao|Phatbot family continues to grow and mutate. There are now several hundred variations of this bot family and there does not appear to be an end in sight. The family added tcp/1025 to its list of ports to scan, apparently hunting for RPC/LSASS and RPC/DCOM vulnerabilities. Increased scanning reported by DShield users on port 135, 139, 445, 1025, 1433, 2745, 3127, and 5000 is probably related to this family of bots. File names reported to the ISC this week that appear to be versions of the bot family include wmiprvsw.exe, wmipsvsc.exe, msiwin84.exe, and msiwin98.exe.


Other items included new versions of the Bagle and Netsky viruses plus increased scanning for open mail proxies on ports 559 and 65506.


LSASS exploit analysis. At the beginning of the week a Windows RPC/LSASS (MS04-011) remote exploit began circulating. Later in the week a universal exploit for lsasrv.dll was made public. Kyle Haugsness, one of our incident handlers, assembled the following analysis:


The Microsoft LSASS vulnerability released on April 13, 2004 is currently being exploited in the wild. At least two published exploits have been confirmed to gain full remote administrative privileges on Windows 2000 (Pro and Server) and Windows XP (see http://www.k-otik.com/exploits/ ). Due to the nature of the vulnerability, the exploit can be launched against several TCP/UDP ports (see list below). Exploit code in the wild has been observed attacking TCP 1025. Additionally, a working exploit appears to have been included in recent versions of the Phatbot/Agobot family of malware, which spreads in a wormlike fashion.


A machine infected with Phatbot/Agobot has been known to scan some of the following TCP ports in rapid succession (and not necessarily this order): 2745 1025 80 3127 6129 1433 5000 445 443 135


In addition to TCP 1025, the following ports are vulnerable to the LSASS
exploit:
TCP 135, 139, 445, and 593.
UDP 135, 137, 138, and 445.


The patch for the vulnerability (MS04-011) can be installed through Windows Update or located at the following URL:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx The vulnerability has been assigned CVE reference number CAN-2003-0533,
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0533


SANSFIRE 2004 Finally, I'd like to put in a plug for this summer's hottest computer security conference - SANSFIRE in Monterey California. Come meet several of the ISC handlers and attend one of SANS' 14 training tracks the first week in July. See you there! http://www.sans.org/sansfire2004/


Marcus H. Sachs

The SANS Institute

Handler on Duty