Flash Update (May 3rd 09:30 AM): We did receive some initial reports about a significant rise in ICMP traffic, which may point to a new worm with Nachi style ICMP component

Sasser/SasserB and SasserC are just one component of multiple MS04-011 Exploits Threatening Networks

SasserC, reported by Joe Stewart of Security Service Provider LURHQ
( http://www.lurhq.com ), is currently undergoing analysis. Joe reports that SasserC spawns 1024 threads to attack other systems, and it seems poised
to torch networks that are not patched for the MS04-011 vulnerabilities. Let's
hope MS shares some realtime numbers of infected systems from their customers
use of the Microsoft Sasser cleaning tool (link below). In addition, Gaobot
variants are actively exploiting systems using MS04-011 vulnerabilities
too.

Speaking of Gaobot variants, the ISC has received quite a
few submissions of suspected malware this week from participants for analysis.
The suspected malware failed detection by vendor malware scanning applications.
Our recent experience with submitting the new variants to the vendors for
confirmation, identification and deployment of new definitions to detect the
obvious malware indicates that there's a 72 hour lag between submission and
deployment of definitions to detect the malware. During that time, many
Universities are reporting that the malware is causing disruptions and incident
responses ranging from minor to major.

In an effort to reduce their own
support costs, many network operators are referring owners of infected systems
to Microsoft for support and cleanup help, Microsoft provides free support for
virus and trojan infection cleanup;

"Get Help with Security and Virus-related Issues"
"Get free help by phone: 1 (866) 727-2338 (Toll free; US and Canada only)"

http://www.microsoft.com/security/protect/support.asp">http://www.microsoft.com/security/protect/support.asp
ISC and ISC Participants - MS04-011 exploits and Malware Analysis
Handlers and ISC participants contributing to this weekends analysis (links next) were; Lorna Hutcheson, Toby Kohlberg, Scott Fendley, David Tulo,
(Senior Network Forensics Engineer), Joe Stewart (GCIH, Senior Security
Researcher LURHQ) and Eric Jacobsen - snort signature.
We would also like to extend a big thanks for all of the other ISC
participants who took the time this week to submit their reports of suspicious
activity, files of suspected malware and individual efforts at analysis of the
exploitation of the Microsoft vulnerabilities announced over the last 6
months!
ISC and ISC Participant analysis of MS-04-011 exploits and Sasser
information;

Handler's Diary May 1st 2004

http://isc.sans.org/diary.php?date=2004-05-01
Handler's Diary April 30th 2004
http://isc.sans.org/diary.php?date=2004-04-30
Sasser Removal Tools

Symantec W32.Sasser Removal Tool
http://www.sarc.com/avcenter/venc/data/w32.sasser.removal.tool.html

F-Secure Sasser Removal Tool

ftp://ftp.f-secure.com/anti-virus/tools/f-sasser.zip
ftp://ftp.f-secure.com/anti-virus/tools/f-sasser.exe
McAfee Sasser Removal Tool

http://vil.nai.com/vil/stinger
Microsoft's Sasser Removal Tool
http://www.microsoft.com/downloads/details.aspx?FamilyId=76C6DE7E-1B6B-4FC3-90D4-9FA42D14CC17&displaylang=en">http://www.microsoft.com/downloads/details.aspx?FamilyId=76C6DE7E-1B6B-4FC3-90D4-9FA42D14CC17&displaylang=en

"Step 4: Review Additional Technical Resources - If the cleaning tool above doesn't work for you, use the free worm removal tool available at your preferred antivirus software vendor's Web site"

AV Vendor and Other Sasser Analysis links

LURHQ analysis;
http://www.lurhq.com/sasser.html
Symantec
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.b.worm.html
RAV

http://www.rav.ro/virus/showvirus.php?v=214
http://www.rav.ro/virus/showvirus.php?v=215

F-Secure

http://www.f-secure.com/weblog/
http://www.f-secure.com/v-descs/sasser.shtml

http://www.f-secure.com/v-descs/sasser_b.shtml
McAfee

http://vil.nai.com/vil/content/v_125007.htm
http://vil.nai.com/vil/content/v_125008.htm
TREND Micro
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SASSER.A
CA
http://www3.ca.com/threatinfo/virusinfo/virus.aspx?id=39012

http://www3.ca.com/threatinfo/virusinfo/virus.aspx?id=39021

Microsoft's Sasser Warning and Tool Information

Yesterday, May 1st, <U>the</U> top announcement at Microsoft.Com was and still is - "Sasser Worm: Important Information - What to do to protect against or remove the worm - Actions you can take" (click the radio button and there's a tool for removal).
http://www.microsoft.com
"Step 3: Automatically Check For and Remove Sasser
You can use this tool to search your hard drive for and try to remove the Sasser worm and its variants. To do so, click Check My PC for Infection.

"Check my PC for Infection"

Also "Note If you'd like to run this scanning and cleaning tool manually, you can access it from the Microsoft.com Download Center"