Monday, May 3, 2004

Sasser worm

So, yet another day and yet another worm. Only this one is not spreading via email. It is spreading by exploiting a recent vulnerability in MS Windows operating systems.

XP, 2000 and 2003 are all affected. However, if you applied the recent batch of patches which addressed 20 vulnerabilities, you are safe - well, your box and network are. If not, I'd suggest installing the updates, updating your AV and running a scan, just in case your systems are already infected.

The main problem this worm may cause is increased bandwidth usage on your network as infected hosts scan for other machines to infect. Reports of new worms are commonplace these days, most spreading via email, with the odd one like this or Blaster that exploits a vulnerability directly.

Sasser exploits a bug in the Local Security Authority Subsystem service. See the MS bulletin for more information regarding the vulnerability.

It creates the following registry key so that it runs at logon:

[SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avserve.exe" = "%WinDir%\avserve.exe"

So that only one copy of the worm is running at a time, it creates a mutex called 'Jobaka3l'.
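As an added example (this is not code from the original post), the Python script below checks a host for the two indicators just described: it parses a text export of the Run key (as produced by regedit or `reg export`) and flags the avserve.exe persistence entry, and on Windows it asks the kernel whether a mutex named Jobaka3l already exists via the Win32 CreateMutexW call, which succeeds but reports ERROR_ALREADY_EXISTS when another process owns the name. The sample export text is constructed; the Run-key path and value names come from the post.

```python
"""Check a host for Sasser persistence and mutex indicators.

Added example, not part of the original post. The .reg export below is a
constructed sample; the indicators (Run value, mutex name) are from the post.
"""
import re
import sys

SASSER_RUN_VALUE = "avserve.exe"
SASSER_MUTEX = "Jobaka3l"
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample: a regedit export of the HKLM Run key on an infected box.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\smax4pnp.exe"
"avserve.exe"="C:\\WINDOWS\\avserve.exe"
'''

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_run_values(reg_text):
    """Return {value_name: data} for string values under the Run key in a .reg export."""
    values = {}
    in_run_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            # A section header tells us which key the following values belong to.
            in_run_key = m.group(1).upper().endswith(RUN_KEY.upper())
            continue
        m = _VALUE.match(line)
        if m and in_run_key:
            # .reg files write a backslash as '\\'; undo that escaping.
            values[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return values


def find_sasser_persistence(reg_text):
    """Return [(value_name, data)] for Run entries that match the Sasser indicator.

    Both the value name and the executable's basename are compared, since either
    one alone is enough to identify the entry described in the post.
    """
    hits = []
    for name, data in parse_run_values(reg_text).items():
        exe = data.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name.lower() == SASSER_RUN_VALUE or exe == SASSER_RUN_VALUE:
            hits.append((name, data))
    return hits


def sasser_mutex_present():
    """Return True if a mutex named 'Jobaka3l' already exists on this Windows host.

    Returns None on non-Windows platforms. CreateMutexW succeeds even when the
    name is taken, so the indicator is the ERROR_ALREADY_EXISTS last-error code.
    """
    if sys.platform != "win32":
        return None
    import ctypes
    import ctypes.wintypes as wt
    ERROR_ALREADY_EXISTS = 183
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.CreateMutexW.argtypes = [ctypes.c_void_p, wt.BOOL, wt.LPCWSTR]
    kernel32.CreateMutexW.restype = wt.HANDLE
    kernel32.CloseHandle.argtypes = [wt.HANDLE]
    handle = kernel32.CreateMutexW(None, False, SASSER_MUTEX)
    exists = ctypes.get_last_error() == ERROR_ALREADY_EXISTS
    if handle:
        kernel32.CloseHandle(handle)  # release our handle; we only wanted the answer
    return exists


if __name__ == "__main__":
    for name, data in find_sasser_persistence(SAMPLE_REG_EXPORT):
        print(f"Sasser persistence entry: {name} -> {data}")
    print("Jobaka3l mutex present:", sasser_mutex_present())
```

On a real host, replace SAMPLE_REG_EXPORT with the contents of `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg`; the parser only looks at string values inside the Run key, so other sections in a larger export are ignored.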

Ports used by the worm are:

445/TCP - The worm attacks using this port
5554/TCP - FTP server, running on infected systems
9996/TCP - Remote shell opened by the exploit on vulnerable hosts
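To show how the three ports above fit together on the wire, here is an added example (not from the original post) that runs over constructed firewall log lines and flags the pattern a Sasser infection leaves: one host hitting 445/TCP on many distinct destinations, then connecting to a shell on 9996/TCP on a victim, and that victim pulling a copy from the scanner's FTP server on 5554/TCP. The log format (date, time, action, proto, src, dst, sport, dport) is an assumption; adapt parse_line() to your firewall's export.

```python
"""Flag Sasser-like scanning and follow-on connections in firewall logs.

Added example, not part of the original post. Log format and sample lines are
constructed; the port numbers are the ones listed in the post.
"""
from collections import defaultdict

SASSER_ATTACK_PORT = 445   # the worm attacks LSASS over this port
SASSER_FTP_PORT = 5554     # FTP server on infected hosts, serves the worm copy
SASSER_SHELL_PORT = 9996   # remote shell the exploit opens on a vulnerable host
SCAN_THRESHOLD = 10        # distinct 445/TCP destinations before a host counts as a scanner

# Constructed sample: 10.1.1.20 is a normal file-sharing client; 10.1.1.77 sweeps
# 10.1.2.0/24 on 445, reaches a shell on 10.1.2.9, which then fetches from 10.1.1.77:5554.
SAMPLE_LOG = (
    "2004-05-03 22:10:01 ACCEPT TCP 10.1.1.20 10.1.1.5 1034 445\n"
    "2004-05-03 22:10:01 ACCEPT TCP 10.1.1.20 10.1.1.5 1035 139\n"
    + "".join(
        f"2004-05-03 22:11:{i:02d} DROP TCP 10.1.1.77 10.1.2.{i} {1100 + i} 445\n"
        for i in range(1, 26)
    )
    + "2004-05-03 22:11:30 ACCEPT TCP 10.1.1.77 10.1.2.9 1130 9996\n"
    "2004-05-03 22:11:31 ACCEPT TCP 10.1.2.9 10.1.1.77 1200 5554\n"
)


def parse_line(line):
    """Parse one constructed-format log line into a dict."""
    date, time, action, proto, src, dst, sport, dport = line.split()
    return {"time": f"{date} {time}", "action": action, "proto": proto,
            "src": src, "dst": dst, "sport": int(sport), "dport": int(dport)}


def analyze(log_text, scan_threshold=SCAN_THRESHOLD):
    """Return a report of scanners, shell/FTP connections and likely new victims.

    Scanning is judged on distinct destinations, not packet count, so a busy
    legitimate SMB client talking to one server is not flagged.
    """
    targets_445 = defaultdict(set)
    shell_conns = []  # (src, dst): src connected to the exploit shell on dst
    ftp_conns = []    # (src, dst): src fetched from the worm's FTP server on dst
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["proto"] != "TCP":
            continue
        if rec["dport"] == SASSER_ATTACK_PORT:
            targets_445[rec["src"]].add(rec["dst"])
        elif rec["dport"] == SASSER_SHELL_PORT:
            shell_conns.append((rec["src"], rec["dst"]))
        elif rec["dport"] == SASSER_FTP_PORT:
            ftp_conns.append((rec["src"], rec["dst"]))

    scanners = {src: len(d) for src, d in targets_445.items() if len(d) >= scan_threshold}

    # A host that a scanner shelled, or that downloaded from a scanner's FTP port,
    # is the next infection: isolate and patch it before it starts sweeping too.
    victims = set()
    for src, dst in shell_conns:
        if src in scanners:
            victims.add(dst)
    for src, dst in ftp_conns:
        if dst in scanners:
            victims.add(src)

    return {
        "scanners": scanners,
        "shell_connections": shell_conns,
        "ftp_connections": ftp_conns,
        "likely_new_victims": sorted(victims),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for host, n in report["scanners"].items():
        print(f"{host}: scanned {n} hosts on 445/TCP - treat as infected")
    for host in report["likely_new_victims"]:
        print(f"{host}: reached on 9996 or fetched from 5554 - likely newly infected")
```

Inbound 445/TCP at the perimeter should already be blocked; the value of this check is inside the network, where the scan fan-out is the earliest signal and the 9996 and 5554 connections tell you which hosts to pull off the wire next.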

So get updating, if you have not already!

Post ID: 364, posted by jase at 11:14 PM