Symantec Response to Sasser Worm – New information

Name: W32.Sasser.B@Worm
Description: W32.Sasser.B.Worm is a variant of W32.Sasser.Worm that is network aware worm that exploits the LSASS Microsoft vulnerability (MS04-011). It spreads by scanning randomly chosen IP addresses on MS systems that have not been patched. MS04-011 was announced on April 13, 2004.
Characteristics: Blended threat exploiting MS vulnerability

New information
– Indications show that the author might be same person that wrote the Netsky virus.
– Consumers and enterprise are vulnerable
– there is an email being distributed advising people on how to solve the Sasser virus, but this is a hoax email that also contains the Sasser virus. This could exasperate the problem
– there are already B,C and D variants to the original Sasser worm, which means the worm is improving significantly
– Symantec had counted at least 10,000 confirmed infections, and acknowledged that hundreds of thousands of computers have likely been infected.

Symantec advises:
Symantec recommends users update their virus definitions to protect against W32.Sasser.Worm and its variant. Symantec Security Response has developed removal tools to clean infections of W32.Sasser.Worm and W32.Sasser.B.Worm. Additionally Symantec recommends blocking TCP ports 5554, 9996 and 445 at the perimeter firewall and install the appropriate Microsoft patch (MS04-011) to prevent remote exploitation of the vulnerability.

Background about the Sasser.B worm
W32.Sasser.B.Worm attempts to exploit the LSASS vulnerability found in computers running Windows 2000 and XP. It has been impacting systems worldwide. It spreads by scanning randomly chosen IP addresses on Microsoft systems that have not been patched. W32.Sasser.B.Worm, rated by Symantec as a Level 4 threat, spreads by scanning randomly chosen IP addresses for vulnerable systems. Currently Symantec Security Response is seeing approximately 150 submissions per hour.

“Over the last several weeks Symantec Security Response has monitored a shift in malicious threat propagation,” said Alfred Huger, senior director, Symantec Security Response. “During the first several months of the year, most of the threats we tracked spread through e-mail. However, now we are tracking more threats that are exploiting vulnerabilities to spread. Users need to be diligent in patching systems, updating virus definitions and implementing best practice solutions.”

The Microsoft Windows LSASS Buffer Overrun Vulnerability was originally announced on April 13, 2004 in Microsoft Security Bulletin MS04-011. A buffer overflow vulnerability exists in the LSASS service that could allow remote code execution on an affected system. LSASS provides an interface for managing local security, domain authentication, and Active Directory processes. If the system was compromised, an attacker could gain complete control of the machine and perform actions on the affected machine similar to a user or administrator, such as erase files, steal information, etc. Exploitation may occur over TCP ports 135, 139, 445, 593 and ports greater than 1024, as well as UDP ports 135, 137, 138 and 445. More information about the LSASS vulnerability can be found at this page.

Symantec recommends users update their virus definitions to protect against W32.Sasser.Worm and its variant. Symantec Security Response has developed removal tools to clean infections of W32.Sasser.Worm and W32.Sasser.B.Worm. Additionally Symantec recommends blocking TCP ports 5554, 9996 and 445 at the perimeter firewall and install the appropriate Microsoft patch (MS04-011) to prevent remote exploitation of the vulnerability.