Description
Win32.Sasser.A is a worm that spreads by exploiting a vulnerability in the LSASS service on Windows 2000, XP and Server 2003. It is a 15,872-byte executable, packed with PECompact.
Method of Infection
When executed, Sasser.A copies itself to:
%Windows%\avserve.exe
and modifies the registry to ensure that this copy is executed at each Windows start:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\avserve.exe = "%Windows%\avserve.exe"
Note: '%Windows%' is a variable location. The worm determines the location of the current Windows folder by querying the operating system. The default installation location for the Windows directory on Windows 2000 and NT is C:\Winnt; on 95, 98 and ME it is C:\Windows; and on XP it is C:\Windows.
The worm also creates a mutex called "Jobaka3l" to ensure only one copy of the worm is running on the system.
Method of Distribution
Via Exploit
Sasser.A scans random IP addresses, attempting to connect to each on TCP port 445. If the connection succeeds, it then attempts to exploit the "Microsoft Windows LSASS buffer overflow vulnerability". For more information on this vulnerability, please see:
http://www3.ca.com/threatinfo/vulninfo/vuln.aspx?ID=27886
The Microsoft security bulletin for this vulnerability is available here:
http://www.microsoft.com/technet/security/Bulletin/MS04-011.mspx
Microsoft have also published some additional instructions for dealing with this threat here: http://www.microsoft.com/security/incident/sasser.asp
The worm uses this to open a remote shell, listening on port 9996. It connects to this port and uses the shell to create an ftp script called "cmd.ftp" on the remote machine. This file is created in the System directory.
Sasser.A runs a basic ftp server on each infected machine, on port 5554. It runs ftp.exe on the target system, using the ftp script to download the worm executable. The executable is saved in the System directory with the file name "<random number>_up.exe". For example:
C:\WINDOWS\system32\12756_up.exe
C:\WINDOWS\system32\10831_up.exe
As a side effect of infection, the LSASS service may crash, displaying a message similar to the following:

The worm creates 128 threads to scan for vulnerable systems, and logs IP addresses it has infected to the file c:\win.log.
For each of these threads, there is a 50% chance it will generate completely random IP addresses. There is a 25% chance it will generate addresses with the first octet the same as the host, and a 25% chance it will use the first two octets from the host address. The worm is capable of scanning more than 200 addresses per second.
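The artifacts listed under Method of Infection and Method of Distribution (the avserve.exe copy and its Run key, the "Jobaka3l" mutex, the <random number>_up.exe and cmd.ftp files in the System directory, c:\win.log, and the listeners on TCP 5554 and 9996) can be turned into a host triage check. The script below is an added example for this page, not CA's cleaning utility or any code from the advisory. It assumes host telemetry has already been exported into plain Python structures (registry values, file paths, mutex names, listening sockets); the two host records at the bottom are constructed sample data.

```python
"""Triage exported host telemetry against the Sasser.A indicators in this advisory.

Added example (not CA's utility). Input shape is an assumption: a dict with
"registry" [(key, value_name, data)], "files" [path], "mutexes" [name] and
"sockets" [(proto, local_port, state)] entries, as a collection script would export.
"""
import re

# --- Indicators taken from the advisory text ---------------------------------
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "avserve.exe"
MUTEX_NAME = "Jobaka3l"
# %Windows% is resolved at run time, so only the tail of each path is matched.
WORM_COPY = re.compile(r"(?i)\\avserve\.exe$")
UPLOAD_COPY = re.compile(r"(?i)\\system32\\\d+_up\.exe$")
FTP_SCRIPT = re.compile(r"(?i)\\system32\\cmd\.ftp$")
SCAN_LOG = re.compile(r"(?i)^c:\\win\.log$")
LISTENERS = {5554: "worm ftp server (port 5554)", 9996: "remote shell (port 9996)"}
# Finding classes strong enough on their own to call the host infected.
PRIMARY = ("autorun", "worm copy", "mutex", "listener")


def check_registry(values):
    """Flag the Run value that restarts the worm copy at each Windows start."""
    hits = []
    for key, name, data in values:
        if (key.lower() == RUN_KEY.lower() and name.lower() == RUN_VALUE_NAME
                and WORM_COPY.search(str(data))):
            hits.append(f"autorun: {key}\\{name} = {data}")
    return hits


def check_files(paths):
    """Flag the worm copy, downloaded bodies, the ftp script and the scan log."""
    hits = []
    for p in paths:
        if WORM_COPY.search(p):
            hits.append(f"worm copy: {p}")
        elif UPLOAD_COPY.search(p):
            hits.append(f"downloaded worm body: {p}")
        elif FTP_SCRIPT.search(p):
            hits.append(f"ftp script: {p}")
        elif SCAN_LOG.search(p):
            hits.append(f"scan log: {p}")
    return hits


def check_mutexes(names):
    """Flag the single-instance mutex the worm creates."""
    return [f"mutex: {n}" for n in names if n == MUTEX_NAME]


def check_listeners(sockets):
    """Flag the worm's ftp server and remote shell listening ports."""
    hits = []
    for proto, port, state in sockets:
        if proto.upper() == "TCP" and state.upper() == "LISTENING" and port in LISTENERS:
            hits.append(f"listener: {LISTENERS[port]}")
    return hits


def triage(host):
    """Return a verdict plus the individual findings for one host record."""
    findings = (check_registry(host.get("registry", []))
                + check_files(host.get("files", []))
                + check_mutexes(host.get("mutexes", []))
                + check_listeners(host.get("sockets", [])))
    primary = any(f.split(":")[0] in PRIMARY for f in findings)
    # Secondary-only hits (e.g. just a c:\win.log) are flagged for review, not as infected.
    verdict = "likely infected" if primary else ("review" if findings else "clean")
    return {"verdict": verdict, "findings": findings}


# Constructed sample records mirroring the artifacts described in the advisory.
SAMPLE_HOST = {
    "registry": [(RUN_KEY, "avserve.exe", r"C:\WINDOWS\avserve.exe"),
                 (RUN_KEY, "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe")],
    "files": [r"C:\WINDOWS\avserve.exe", r"C:\WINDOWS\system32\12756_up.exe",
              r"C:\WINDOWS\system32\cmd.ftp", r"C:\win.log",
              r"C:\WINDOWS\system32\notepad.exe"],
    "mutexes": ["Jobaka3l"],
    "sockets": [("TCP", 5554, "LISTENING"), ("TCP", 9996, "LISTENING"),
                ("TCP", 445, "LISTENING")],
}
CLEAN_HOST = {
    "registry": [(RUN_KEY, "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe")],
    "files": [r"C:\WINDOWS\system32\notepad.exe"],
    "mutexes": [],
    "sockets": [("TCP", 445, "LISTENING")],
}

if __name__ == "__main__":
    for label, host in (("sample", SAMPLE_HOST), ("clean", CLEAN_HOST)):
        result = triage(host)
        print(f"{label}: {result['verdict']}")
        for finding in result["findings"]:
            print("   ", finding)
```

The checks are kept separate so that each telemetry source can be fed on its own (a registry export alone, or a netstat capture alone); only the Run value, the worm copy, the mutex and the two listeners are treated as conclusive, since a stray c:\win.log or cmd.ftp could exist for other reasons and is better raised for review than declared an infection.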
Analysis by Hamish O'Dea
Recommendations
Cleaning Utility Available: clnsasser.zip, a utility that cleans a local machine affected by Win32.Sasser and its variants, is available for download.
This utility may be especially useful for those who either do not use CA Antivirus solutions, or who may be using products based on older technology that does not support system cleaning. Please view the Removal Instructions for your CA Antivirus Solution (below) to ascertain whether you require the cleaning utility.
Warning: Before running ClnSasser.com, please ensure that you carefully review the ReadMe.txt instruction file that accompanies this utility.