Description
Win32.Sasser.E is a worm that spreads by exploiting a buffer overflow vulnerability in the LSASS service (MS04-011) on Windows 2000, Windows XP and Windows Server 2003. It is a 15,872-byte executable, packed with PECompact.
Method of Infection
When executed, Sasser.E copies itself to:
%Windows%\lsasss.exe
and modifies the registry to ensure that this copy is executed at each Windows start:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsasss.exe = "%Windows%\lsasss.exe"
Note: '%Windows%' is a variable location. The worm determines the location of the current Windows folder by querying the operating system. The default installation location for the Windows directory for Windows 2000 and NT is C:\Winnt; for 95,98 and ME is C:\Windows; and for XP is C:\Windows.
The worm also creates a mutex called "SkynetNotice".
Method of Distribution
Sasser.E scans random IP addresses, attempting connections on TCP port 445. If it connects successfully, it then attempts to exploit the "Microsoft Windows LSASS buffer overflow vulnerability" (CVE-2003-0533). For more information on this vulnerability, please see:
http://www3.ca.com/threatinfo/vulninfo/vuln.aspx?ID=27886
The Microsoft security bulletin for this vulnerability is available here:
http://www.microsoft.com/technet/security/Bulletin/MS04-011.mspx
Microsoft has also published additional instructions for dealing with this threat here: http://www.microsoft.com/security/incident/sasser.asp
The worm uses this exploit to open a remote shell on the target machine, listening on TCP port 1022. It connects to this port and uses the shell to create an ftp script called "cmd.ftp" in the target's System directory. Every infected machine runs a basic ftp server on TCP port 1023; the script runs the built-in ftp.exe on the target to download the worm executable from the infecting machine's ftp server. The executable is saved in the System directory with the file name "<random number>_upload.exe". For example:
C:\WINDOWS\system32\12756_upload.exe
C:\WINDOWS\system32\10831_upload.exe
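A host-side indicator check for the artifacts listed above (the Run value, the %Windows%\lsasss.exe copy, the <random number>_upload.exe downloads, cmd.ftp, c:\ftplog.txt and the two listening ports). This is an added example for this page, not code from the original analysis. It runs over constructed inputs (a dictionary of Run values, a list of file paths and a set of listening ports) so it can be executed anywhere; gathering those inputs from a live machine is left to the reader, and the windows_dir parameter is an assumed stand-in for %Windows%.

```python
import re
from pathlib import PureWindowsPath

# Added example for this page, not code from the original analysis. Every
# indicator below is taken from the write-up; the sample inputs are constructed.
RUN_VALUE = "lsasss.exe"            # value name under HKLM\...\CurrentVersion\Run
WORM_EXE = "lsasss.exe"             # three s's; the real LSA binary is lsass.exe
FTP_SCRIPT = "cmd.ftp"
FTP_LOG = r"c:\ftplog.txt"
WORM_PORTS = {1022: "remote shell", 1023: "worm ftp server"}
UPLOAD_RE = re.compile(r"^\d+_upload\.exe$", re.IGNORECASE)


def is_upload_dropper(path):
    """True for <digits>_upload.exe in a system32 directory (e.g. 12756_upload.exe)."""
    p = PureWindowsPath(path)
    return p.parent.name.lower() == "system32" and bool(UPLOAD_RE.match(p.name))


def check_run_entries(run_entries):
    """run_entries: {value name: data} as read from the HKLM Run key."""
    hits = []
    for name, data in run_entries.items():
        if name.lower() == RUN_VALUE or PureWindowsPath(data).name.lower() == WORM_EXE:
            hits.append(f"Run value {name} = {data}")
    return hits


def check_files(paths, windows_dir=r"C:\WINDOWS"):
    """windows_dir stands in for %Windows% (assumed default; query it on a live host)."""
    hits = []
    for path in paths:
        p = PureWindowsPath(path)
        name = p.name.lower()
        if is_upload_dropper(path):
            hits.append(f"downloaded worm copy {path}")
        elif name == WORM_EXE and str(p.parent).lower() == windows_dir.lower():
            hits.append(f"installed worm {path}")
        elif name == WORM_EXE:
            hits.append(f"worm-named file outside %Windows% {path}")
        elif name == FTP_SCRIPT:
            hits.append(f"ftp download script {path}")
        elif path.lower() == FTP_LOG:
            hits.append(f"scan log {path}")
    return hits


def check_listeners(listening_ports):
    """Flag the worm's shell and ftp ports if they are listening."""
    return [f"port {p} ({WORM_PORTS[p]}) listening"
            for p in sorted(listening_ports) if p in WORM_PORTS]


def triage(run_entries, paths, listening_ports, windows_dir=r"C:\WINDOWS"):
    """All findings for one host; an empty list means no indicator matched."""
    return (check_run_entries(run_entries)
            + check_files(paths, windows_dir)
            + check_listeners(listening_ports))


# Constructed sample host data (not real output from any tool).
SAMPLE_RUN = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "lsasss.exe": r"C:\WINDOWS\lsasss.exe",
}
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\lsass.exe",          # legitimate LSA binary, must not be flagged
    r"C:\WINDOWS\lsasss.exe",
    r"C:\WINDOWS\system32\12756_upload.exe",
    r"C:\WINDOWS\system32\cmd.ftp",
    r"c:\ftplog.txt",
    r"C:\WINDOWS\system32\notepad.exe",
]
SAMPLE_PORTS = {135, 139, 445, 1022, 1023}

if __name__ == "__main__":
    for finding in triage(SAMPLE_RUN, SAMPLE_FILES, SAMPLE_PORTS):
        print(finding)
```

The name comparison is deliberately exact: the legitimate lsass.exe in system32 differs from the worm's lsasss.exe by one character, and a loose substring match would flag every healthy machine.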
As a side effect of infection, the LSASS service may crash. Because Windows treats LSASS as a critical system process, the machine then shuts down and restarts after a countdown, displaying a message like the following:

The worm creates 128 threads to scan for vulnerable systems, and logs the IP addresses it has infected to the file c:\ftplog.txt.
For each of these threads, there is a 50% chance it will generate completely random IP addresses. There is a 25% chance it will generate addresses with the first octet the same as the host's, and a 25% chance it will use the first two octets of the host's address. The worm is capable of scanning more than 200 addresses per second.
Payload
After running for approximately 2 hours, the worm may display a message box with the title "SkyNet", which contains the following message:
1. Your computer is affected by the MS04-011 vulnerability
2. It can be that dangerous computer viruses similar
the Blaster worm infect your computer
3. Please update your computer with the MS04-011 LSASS patch
from the www.microsoft.com website
4. This is an message from the SkyNet Team for
malicious activity prevention

Sasser.E deletes the following registry values, if present:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ssgrate.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\drvsys.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Drvddll_exe
Analysis by Hamish O'Dea