There is a new, very dangerous, virus circulating on the Internet. It's called the Sasser Worm. I have included the information below right from Microsoft's web site. It has links to all the popular Anti-Virus sites and instructions on how to protect your computer from this very destructive worm.
SEVERITY: CRITICAL
DATE: May 1, 2004
UPDATED: May 5, 2004
The PSS Security Team is updating this alert to make customers aware of the W32.Sasser.worm and its variants. Currently, Microsoft is aware of the original Sasser worm and the B, C and D variants. All worms exploit the Local Security Authority Subsystem Service (LSASS) vulnerability fixed in Microsoft Security Update MS04-011 on April 13, 2004.
Microsoft encourages customers to protect themselves against this worm by installing Microsoft Security Bulletin MS04-011 <www.microsoft.com/technet/security/bulletin/ms04-011.mspx> immediately.
PRODUCTS AFFECTED: Windows 2000, Windows XP
IMPACT OF ATTACK: Remote Execution of Code
TECHNICAL DETAILS:
For the latest technical updates from Microsoft on the Sasser worm and its variants, view the following:
View the on-demand version of the 9:00 AM PDT May 4, 2004 Microsoft Technical Update Webcast on the Sasser Worm:
For additional details on this worm from antivirus software vendors participating in the Microsoft Virus Information Alliance (VIA), please visit the following websites:
For more information on Microsoft's Virus Information Alliance please visit this link:
http://www.microsoft.com/technet/security/topics/virus/via.mspx
Please contact your Antivirus Vendor for additional details on this virus.
PREVENTION:
Install the latest Microsoft Security Bulletin MS04-011
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
Those who have enabled the Windows XP Firewall are protected from the vector this worm attacks, which is TCP Port 445. Most third party firewalls also block this attack vector by default.
In addition, Internet Security and Acceleration (ISA) Server scripts have been posted that explicitly block traffic related to the Sasser worm from entering into or exiting from a network whose Internet traffic is controlled by either ISA Server 2000 or ISA Server 2004.
For more information and to obtain these scripts, please go to http://isatools.org and obtain the following scripts:
ISA 2000: block_sasser.vbs
ISA 2004: block_sasser_2k4.vbs
RECOVERY:
If your computer has been infected with this virus you should first take the following step to protect against future infection:
To protect against future infections install Microsoft Security Bulletin MS04-011 <www.microsoft.com/technet/security/bulletin/ms04-011.mspx> immediately.
Once you have applied the update to prevent against future infection, you can then take steps to clean your system from the current infection. To clean your system from the current infection, please contact your preferred antivirus vendor or refer to Microsoft's cleaning tool. Currently, Microsoft's cleaning tool successfully removes the original Sasser worm and the B, C and D variants.
If your computer is vulnerable to the worm, the worm may cause LSASS.EXE to crash which will force the operating system to shutdown after 60 seconds. This shutdown can be aborted on Windows XP systems by using the built-in shutdown.exe -a command. This shutdown can NOT be aborted on Windows 2000 systems.
On Windows 2000 systems, to prevent LSASS.EXE from crashing (thereby restarting the operating system) unplug the network cable (or disable the network adapter before LSASS.EXE crashes) and then perform any one of the following steps to prevent the worm from crashing LSASS.EXE:
1. Create a file called %systemroot%\debug\dcpromo.log and make the file read-only. To do this, type the following command:
   echo dcpromo >%systemroot%\debug\dcpromo.log & attrib +r %systemroot%\debug\dcpromo.log
   NOTE: This is the most effective mitigation technique as it completely mitigates this vulnerability by causing the vulnerable code to never be executed. This work-around will work for packets sent to any vulnerable port.
2. Enable advanced TCP/IP filtering on all adapters to block all unsolicited inbound TCP packets.
   This is an alternate mitigation technique that can be used to block all attempts to exploit the vulnerability via the TCP protocol. This will not prevent malformed UDP packets from reaching a vulnerable port and does not completely block the vulnerability like the steps outlined above.
3. Temporarily stop the server service by typing the following command line: net stop server /y
   NOTE: This technique will only block exploit attempts that occur via TCP 139 and 445.
If the machine is currently infected with the Sasser worm it may start flooding the local network connection as soon as the cable is plugged back in, making it impossible to download updates. To temporarily disable the worm use Task Manager to kill the following processes:
- End any process beginning with 4 or more numbers and _up.exe (for example, 12345_up.exe)
- End any process starting with avserve (for example, avserve.exe, avserve2.exe)
- End any process named skynetave.exe
- End any process named hkey.exe
- End any process named msiwin84.exe
- End any process named wmiprvsw.exe
  NOTE: Do not end the process named wmiprvse.exe; it is a legitimate system process.
After stopping the worm processes you should be able to download the security update and a Sasser removal tool.
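As an added example (not part of the Microsoft alert or the original post), the process-name rules from the list above expressed as a small Python triage helper: it flags image names matching the Sasser indicators and deliberately leaves the legitimate wmiprvse.exe alone. The process listing it runs over is constructed for illustration, not captured from a real host.

```python
import re

# Indicator rules transcribed from the PSS recovery steps above.
# Matching is case-insensitive because Windows image names are.
NUMBERED_UP = re.compile(r"^\d{4,}_up\.exe$")          # e.g. 12345_up.exe (4 or more digits)
EXACT_NAMES = {"skynetave.exe", "hkey.exe", "msiwin84.exe", "wmiprvsw.exe"}
LEGITIMATE_LOOKALIKE = "wmiprvse.exe"                    # Windows WMI provider host; must be kept


def is_sasser_process(image_name: str) -> bool:
    """Return True if the image name matches one of the advisory's Sasser indicators."""
    name = image_name.strip().lower()
    if name == LEGITIMATE_LOOKALIKE:
        return False                      # one letter away from wmiprvsw.exe; never end it
    if name in EXACT_NAMES:
        return True
    if name.startswith("avserve"):        # avserve.exe, avserve2.exe, ...
        return True
    return NUMBERED_UP.match(name) is not None


def triage(process_list):
    """Split a process list into (to_end, keep), preserving order and original spelling."""
    to_end = [p for p in process_list if is_sasser_process(p)]
    keep = [p for p in process_list if not is_sasser_process(p)]
    return to_end, keep


# Constructed sample Task Manager listing (not captured from a real host).
SAMPLE_PROCESSES = [
    "System", "lsass.exe", "svchost.exe", "explorer.exe",
    "wmiprvse.exe",      # legitimate system process, must stay
    "WMIPRVSW.EXE",      # worm process in upper-case spelling
    "avserve2.exe",      # worm process, "starts with avserve" rule
    "12345_up.exe",      # worm process, "4 or more numbers and _up.exe" rule
    "123_up.exe",        # only three digits: does not match the rule
    "hkey.exe",          # worm process, exact-name rule
]

if __name__ == "__main__":
    to_end, keep = triage(SAMPLE_PROCESSES)
    print("End in Task Manager:", to_end)
    print("Leave running:      ", keep)
```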
PSS Security Response Team