Viruswarn Forums
Lee Drake (Posts: 238)
05/02/2004 10:09 AM

What it is
Welcome to spring! A few weeks ago we wrote to tell you to apply an important security patch (MS04-011) that had a similar vulnerability as the one exploited by last summer's Blaster worm. A new virus, w32/Sasser, has been found and is now exploiting that vulnerability (it's a vulnerability in a little-known service, the LSASS service). Like Blaster, this one spreads directly from computer to computer, without any email vector, and has spread very quickly. If you weren't already patched or you're not behind a firewall, you're probably already infected. Once a single computer behind a firewall is infected, it will spread to other unpatched systems behind the firewall. Although a firewall will prevent the traffic (and we highly recommend a firewall), your best bet is to be sure that you have the MS04-011 patch applied to your system.
The virus creates a program on your computer, and then creates 128 threads whose only job is to find other computers with the same vulnerability. Once found, it infects these computers. Due to the sheer number of threads, it will cause your computer to be sluggish and soak up internet bandwidth at an incredible rate. Unlike Blaster, this virus will NOT reboot your machine. The virus opens up a command shell so that anyone remotely can directly access the contents of your machine, and an FTP server so that they can upload additional files to it. Any machine that is infected should be considered compromised and reviewed by a security expert to be sure that you don't have additional data or programs on your system you should not have.
What to do
If you are not yet infected and you are unpatched, you should run Windows Update and update your computer's critical updates to apply the MS04-011 patch. If you do not have a firewall, DOWNLOAD THE PATCH FROM A MACHINE THAT IS PROTECTED, and DO NOT attach your machine to the internet until you are patched. You may want to confirm the presence of this patch using the MS Baseline Security Analyzer. In general, you should ALWAYS access the internet from behind a firewall, and be sure any new computers attached behind your firewall are checked and patched prior to attaching them. We recommend that you configure the built-in Internet firewall on your workstation to be on, and/or have an additional software firewall such as ZoneAlarm, Norton Internet Security, or BlackICE.
If you are infected, you should immediately disconnect the system from the internet (literally pull the Ethernet plug) and get the system purged using updated virus software or a removal tool. There are tools to remove Sasser from your system from all the major antivirus software vendors. The links are listed below. If you are infected and are not confident about cleaning your system and being sure that you have removed all infections from it, we recommend having a professional clean your system for you.
Further references
Sasser info from Norton: http://www.sarc.com/avcenter/venc/data/w32.sasser.worm.html
Removal tool from Norton: http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html
Sasser info from McAfee: http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=125007
Stinger removal tool from McAfee: http://vil.nai.com/vil/stinger/
Sasser info from Trend Micro: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SASSER.A
Sasser removal tool from Trend Micro: http://www.trendmicro.com/download/dcs.asp
Sasser info from Microsoft: http://www.microsoft.com/security/incident/sasser.asp
MS04-011 info from Microsoft: http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
(This site includes direct download information for the patch for various operating systems)
Windows update site: http://windowsupdate.microsoft.com
Microsoft Baseline Security Analyzer: http://www.microsoft.com/technet/security/tools/mbsahome.mspx
This concludes this viruswarning notice,
Lee Drake
Aztek Computer Solutions, Inc.
274 N. Goodman St Suite B269
Rochester, NY 14607
the human side of computing
Email: ldrake@azcomputer.net
Web: www.azcomputer.net
Office Phone: 585-242-2060
Fax number: 585-242-9441
Troy Watson (Posts: 483)
05/03/2004 10:19 PM

There is a chance for system reboots. But from the cases I saw today, it appears to be on non-infected machines that are getting hammered over port 445 until the LSASS service causes a forced reboot.
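The behaviour both posts describe, an infected host's scanning threads fanning out across the LAN and neighbours "getting hammered over port 445", is something a defender can alert on from firewall logs alone. The following is an added example, not code from either post or from Viruswarn; the log line format, the threshold values and the sample entries are all constructed for illustration.

```python
"""Flag worm-style scanning of TCP port 445 (the LSASS/SMB port) in firewall logs."""
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log (not real data); the format is assumed too:
#   <ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>
# 192.168.1.20 plays an infected host probing twelve neighbours on 445 within
# twelve seconds; 192.168.1.30 is a normal client talking to one file server.
SAMPLE_LOG = "\n".join(
    [f"2004-05-02T10:00:{i:02d} 192.168.1.20 -> 192.168.1.{100 + i}:445 DENY"
     for i in range(12)]
    + ["2004-05-02T10:00:05 192.168.1.30 -> 192.168.1.5:445 ALLOW",
       "2004-05-02T10:00:20 192.168.1.30 -> 192.168.1.5:445 ALLOW",
       "2004-05-02T10:00:40 192.168.1.30 -> 192.168.1.5:445 ALLOW",
       "2004-05-02T10:00:41 192.168.1.40 -> 192.168.1.5:139 ALLOW"]
)

def parse_line(line):
    """Split one log line into (timestamp, src_ip, dst_ip, dst_port, action)."""
    ts, src, _arrow, dst, action = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port), action

def find_port445_scanners(log_text, window_seconds=60, min_targets=10):
    """Return {src_ip: distinct_targets} for every source that reached at
    least `min_targets` distinct destinations on TCP/445 inside some sliding
    window of `window_seconds`. A client repeatedly hitting one file server
    never trips this; a worm fanning out across the subnet does."""
    hits_by_src = defaultdict(list)          # src_ip -> [(timestamp, dst_ip)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst_ip, port, _action = parse_line(line)
        if port == 445:
            hits_by_src[src].append((ts, dst_ip))

    suspects = {}
    for src, hits in hits_by_src.items():
        hits.sort()
        left = 0
        for right in range(len(hits)):
            # Shrink the window from the left until it spans <= window_seconds.
            while (hits[right][0] - hits[left][0]).total_seconds() > window_seconds:
                left += 1
            targets = {dst for _, dst in hits[left:right + 1]}
            if len(targets) >= min_targets:
                suspects[src] = max(suspects.get(src, 0), len(targets))
    return suspects
```

Because the scanner counts distinct destinations rather than raw connection attempts, a busy but legitimate client talking to the same file server many times is not flagged, while the worm host is reported with the number of neighbours it touched.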