FRISK Software International


Summary of W32/Sasser.A
Alias: W32.Sasser.Worm
Discovered: 1 May 2004
Definition files: 1 May 2004
Risk Level: Medium
Distribution: Medium
Infection Method: Distributes itself by attempting to remotely exploit a buffer overflow vulnerability in LSASS (Local Security Authority Subsystem Service) that was addressed in Microsoft Security Bulletin MS04-011. This vulnerability affects Windows 2000, Windows XP and Windows Server 2003.

Brief Description
W32/Sasser.A is a network-based worm that spreads by exploiting a vulnerability in LSASS (Local Security Authority Subsystem Service) that was addressed in Microsoft Security Bulletin MS04-011.

W32/Sasser.A copies itself to the current Windows directory under the name "avserve.exe".

It creates the following registry value to ensure that the worm is automatically executed upon each Windows startup:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
value name: "avserve.exe" data: "%windir%\avserve.exe"
(where %windir% translates to the relevant Windows directory).

W32/Sasser.A opens an FTP-like service on TCP port 5554, from which a newly compromised system retrieves a copy of the worm.

The worm scans for new hosts using semi-randomly generated IP addresses. This scanning routine generates excessive network traffic and slows the infected system down considerably. The worm attempts to identify the remote system by initiating a connection to TCP port 445; the result of this identification determines whether, and how, the worm attempts to exploit the remote system. If exploitation succeeds, a remote shell is opened on TCP port 9996, through which a copy of the worm is transferred to the new victim.


Technical Description
W32/Sasser.A is a network-based worm, written in C++ and compressed with PECompact v2. It spreads by attempting to exploit a vulnerability in LSASS (Local Security Authority Subsystem Service) that was addressed in Microsoft Security Bulletin MS04-011.

Upon execution, W32/Sasser.A retrieves the path of the Windows directory on the system and copies itself to that location under the name "avserve.exe". To ensure that the worm is automatically executed upon each Windows startup, it creates the following registry value:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
value name: "avserve.exe" data: "%windir%\avserve.exe" (where %windir% translates to the relevant Windows directory).

The worm creates a mutex named "Jobaka3l". If that mutex already exists, the worm exits, so that only one instance runs at a time.

After this, the execution of W32/Sasser.A branches out. The main thread creates one thread that starts an FTP-like service on port 5554, and 128 instances of another thread that scans for vulnerable hosts. Having created these threads, the main thread loops, calling the Windows API function AbortSystemShutdown every three seconds. This function cancels any system shutdown that has been initiated, so the worm keeps running while a shutdown is being attempted.

The FTP-like service on port 5554 serves a copy of the worm to newly compromised systems. It simulates an FTP server to the extent that a normal FTP client, such as the one present by default on Windows systems, can log in and retrieve a copy of the worm.

Note: the input parsing routine of the FTP component lacks a proper bounds check, so the worm's own FTP service contains a buffer overflow vulnerability. When exploited, it can either crash the W32/Sasser.A process or cause it to execute arbitrary code.

W32/Sasser.A scans for new hosts to infect using 128 instances of the same scanning routine, which generates excessive network traffic on compromised systems. To generate an IP address to connect to, the worm retrieves the current IP address of the system, walks through each octet and, depending on the outcome of certain calculations and random factors, derives a new IP address to connect to.

Once a new IP address has been generated, the worm tries to connect to that system on port 445. The first packets sent are an attempt to fingerprint the remote system; the result determines both whether the worm attempts to exploit the host and how the actual attack is conducted.

If the remote system is determined to be a possible target, the worm initiates a new connection, this time attempting to exploit the remote host. If the attack is successful, a shell is spawned on the remote host on port 9996. Through this shell a copy of the worm is transferred to the compromised system.
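The propagation sequence above leaves a distinctive footprint on the network: a burst of port 445 connection attempts to many addresses from one host, a follow-up connection to port 9996 on one of the swept hosts, and that host connecting back to port 5554 on the attacker to fetch the worm. The following Python detector, an added example that is not part of the FRISK analysis, applies that pattern to a connection log. The log format, the addresses in the constructed sample and the thresholds are assumptions made for the example.

```python
"""Flag hosts showing the W32/Sasser.A propagation pattern in connection logs.

Added example (not part of the FRISK description). The log format is
constructed for this example: one TCP connection attempt per line, in the
form '<ISO time> <src> -> <dst>:<dport>'. Thresholds are assumptions to tune.
"""
from collections import defaultdict
from datetime import datetime

SCAN_PORT = 445        # fingerprint and LSASS exploit go to TCP/445
SHELL_PORT = 9996      # shell spawned on a successfully exploited host
FTP_PORT = 5554        # worm's FTP-like service on the attacking host
SCAN_THRESHOLD = 20    # distinct 445 targets within WINDOW_SECONDS (assumed)
WINDOW_SECONDS = 60


def parse_line(line):
    """'2004-05-01T10:00:05 192.168.1.20 -> 192.168.1.105:445' -> tuple."""
    ts, rest = line.split(" ", 1)
    src, dst_port = rest.split(" -> ")
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port)


def detect_sasser_propagation(lines):
    """Return {source: finding} for hosts that sweep port 445 and then reach
    port 9996 on a swept host; also record which of those victims connected
    back to the source's port 5554 to fetch the worm."""
    events = sorted(parse_line(l) for l in lines if l.strip())
    by_src = defaultdict(list)              # src -> [(ts, dst, port)]
    for ts, src, dst, port in events:
        by_src[src].append((ts, dst, port))

    findings = {}
    for src, evs in by_src.items():
        scan_hits = [(ts, dst) for ts, dst, port in evs if port == SCAN_PORT]
        # Sliding window over time-ordered 445 attempts, counting distinct
        # destinations: a file-server client talks to a few hosts, a worm
        # to many within seconds.
        scanning, lo = False, 0
        for hi in range(len(scan_hits)):
            while (scan_hits[hi][0] - scan_hits[lo][0]).total_seconds() > WINDOW_SECONDS:
                lo += 1
            if len({d for _, d in scan_hits[lo:hi + 1]}) >= SCAN_THRESHOLD:
                scanning = True
                break
        if not scanning:
            continue
        scanned = {d for _, d in scan_hits}
        shells = sorted({d for _, d, p in evs if p == SHELL_PORT and d in scanned})
        # Victims fetching the payload back from this host's FTP-like service
        fetched = sorted(v for v in shells
                         if any(d == src and p == FTP_PORT for _, d, p in by_src.get(v, [])))
        findings[src] = {"scanned": len(scanned),
                         "shell_targets": shells,
                         "fetched_payload": fetched}
    return findings


def sample_log():
    """Constructed traffic: one infected host sweeping part of a /24, one
    benign workstation using two file servers, and one victim calling back."""
    lines = [f"2004-05-01T10:00:{i:02d} 192.168.1.20 -> 192.168.1.{100 + i}:445"
             for i in range(30)]
    lines.append("2004-05-01T10:00:35 192.168.1.20 -> 192.168.1.117:9996")
    lines.append("2004-05-01T10:00:36 192.168.1.117 -> 192.168.1.20:5554")
    lines += [f"2004-05-01T10:01:{i:02d} 192.168.1.30 -> 192.168.1.1{i % 2}:445"
              for i in range(6)]
    return lines


if __name__ == "__main__":
    for host, info in detect_sasser_propagation(sample_log()).items():
        print(host, info)
```

The 445 sweep alone is the high-volume signal and is enough to quarantine a host; the 9996 and 5554 connections confirm a successful exploit and identify which scanned host actually became a victim, which is what an incident responder needs to scope the cleanup.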


Removal Instructions
To remove W32/Sasser.A from an infected system, follow these steps:

Install the security update released by Microsoft (KB 835732) that addresses the vulnerability exploited by the W32/Sasser.A worm. This security patch is available through the Microsoft Windows Update page. Until the patch is installed, a cleaned system can be reinfected from the network at any time.

Open the Task Manager (accessible by pressing the 'ctrl - alt - delete' sequence once, then choosing 'Task Manager'). In the 'Windows Task Manager' window, click the 'Processes' tab and look for a process named 'avserve.exe'. If it is running, right-click the process and choose 'End Process'. This terminates W32/Sasser.A in memory.

Scan the computer with F-Prot Antivirus, which will locate and remove any instances of W32/Sasser.A present on your computer. For manual disinfection, open 'My Computer' and go to the current Windows directory on your system (on most systems, either C:\WINNT or C:\WINDOWS). Look for a file named 'avserve.exe'. This file is shown with a size of 16 KB in Explorer. Delete the file from the Windows directory.

To remove the registry entry created by W32/Sasser.A, open 'regedit' or 'regedt32'. Navigate to [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]. Under that key there should be a value named 'avserve.exe' with data '%windir%\avserve.exe' (where %windir% translates to the path of your current Windows directory). Delete this value by right-clicking it and choosing 'Delete'.

Once the steps above have been completed, reboot your system.
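The same steps, scripted for a fleet rather than one desktop, as an added example that is neither FRISK's nor Microsoft's tool. The decision logic is kept in a pure function so it can be tested off-box; the collectors and the cleanup only run on Windows, need administrative rights, and assume the indicators are exactly those listed on this page (avserve.exe in the Windows directory, a Run value launching it, the Jobaka3l mutex). The "--apply" switch and the function names are the example's own.

```python
"""Triage and clean the W32/Sasser.A host indicators from the steps above.

Added example (not FRISK's or Microsoft's tool). assess_host() is pure
decision logic so it can be tested off-box; the collectors and the cleanup
only run on Windows, need administrative rights, and assume the indicators
are exactly as listed on this page. Install KB 835732 first.
"""
import os
import subprocess
import sys

WORM_FILE = "avserve.exe"
RUN_SUBKEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
MUTEX_NAME = "Jobaka3l"


def assess_host(process_names, windir_files, run_values):
    """Return the ordered cleanup actions for one host.

    process_names: image names of running processes
    windir_files:  file names in the Windows directory
    run_values:    {value name: data} under the Run key
    The process is killed before the file is deleted, because Windows will
    not delete the image of a running process."""
    actions = []
    if any(p.lower() == WORM_FILE for p in process_names):
        actions.append(("kill_process", WORM_FILE))
    if any(f.lower() == WORM_FILE for f in windir_files):
        actions.append(("delete_file", WORM_FILE))
    for name, data in run_values.items():
        # Match the value name or data pointing at the dropped file, so a
        # renamed Run value that still launches avserve.exe is caught too.
        target = data.lower().strip('"')
        if name.lower() == WORM_FILE or target.endswith("\\" + WORM_FILE):
            actions.append(("delete_run_value", name))
    return actions


def worm_mutex_held():
    """True if the Jobaka3l mutex exists, i.e. an instance is running even
    if the process image has been renamed. Windows only."""
    import ctypes
    k32 = ctypes.windll.kernel32
    k32.OpenMutexW.restype = ctypes.c_void_p
    SYNCHRONIZE = 0x00100000
    handle = k32.OpenMutexW(SYNCHRONIZE, False, MUTEX_NAME)
    if handle:
        k32.CloseHandle(ctypes.c_void_p(handle))
    return bool(handle)


def snapshot_windows_host():
    """Collect the three indicator sources on a live Windows host."""
    import winreg
    out = subprocess.run(["tasklist", "/fo", "csv", "/nh"],
                         capture_output=True, text=True).stdout
    processes = [line.split('","')[0].strip('"')
                 for line in out.splitlines() if line.strip()]
    files = os.listdir(os.environ["WINDIR"])
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_SUBKEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:          # no more values
                break
            values[name] = str(data)
            index += 1
    return processes, files, values


def apply_actions(actions):
    """Carry out the plan from assess_host() on this Windows host."""
    import winreg
    for kind, target in actions:
        if kind == "kill_process":
            subprocess.run(["taskkill", "/f", "/im", target], check=False)
        elif kind == "delete_file":
            os.remove(os.path.join(os.environ["WINDIR"], target))
        elif kind == "delete_run_value":
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_SUBKEY, 0,
                                winreg.KEY_SET_VALUE) as key:
                winreg.DeleteValue(key, target)


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("collection and cleanup run on Windows only")
    plan = assess_host(*snapshot_windows_host())
    print("mutex held:", worm_mutex_held(), "plan:", plan)
    if "--apply" in sys.argv:
        apply_actions(plan)
        print("done; reboot the system")
```

Run it once without "--apply" to see the plan and whether the mutex is held; a held mutex with no avserve.exe process means a renamed copy is running and the PID has to be found by other means before the file can be deleted.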

A step-by-step guide is offered by Microsoft at http://www.microsoft.com/security/incident/sasser.asp.

Description / analysis: Sindri Bjarnason - Virus researcher