MA-073.052004: W32.Sasser Worm
Original Issue Date: 5th May 2004
Last Updated: 7th May 2004

1.0 Description

1.1 Overview
On the 2nd May 2004, MyCERT received information and observed detects of a new Internet worm that propagates aggressively upon infection by scanning TCP port 445 and sending its payload to random IP addresses. The worm, named W32.Sasser Worm, arrives as AVSERVE.EXE on target systems; once a machine is infected, the worm opens TCP port 9996 and TCP port 5554 for its malicious activities.

The worm exploits a vulnerability in Microsoft Windows systems:
* The Local Security Authority Subsystem Service (LSASS) vulnerability released on April 13, 2004 (partly described in Microsoft Security Bulletin MS04-011 - http://www.microsoft.com/technet/security/Bulletin/MS04-011.mspx), reached over TCP port 445. The worm specifically targets Windows XP, Windows 2000 and Windows 2003 machines.

Once a host is infected, the worm attacks other vulnerable systems by overflowing a buffer in LSASS.exe on the remote host. It creates a remote shell on TCP port 9996. Next it creates an FTP script named cmd.ftp on the remote host and executes it. This FTP script instructs the target victim to download and execute the worm from the infected host, which accepts this FTP traffic on TCP port 5554. The downloaded copy has a name consisting of 4 to 5 digits followed by _up.exe (e.g. 12345_up.exe). The newly infected host displays an LSASS error and reboots. After the reboot, the worm scans random IP addresses on TCP port 445 for other active machines to infect.

1.2 Propagation
It spreads by scanning randomly selected IP addresses for vulnerable systems. The scanning is to TCP port 445 (Microsoft-DS).

1.3 Systems Affected
Systems that are vulnerable to this worm are unpatched machines running:
1.3.1 Windows XP SP1
1.3.2 Windows 2000 SP4 and below
1.3.3 Microsoft Windows 2003

1.4 Aliases
W32.Sasser.Worm (Symantec)
W32/Sasser.worm.a (McAfee)
Worm_Sasser.A (Trendmicro)

1.5 Payload
1.5.1 Causes system instability on vulnerable Windows operating systems due to the LSASS service crash.
1.5.2 Causes degradation in performance.
2.0 Technical Matters (Extracted from Symantec Anti-Virus)
When W32.Sasser.Worm runs, it does the following:

2.1 Attempts to create a mutex named Jobaka3l and exits if the attempt fails. This ensures that no more than one instance of the worm can run on the computer at any time.

2.2 Copies itself as %Windir%\avserve.exe.
Note: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.

2.3 Adds the value:
"avserve.exe"="%Windir%\avserve.exe"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the worm runs when you start Windows.
Note: The file size of avserve.exe is 15.5 kb.

2.4 Uses the AbortSystemShutdown API to hinder attempts to shut down or restart the computer.

2.5 Starts an FTP server on TCP port 5554. This server is used to spread the worm to other hosts.

2.6 Iterates through all the host IP addresses, looking for addresses that are not in any of the following ranges:
- 127.0.0.1
- 10.x.x.x
- 172.16.x.x - 172.31.x.x (inclusive)
- 192.168.x.x
- 169.254.x.x

2.7 Using one of these IP addresses, the worm then generates a random IP address:
- 52% of the time, the IP address is completely random.
- 23% of the time, the last three octets are changed to random numbers.
- 25% of the time, the last two octets are changed to random numbers.
Notes:
* An octet is an 8-bit section of an IP address. For example, if A.B.C.D is an IP address, A is the first octet, B is the second, C is the third, and D is the fourth.
* Because the worm can create completely random addresses, any IP range can be infected.
* This process is made up of 128 threads, which demands a lot of CPU time. As a result, an infected computer may become so slow that it is barely usable.

2.8 Connects to the randomly generated IP address on TCP port 445 to determine whether a remote computer is online.

2.9 If a connection is made to a remote computer, the worm sends shell code to it, which may cause it to open a remote shell on TCP port 9996.

2.10 Uses the shell on the remote computer to reconnect to the infected computer's FTP server, running on TCP port 5554, and retrieve a copy of the worm. This copy has a name consisting of four or five digits, followed by _up.exe. For example, 74354_up.exe.

2.11 The Lsass.exe process crashes after the worm exploits the Windows LSASS vulnerability. Windows displays an alert and shuts down the system in one minute.

2.12 Creates a file at C:\win.log that contains the IP address of the computer that the worm most recently attempted to infect, as well as the number of infected computers.
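The scanning and call-back sequence in 2.6 to 2.12 gives a network defender three observable signals: one source opening TCP/445 connections to many distinct addresses, connections to TCP/9996 (the shell opened on a victim), and inbound connections to TCP/5554 (the infected host's FTP server handing out the NNNNN_up.exe copy). The following Python script is an added example, not part of the original advisory or of any vendor's tooling; it runs those three checks over a few constructed firewall flow records. The log line format, the threshold of five distinct TCP/445 destinations and the sample addresses are assumptions made for the example.

```python
"""Added example: flag Sasser-like activity in constructed firewall flow records.

Heuristics follow section 2 of the advisory: TCP/445 fan-out from one source
(the 128-thread scanner), connections to TCP/9996 (victim shell), and inbound
TCP/5554 (worm FTP server). The log format here is constructed, not a real
product's.
"""
import re
from collections import defaultdict

SCAN_PORT = 445    # LSASS exploit / scanning target
SHELL_PORT = 9996  # remote shell opened on the victim
FTP_PORT = 5554    # FTP server on the already-infected host

# Constructed format (assumption): "<time> src=<ip> dst=<ip> proto=tcp dport=<port>"
FLOW_RE = re.compile(
    r"^(?P<time>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)"
    r"\s+proto=tcp\s+dport=(?P<dport>\d+)$"
)

# Constructed sample: 192.168.1.5 fans out on 445, reaches 203.0.113.7 on 9996,
# and 203.0.113.7 fetches the worm back from 192.168.1.5:5554. 192.168.1.9 is a
# normal client talking to a single file server on 445.
SAMPLE_LOG = """\
10:01:02 src=192.168.1.5 dst=203.0.113.7 proto=tcp dport=445
10:01:02 src=192.168.1.5 dst=198.51.100.23 proto=tcp dport=445
10:01:02 src=192.168.1.5 dst=198.51.100.77 proto=tcp dport=445
10:01:03 src=192.168.1.5 dst=203.0.113.250 proto=tcp dport=445
10:01:03 src=192.168.1.5 dst=192.0.2.14 proto=tcp dport=445
10:01:03 src=192.168.1.5 dst=192.0.2.99 proto=tcp dport=445
10:01:04 src=192.168.1.5 dst=203.0.113.7 proto=tcp dport=9996
10:01:05 src=203.0.113.7 dst=192.168.1.5 proto=tcp dport=5554
10:02:00 src=192.168.1.9 dst=192.168.1.20 proto=tcp dport=445
this line is not a flow record
""".splitlines()


def parse_flow(line):
    """Return a dict for one flow line, or None if the line does not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return {"time": m["time"], "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}


def detect_sasser(lines, scan_threshold=5):
    """Map each suspicious host to a list of reasons.

    scan_threshold is the number of distinct TCP/445 destinations from one
    source at which it is reported as a scanner (chosen for this example;
    tune it to the site's normal SMB fan-out).
    """
    scan_targets = defaultdict(set)   # src -> distinct 445 destinations
    shell_targets = defaultdict(set)  # src -> hosts it reached on 9996
    ftp_clients = defaultdict(set)    # dst (FTP server) -> hosts fetching on 5554

    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue  # skip malformed records rather than abort the run
        if flow["dport"] == SCAN_PORT:
            scan_targets[flow["src"]].add(flow["dst"])
        elif flow["dport"] == SHELL_PORT:
            shell_targets[flow["src"]].add(flow["dst"])
        elif flow["dport"] == FTP_PORT:
            ftp_clients[flow["dst"]].add(flow["src"])

    findings = defaultdict(list)
    for src, dsts in scan_targets.items():
        if len(dsts) >= scan_threshold:
            findings[src].append(f"tcp/445 fan-out to {len(dsts)} distinct hosts")
    for src, dsts in shell_targets.items():
        findings[src].append(f"connected to tcp/9996 remote shell on {len(dsts)} host(s)")
    for server, clients in ftp_clients.items():
        findings[server].append(f"served tcp/5554 to {len(clients)} host(s)")
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in sorted(detect_sasser(SAMPLE_LOG).items()):
        print(host, "->", "; ".join(reasons))
```

The 5554 finding is attributed to the destination, because in the sequence described in 2.10 the host serving the file is the one already infected and the connecting host is the new victim; the 9996 finding is attributed to the source for the same reason. A real deployment would apply the fan-out count per time window rather than over the whole file.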
3.0 Possible Steps

3.1 Prevention

3.1.1 Network Filtering
Sites are encouraged to block incoming and outgoing traffic on port 445/TCP, port 9996/TCP and port 5554/TCP at network gateways, except for hosts that require those services.

3.1.2 System/Host
It is strongly recommended that all machines be patched with the Microsoft LSASS patch (Microsoft Security Bulletin MS04-011) to prevent propagation of the worm. The patch can be downloaded at:
http://www.microsoft.com/technet/security/Bulletin/MS04-011.mspx
Systems/hosts should also run a personal firewall to block port 445/TCP.
Note: Windows XP machines already include the Internet Connection Firewall (ICF).

3.2 Detection
You may scan your machine with updated anti-virus software to detect the presence of the worm. A list of anti-virus vendors is available at:
http://www.mycert.org.my/en/resources/malware/av_sites/main/detail/528/index.html
System administrators can also download the following tools to detect any system/host in their network that is vulnerable to the W32.Sasser worm:
Foundstone DSScan V1.0
http://www.foundstone.com/resources/proddesc/dsscan.htm
eEye Retina Sasser Audit Tool
http://www.eeye.com/html/Research/Tools/Download.asp?file=RetinaSasser
3.3 Removal and Recovery
There are two ways of removal: using an automatic removal tool, or manual removal. Regardless of which option is chosen, the host must be patched to avoid reinfection. Below are the recommended procedures:

3.3.1 Automatic Removal Tool (This method is the easiest way to clean up the worm)

3.3.1.1 Disconnect the infected machine from the network.

3.3.1.2 Disable System Restore for Windows XP.
- Click Start.
- Right-click My Computer, and then click Properties.
- Click the System Restore tab.
- Select the "Turn off System Restore" or "Turn off System Restore on all drives" check box.

3.3.1.3 Apply the latest Service Packs.
- For Windows 2000 apply SP4
- For Windows XP apply SP1a
Service Pack 4 for Windows 2000 can be downloaded at:
http://www.microsoft.com/windows2000/downloads/servicepacks/sp4/default.asp
Service Pack 1a for Windows XP can be downloaded at:
http://www.microsoft.com/windowsxp/pro/downloads/servicepacks/sp1/default.asp
Note: If your machine is already running the latest service pack, then you may skip this step.

3.3.1.4 Apply the Microsoft Security Bulletin MS04-011 patch. The MS04-011 patch can be downloaded at:
http://www.microsoft.com/technet/security/Bulletin/MS04-011.mspx

3.3.1.5 You may download an automatic removal tool, which detects and removes the worm, from the following anti-virus vendors:
Symantec
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html
McAfee
http://vil.nai.com/vil/stinger/
Trend Micro
http://www.trendmicro.com/download/dcs.asp
Microsoft
http://www.microsoft.com/downloads/details.aspx?FamilyID=76c6de7e-1b6b-4fc3-90d4-9fa42d14cc17&displaylang=en

3.3.1.6 Enable System Restore for Windows XP.

3.3.1.7 Re-connect the machine to the network.

3.3.2 Manual Removal

3.3.2.1 Disconnect the infected machine from the network.

3.3.2.2 Disable System Restore for Windows XP.
- Click Start.
- Right-click My Computer, and then click Properties.
- Click the System Restore tab.
- Select the "Turn off System Restore" or "Turn off System Restore on all drives" check box.

3.3.2.3 Apply the latest Service Packs.
- For Windows 2000 apply SP4
- For Windows XP apply SP1
Service Pack 4 for Windows 2000 can be downloaded at:
http://www.microsoft.com/windows2000/downloads/servicepacks/sp4/default.asp
Service Pack 1a for Windows XP can be downloaded at:
http://www.microsoft.com/windowsxp/pro/downloads/servicepacks/sp1/default.asp
Note: If your machine is already running the latest service pack, then you may skip this step.

3.3.2.4 Apply the Microsoft Security Bulletin MS04-011 patch. The MS04-011 patch can be downloaded at:
http://www.microsoft.com/technet/security/Bulletin/MS04-011.mspx

3.3.2.5 Terminate the malicious processes that are running.

3.3.2.5.1 Terminating the processes. Press Ctrl+Alt+Delete and click 'Task Manager'. Click the Processes tab. Scroll through the list, look for the following processes and click 'End Process' for each:
- 'avserve.exe'
- Any process with a name consisting of four or five digits, followed by _up.exe (for example, 12345_up.exe).
Note: Each of the malicious files is 15.5 kb in size.
Exit the 'Task Manager'.

3.3.2.5.2 Delete the malicious files in the Windows directory. Delete the AVSERVE.EXE and (4-5 random digits)_UP.EXE files from the WINDOWS directory. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
Example: C:\Windows\System32\12345_up.exe
The malicious file size is 15.5 kb.

3.3.2.5.3 Delete the registry value dropped by the worm.
Note: Prior to editing your registry, make sure you save/back up your registry.
a. Click Start, and then click Run.
b. Type regedit and click OK. (The Registry Editor opens.)
c. Navigate to the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
d. In the right panel, delete the value:
"avserve.exe"="%Windir%\avserve.exe"
e. Exit the Registry Editor.

3.3.2.6 Enable System Restore for Windows XP.

3.3.2.7 Re-connect the machine to the network.
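The host indicators given in 2.2, 2.3, 2.10 and 2.12 (avserve.exe, the NNNNN_up.exe copy, the Run-key value and C:\win.log) can be checked on a machine before the manual steps above and again afterwards to confirm the cleanup. The following Python script is an added example, not part of this advisory or of any vendor tool; it matches a constructed file listing and constructed Run-key contents against those indicators. The sample paths, the Run-key values, the size tolerance and the reading of the advisory's 15.5 kb as 15,872 bytes are assumptions made for the example.

```python
"""Added example: match a host's file listing and Run-key values against the
Sasser indicators in sections 2 and 3.3.2 of this advisory.

Inputs are constructed (path, size) tuples and a dict of Run-key values rather
than live filesystem/registry access, so the check runs offline on any OS.
"""
import re

WORM_MAIN = "avserve.exe"                                        # section 2.2
WORM_COPY_RE = re.compile(r"^\d{4,5}_up\.exe$", re.IGNORECASE)   # section 2.10
WORM_LOG = r"c:\win.log"                                         # section 2.12
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"  # 2.3
ADVISORY_SIZE_BYTES = int(15.5 * 1024)  # advisory says 15.5 kb; assumption: KiB

# Constructed listing: two worm artefacts, the status log, a legitimate binary
# and a near-miss name (only three digits) that must not match.
SAMPLE_FILES = [
    (r"C:\Windows\avserve.exe", 15872),
    (r"C:\Windows\System32\12345_up.exe", 15872),
    (r"C:\win.log", 48),
    (r"C:\Windows\notepad.exe", 69120),
    (r"C:\Windows\System32\123_up.exe", 15872),
]

# Constructed Run-key contents: the worm's persistence value plus a normal one.
SAMPLE_RUN_VALUES = {
    "avserve.exe": r"%Windir%\avserve.exe",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}


def size_matches_advisory(size_bytes, tolerance=512):
    """True if size is within tolerance of the 15.5 kb the advisory reports."""
    return abs(size_bytes - ADVISORY_SIZE_BYTES) <= tolerance


def check_files(entries):
    """Return [(path, reason)] for entries matching a file indicator."""
    hits = []
    for path, size in entries:
        name = path.rsplit("\\", 1)[-1].lower()
        if name == WORM_MAIN:
            reason = "worm executable name (2.2)"
        elif WORM_COPY_RE.match(name):
            reason = "downloaded copy pattern NNNNN_up.exe (2.10)"
        elif path.lower() == WORM_LOG:
            reason = "worm status log (2.12)"
        else:
            continue
        # The advisory gives one size for the executables; a mismatch is worth
        # noting but does not clear the file, since the name alone is suspicious.
        if name.endswith(".exe") and not size_matches_advisory(size):
            reason += "; size differs from the 15.5 kb in the advisory"
        hits.append((path, reason))
    return hits


def check_run_values(values):
    """Return Run-key value names whose name or data points at avserve.exe (2.3)."""
    return sorted(
        name for name, data in values.items()
        if name.lower() == WORM_MAIN or data.lower().endswith("\\" + WORM_MAIN)
    )


if __name__ == "__main__":
    for path, reason in check_files(SAMPLE_FILES):
        print("FILE", path, "-", reason)
    for name in check_run_values(SAMPLE_RUN_VALUES):
        print("REG ", RUN_KEY, "->", name)
```

On a live host the same functions would be fed a listing of %Windir% and %Windir%\System32 and the values exported from the Run key. The checks are name-based, so a copy of the worm under a different name is not caught; the anti-virus scan in 3.2 remains necessary.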
4.0 More Information
More information on this worm can be obtained from the following sites:

4.1 Symantec
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.b.worm.html

4.2 McAfee
http://vil.nai.com/vil/content/v_125007.htm
http://vil.nai.com/vil/content/v_125008.htm
http://vil.nai.com/vil/content/v_125009.htm
http://vil.nai.com/vil/content/v_125012.htm

4.3 Trendmicro
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SASSER.A
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SASSER.B

4.4 eEye Digital Security
http://www.eeye.com/html/Research/Advisories/AD20040413C.html
http://www.eeye.com/html/Research/Advisories/AD20040501.html