Sasser.a and Sasser.b prevention and cure

ALERT: The Sasser.a and Sasser.b worms will crash vulnerable Windows 2000 and Windows XP machines.

By Robert Vamosi

(May 3, 2004)

Sasser and its variations are network-aware worms that do not require e-mail or user interaction to spread. The worms use a bootstrap effect: a freshly exploited machine is made to fetch the full worm code from the machine that infected it. Sasser (w32.sasser.a) and Sasser.b (w32.sasser.b) are both 15,872 bytes long, and they randomly scan local networks and the Internet to look for additional systems to infect. This scanning could slow normal traffic on the Internet. Vulnerable systems are Windows 2000 and Windows XP machines that have not had the Microsoft Security Bulletin MS04-011 patch installed and that are not running desktop firewall software. Sasser does not affect any other version of Windows, nor Linux, Unix, Mac OS, or any other operating system. Because Sasser and its variations spread via the Internet and allow remote users to access your PC, this worm rates a 7 on the CNET/ZDNet Virus Meter.

How it works
Sasser takes advantage of a buffer-overrun flaw in the Local Security Authority Subsystem Service (LSASS), which allows a remote attacker to run code on, and gain control of, an unpatched system. Microsoft patched the flaw with MS04-011 on April 13, 2004.

Sasser adds a copy of itself to the Windows directory (avserve.exe for Sasser.a, avserve2.exe for Sasser.b; these are the files referenced by the Registry entries below).
It adds the following value to the system Registry:

Sasser.a: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run avserve.exe = c:\Windows\avserve.exe

Sasser.b: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run avserve2.exe = c:\Windows\avserve2.exe

This Run entry makes Windows start the worm again every time the machine boots and a user logs on, so a reboot alone does not remove it.

Sasser starts an FTP server on TCP port 5554. Meanwhile, it uses TCP port 445 to search random chunks of the Internet for additional Windows 2000 and Windows XP systems that have not patched the LSASS flaw. Sasser launches 128 threads to scan the random IP addresses, and the scanning threads use successive local ports starting with TCP port 1068. Microsoft reports that the worms use TCP port 139 as well. Ports 139 and 445 are both used by the Windows file-sharing protocol (SMB), which is why a firewall that blocks inbound connections to those two ports stops the worm from reaching LSASS.

If the Sasser worm finds a vulnerable machine on a local network or the Internet, the worm sends a specially crafted packet to cause a buffer overflow in lsass.exe. The overflow payload opens a command shell on TCP port 9996 of the newly infected machine. Through that shell the worm writes a script file, cmd.ftp, which instructs the new victim to download a copy of the worm from the FTP server on TCP port 5554 of the previously infected machine and save it as

[some random number]_up.exe.

The file cmd.ftp is then erased. Sasser.a creates a win.log in the root directory of the newly infected machine that records how many remote systems the worm has infected so far and the IP address of the last infected system. Sasser.b creates a file called win2.log instead.
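The network behaviour described above gives an administrator two indicators that do not depend on antivirus signatures: one host opening connections to many distinct addresses on TCP 445 or 139 in a short time (the 128 scanning threads), and that same host listening on TCP 5554 (the worm's FTP server) and TCP 9996 (the shell opened by the exploit payload). The following is an added example, not code from the article or from any vendor's tool, that applies both indicators to a constructed firewall-style connection log; the log format, the host addresses and the per-host listener sets are invented for the illustration, and the threshold of 20 distinct targets in 30 seconds is an assumed tuning value.

```python
"""Flag Sasser-like hosts from a connection log plus per-host listening ports.

Added example; the log syntax below is a constructed format, not any
product's real output.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SMB_PORTS = {445, 139}          # ports Sasser scans for the LSASS flaw
WORM_LISTENERS = {5554, 9996}   # worm FTP server and exploit-opened shell


def parse_line(line):
    """Parse '2004-05-03T10:00:00 10.0.0.7 -> 198.51.100.9:445'
    into (timestamp, src_ip, dst_ip, dst_port)."""
    ts, src, _arrow, target = line.split()
    dst, port = target.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port)


def scanning_sources(lines, window=timedelta(seconds=30), min_targets=20):
    """Return {src: peak number of distinct SMB-port destinations seen in
    any sliding `window`} for sources that reach `min_targets`.

    Counting distinct destinations (not connections) keeps a busy client
    that talks to the same file server all day from triggering."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, dst, dport = parse_line(line)
        if dport in SMB_PORTS:
            by_src[src].append((ts, dst))

    hits = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()   # dst -> events currently inside the window
        start = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Slide the window's left edge forward past expired events.
            while ts - events[start][0] > window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            hits[src] = peak
    return hits


def sasser_suspects(lines, listeners, **kw):
    """Hosts that both scan SMB ports and expose the worm's listeners.
    `listeners` maps host -> set of listening TCP ports (what `netstat -an`
    on that host would show)."""
    scanners = scanning_sources(lines, **kw)
    return sorted(h for h in scanners if WORM_LISTENERS <= listeners.get(h, set()))


# --- constructed sample input (not captured traffic) ----------------------
_base = datetime(2004, 5, 3, 10, 0, 0)
SAMPLE_LOG = []
# Infected host: 25 distinct random targets on 445 within 25 seconds.
for i in range(25):
    SAMPLE_LOG.append(f"{(_base + timedelta(seconds=i)).isoformat()} "
                      f"10.0.0.7 -> 198.51.100.{i + 1}:445")
# Benign client: many connections, but only to two file servers.
for i in range(40):
    SAMPLE_LOG.append(f"{(_base + timedelta(seconds=i)).isoformat()} "
                      f"10.0.0.20 -> 10.0.0.{5 + (i % 2)}:445")
# Web browsing: high fan-out, but not on the SMB ports.
for i in range(30):
    SAMPLE_LOG.append(f"{(_base + timedelta(seconds=i)).isoformat()} "
                      f"10.0.0.21 -> 203.0.113.{i + 1}:80")

SAMPLE_LISTENERS = {
    "10.0.0.7": {135, 139, 445, 5554, 9996},
    "10.0.0.20": {135, 139, 445},
}

if __name__ == "__main__":
    print(scanning_sources(SAMPLE_LOG))                   # {'10.0.0.7': 25}
    print(sasser_suspects(SAMPLE_LOG, SAMPLE_LISTENERS))  # ['10.0.0.7']
```

The scan indicator alone will also catch vulnerability scanners and other SMB worms, which is why it is combined with the listener check; a host that matches both is worth isolating even before a signature confirms which variant it carries.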

Microsoft has created a special page on how to prevent a Sasser infection. Basically, a desktop firewall that blocks inbound connections to TCP ports 445 and 139 should protect vulnerable systems until the Microsoft security patch can be downloaded, because the worm cannot reach LSASS without those ports. If you do not have a personal firewall, you should install one first (so the machine is not reinfected while the patch downloads), then apply the Microsoft security patch MS04-011.

Most antivirus-software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. However, simply removing the Sasser worm infection is not enough; an infected system will remain vulnerable to attack until the LSASS vulnerability itself has been patched.

For more information on Sasser.a, see Computer Associates, F-Secure, McAfee, Norman, Panda, Sophos, Symantec, and Trend Micro.

For more information on Sasser.b, see Computer Associates, F-Secure, McAfee, Norman, Panda, Sophos, Symantec, and Trend Micro.
