IT Employment

General discussion


Sasser worm

By Joseph Moore ·
Ok, so a worm exploiting the Windows problem in LSASS.EXE process (that was patch a couple weeks ago in MS04-011) is out, called Sasser. Here's the MS page on it:
The antivirus companies all have updates for it by now (3AM CST Sunday morning; can't sleep, so I thought I would read up on it). There are links and article popping up on it all over.
Just wanted to throw a heads up out there.
The current reports (again, at this late hour here) state that it's not spreading insanely fast (no Blater or -- even worse, Slammmer -- speeds), but it is moving around.
It attacks TCP port 445 (SMB port), so it is Win2K/XP/2K3 only. No 9x line, nor NT4. So, that alone will make its impact less than Blaster. But it's still moving out there.
I'm worried about work on Monday, those laptop users coming into the office in the morning, plugging in, bypassing the firewalls and virus scans and IDS egress filters, etc.
I don't expect to have a good day Monday.
This patch, MS04-011, has some documented problems (you can read about the problems here:, so I know my company has NOT rolled this patch out full-scale yet. My web servers are patched (due to the SSL vulnerability the patch also fixes), but that's about it.
Ok. Good luck to all! I hope you are more patched against this one then my machines are!

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Comments

Collapse -

Thanks Joseph

by TheChas In reply to Sasser worm

Thanks for the heads up.

I thought it was a bit unusual to get a new virus definition update on a Saturday.

That must mean that the A-V companies consider this a fairly serious issue.

Hope you were able to get some rest.


Collapse -

Another Update

by TheChas In reply to Thanks Joseph

This MUST be serious!

McAfee just sent out another update to their AV software today.
On a Sunday!!

I may wait until mid-day to boot up my system at work tomorrow.


Collapse -

Joseph - you da' man

by maxwell edison In reply to Sasser worm

Thanks a bunch for this - and all the other "heads-ups" you give us. You are always on top of these kinds of things.

Collapse -

Now you tell me !

by Oz_Media In reply to Sasser worm

I just finished two full system restores in a row.
Ad it turned out after each restore, it would come back again, even while first installing and recognizing hardware.

I had Colin email me a copy of lsass because in the time I could actually boot and go onlie 1-5 minutes, I found it wasn't one of three wroms it was attributed to, and MSKB said you could replace the corrucpted lsass file from disk.

It turned out to be the hotels server/routers AGAIN, after their netadmin reset, everything was fine. (Had the front desk call the netadmin at home, that took some frustrating efforts too)

I needed to get a report and invoice done right away too so it was a rush issue, i got shut down just as I was posting to Tech Q&A so I didn't bother again.

Collapse -

Sorry Joseph

by Oz_Media In reply to Now you tell me !

I failed to thank you for passing on the information, I am patching now, THANKS!!!!

Collapse -

Sorry you had problems with it

by Joseph Moore In reply to Sorry Joseph

Oz, how bad was this one for you? Did your machines go into a constant reboot, or did they just reboot once, when the infection happened? I've read conflicting reports on this. Some say there is one reboot, when the worm hits you and infects you; you reboot, then stay up, but you are infected and the worm routing is running, scanning and trying to infect others.
And other posts are saying that they get stuck in a constant reboot cycle.
So, which did you experience?

Other then that, Symantec has version B of Sasser at a Category 4, which is the highest level they every put things at (Blaster, MyDoom, Slammer, CodeRed were all Cat 4).

And I read on F-Secure's site that they have a version C that will spawn over 1000 connection thread attempts when it looks for other machines to infect. Sasser A and B only spawn 100 threads for scanning/infecting other machines. With 1000 connection threads on version C, that's gonna bring down firewalls due to the sheer amount of traffic they are trying to filter.

Yes, and you all know this is just gonna get worse Monday (although I guess it's already Monday in Australia, HK, Japan, etc.)

BTW, I did finally get to sleep at a little past 4AM! Let's hope we all get some rest, for tomorrow will not be good, and we all need our rest!

Collapse -


by Oz_Media In reply to Sorry you had problems wi ...

Firstly, it was my stand alone laptop that I was trying to finish some work on before meeting a friend for a drink at the hotel.

Let's see, I was in the hotel before dinner and was watching a live feed from Fraser Downs, my triactor was looking good and the field was pacing as predicted when I got the 59 second shut down error. The race was 2:01 so I missed it! That's where I got pissed off.

SO I reboot, same thing after a few minutes. Some reboots lasted long enough for a quick Deja search and save to favorites. Then I'd reboot, hit favorites and search for my answer frantically. Sometimes it was during log on then it would be OK for 10 minutes.

I read about BLaster, didn;t sound right but i managed to run a BLaster fix which found nothing.

Another issue was related to service pack upgrades or the security level being change, not applicable (ooops reboot again).

After a while, I managed to find some info from MSKB about renaming and extracting the original lsass.exe from the Win disk. My backup was at home and my copy of Win2K was there also, (this machine only has a restore option from the partition so I have a burned Win2K disk for such file extraction needs).

I managed to get an emial out to Colin asking for the file but without being able to stay online it is hard to continuously check email especially from somewhere 8 hours ahead, thank god Colin's a night owl.

Needing to get work done NOW, I performed (the computer did anyway) a complete rebuild and I was onine in 30 minutes. As the drivers were being installed by the setup program, it asks to go online and check IBM for the latest, at that point the error started again.

Once again, I reformatted and restored,as it wasn't properly setup. This time all the preinstalled drivers went in fine and I didn't log in to update. All was fine whil I got my work done and I went online again to send it to my client, as I pressed send, the 59 seconds started again (NOTE: Colin HAD replied in this time already but it was too late and he could only find some XP files that probably wouldn't have worked but I had given up before then anyhow, THANKS AGAIN COLIN!!).

I called the reception desk and the night guy, who probably didn't know how to change the channels on the TV he was glued to put up a bit of a fight but eventually called the manager and had him contact their IT guy, (I went to the bar).

On the way back up to my room, the fellow at the desk pulled his attention from his TV long enough to tell me that the IT guy had found a problem in their server that was tracking usage and performing the SMDR for the CDR call accounting system, so he rebppoted his server and routers and all seemed OK. I assume it had been hit by this worm and he will probably be fixing it now if it is reinfected already.

As for myself, everything is working well EXCEPT micrsoft. First I could get to the patch description but not the file. THen I couldn't get to the KB articles at all and now even the homepage won't work. Have they been hit too even though they know about the vulnerability or are they just being hammered by users trying to patch?

If anyone's got this file on disk I'd appreciate a copy by email ( ) but if not, I'll just hope for the best and wait.

It seems to be a relatively simple single key regedit if you are hit now anyway.

Collapse -


by mrafrohead In reply to Sorry you had problems wi ...

There is a reg entry that is created when the virus infects your box to abstain from rebooting. Your machine should not start to reboot itself once you are infected. It should just try to keep sending information and infect other machines.

Collapse -


by mrafrohead In reply to Reboots

Alright, I guess I'm spoon feading y'all garbage...

Here's a quote from Wired:

"When a machine is infected, error messages may appear and the computer may reboot repeatedly."

So, I still stand by my comment, there's code there to keep it from rebooting, BUT Windoze was coded to work, and it doesn't always, so I guess I have to reneg on my previous post.

Sorry for the missinformation.

Collapse -

Actually you are right

by Oz_Media In reply to Egad

There is an entry to DISABLE the user from shutting down or rebooting.
By showing a damaged lass.exe file the system doesn't see the user as having sufficient rights to reboot.

The registry entry you spoke of is a VERY simple singkle-key delete that resolves the issue.

Unfortunately, when I was infected I was still in a hotel, and it was THEIR server that was screwed.

At this point, nobody had posted the fix or removal tools or even an up to date signature.

As it was a reasonably fresh system boot, the MSKB was not yet offering the patch in Windows update but only through a separate KB download.

"What a difference a day makes!!" ONE FREAKIN' DAY!!!!! "24 stinkin' little hours!!"


But things are running like a well oiled machine now, (bad term for computers I suppose).

I also have a desktop, I JUST upped to Win2K.
Everything went SO well and worked SO fantastic. Somewhere in the MS updates, it has picked up an intermittent stack dump.

I have disabled the system reboot but haven't seen the error again yet for debugging.

Oh well, that's Microsnot for ya.

Related Discussions

Related Forums