
W32.Sasser Worm Fix Information

20 years 6 months ago #3604 by sahirh
Yep we all have to use LSASS... it is the Windows security subsystem.. or more accurately the Local Security Authority Service which handles all your Windows logons... without it Windows cannot work, which is why the machine crashes when LSASS fails. Windows automatically shuts down because it does not want to run without the security subsystem.

The vulnerability can actually be targeted in a number of ways.. anytime that a user logon or similar authentication procedure is required.. LSASS gets called. In the case of the Sasser worm, it targets the vulnerability by going after port 445.. which as we should all know is Microsoft's implementation of SMB directly over TCP/IP. Since Win2k Microsoft has run SMB over TCP/IP.. for what we call file sharing.. and what was earlier run over NetBIOS on the famous ports 137, 138, 139.

I haven't really given that much of a look at the vulnerability, but if I'm not mistaken I think it's the same one as the ASN.1 exploit that came out earlier.. that exploit merely bumped off LSASS causing it to crash... this is just that exploit with a propagation mechanism attached and an exploit that allows the attacker to actually transfer the worm across to the target system (I believe it has to do this within 60 seconds.. because that's how long the system will remain up after the exploit crashes LSASS.EXE ?).

Anyway I got a copy of the worm.. from none other than Chris (who's enjoying the pleasures of automatic shutdown every time he connects lol). I didn't really start doing much work on it last night.. but maybe today I'll go take a look.

There.. that's your Sasser Worm 101. :)

Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
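
Added example, not part of the original posts: a small detector for the propagation pattern described in the post above, where one host opens TCP 445 connections to many distinct addresses in a short time. The log format, addresses, function names, window and threshold are all constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log (format and addresses are made up).
SAMPLE_LOG = """\
2004-05-03T10:00:01 ALLOW TCP 10.0.0.23:1045 -> 10.0.1.1:445
2004-05-03T10:00:02 ALLOW TCP 10.0.0.23:1046 -> 10.0.1.2:445
2004-05-03T10:00:03 ALLOW TCP 10.0.0.23:1047 -> 10.0.1.3:445
2004-05-03T10:00:04 ALLOW TCP 10.0.0.23:1048 -> 10.0.1.4:445
2004-05-03T10:00:05 ALLOW TCP 10.0.0.23:1049 -> 10.0.1.5:445
2004-05-03T10:00:06 ALLOW TCP 10.0.0.8:2001 -> 10.0.0.5:445
2004-05-03T10:00:07 ALLOW TCP 10.0.0.8:2002 -> 10.0.0.5:445
2004-05-03T10:00:08 ALLOW TCP 10.0.0.9:3001 -> 10.0.1.1:80
2004-05-03T10:05:00 ALLOW TCP 10.0.0.30:4001 -> 10.0.1.1:445
2004-05-03T11:05:00 ALLOW TCP 10.0.0.30:4002 -> 10.0.1.2:445
garbage line
"""

def parse(line):
    # Assumed layout: "<time> <action> <proto> <src:port> -> <dst:port>"
    ts, _action, proto, src, _arrow, dst = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), proto, src.rsplit(":", 1)[0], dst_ip, int(dst_port)

def find_scanners(log_text, port=445, window=timedelta(seconds=60), threshold=5):
    """Return sources whose distinct TCP/<port> targets within one window reach threshold."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        try:
            ts, proto, src, dst, dport = parse(line)
        except ValueError:  # malformed or empty line: skip it, do not abort
            continue
        if proto == "TCP" and dport == port:
            seen[src].append((ts, dst))
    flagged = {}
    for src, events in seen.items():
        events.sort()
        start = peak = 0
        for end, (ts, _dst) in enumerate(events):
            while ts - events[start][0] > window:  # slide the window forward
                start += 1
            peak = max(peak, len({d for _, d in events[start:end + 1]}))
        if peak >= threshold:
            flagged[src] = peak
    return flagged

if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG))
```

A client that talks to one file server repeatedly on 445 stays below the threshold because only distinct destinations are counted.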
20 years 6 months ago #3614 by Neon
I was looking for a copy of the virus to give to you but Chris beat me to it :)

Looking at what makes viruses tick is always an interest I’ve had but I never got around to doing more of it! Tell me what you find interesting :D

The only virus that I actually got is that love bug virus… mainly because I can actually read it and understand what it's doing. I never really gave programming a big step, only Visual Basic and the real OLD original BASIC...

10 Home
20 Sweet
30 GOTO 10
(I stole that from Futurama) :wink: