WORM ALERT
Posted by AdminCodeWarrior on May 3, 2004 at 10:34 AM

This worm uses an exploit of lsass.exe

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SASSER.B
"Virus type: Worm

Destructive: No

Aliases: W32/Sasser.worm.b, W32.Sasser.B.Worm, W32/Sasser.B

Pattern file needed: 883 (1.883.00)OPR

Scan engine needed: 6.500

Overall risk rating: High

--------------------------------------------------------------------------------

Reported infections: High

Damage Potential: High

Distribution Potential: High

--------------------------------------------------------------------------------

Description:

As of May 2, 2004 10:07 PM (PST), TrendLabs has declared a Red alert to control the spread of this malware. Several infection reports have been received indicating that this worm is spreading across the globe.

This worm exploits the Windows LSASS vulnerability, which is a buffer overrun that allows remote code execution and enables an attacker to gain full control of affected systems. This vulnerability is discussed in detail in the following pages:

MS04-011_MICROSOFT_WINDOWS
Microsoft Security Bulletin MS04-011
To propagate, this worm sends a specially-crafted packet to TCP port 445 of random IP addresses. However, it skips certain RFC 1918-reserved addresses. The packet causes a buffer overrun on vulnerable systems, which results in the execution of a remote shell that opens port 9996. This worm commands the remote shell to download its copy from the original infected source via port 5554 using FTP.

Important: Trend Micro advises users to apply the critical patch related to the Windows LSASS vulnerability, which is available at the following Microsoft page:

http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

Solution:

Important: Users of Trend Micro PC-cillin Internet Security and Network VirusWall should check if their products have updated to CFW/NVP pattern 10125 or later.

BLOCKING of PORTS

Users and administrators are strongly advised to block TCP ports 5554 and 9996 to prevent the transfer of the SASSER worm from infected systems to unpatched machines.

AUTOMATIC REMOVAL INSTRUCTIONS

To automatically remove this malware from your system, please use the Trend Micro Damage Cleanup Services. Download the tool from the following link:

http://www.trendmicro.com/download/dcs.asp

MANUAL REMOVAL INSTRUCTIONS

Note: The following two procedures apply to Windows NT, 2000, and XP systems. For systems running Windows 95, 98, and ME, please proceed to the section Restarting in Safe Mode.

Identifying the Malware Program (For Windows NT, 2000, and XP only)

To remove this malware, first identify the malware program.

1. Scan your system with your Trend Micro antivirus product.
2. NOTE all files detected as WORM_SASSER.B.

Trend Micro customers need to download the latest pattern file before scanning their system. Other Internet users may use Housecall, Trend Micro's free online virus scanner.

Terminating the Malware Program (For Windows NT, 2000, and XP only)

This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier.

1. Open Windows Task Manager: press CTRL+SHIFT+ESC, then click the Processes tab.
2. In the list of running programs*, locate the malware file(s) detected earlier.
3. Select one of the detected files, then press the End Process button.
4. Do the same for all detected malware files in the list of running processes.
5. To check if the malware process has been terminated, close Task Manager, and then open it again.
6. Close Task Manager."
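The advisory quoted above describes a three-port pattern: the overrun is delivered to TCP 445, the shell it spawns listens on TCP 9996, and the new victim pulls the worm body over FTP from TCP 5554 on the host that infected it, which is why the solution section asks administrators to block 5554 and 9996. The script below is an added example of how a defender could triage perimeter or host firewall logs for that pattern; it is not part of the original post and not Trend Micro's code. The log format, the addresses, the ten-target threshold and the one-minute window are all assumptions constructed for the example. It flags every connection to 5554 or 9996, and it also generalises the advisory's "random IP addresses" propagation step into a fan-out check: a single source reaching many distinct hosts on 445 in a short window.

```python
import re
from collections import defaultdict
from datetime import datetime

# Ports taken from the Trend Micro advisory: the overrun is delivered to 445,
# the resulting shell listens on 9996, and the worm body is fetched over FTP
# from 5554 on the infecting host.
LSASS_PORT = 445
SASSER_PORTS = {
    9996: "remote shell spawned by the LSASS overrun",
    5554: "FTP service on the infecting host (worm body download)",
}

# Assumed detection knobs (not from the advisory): a source that reaches this
# many distinct hosts on 445 inside the window is treated as a scanner.
SCAN_THRESHOLD = 10
SCAN_WINDOW_SECONDS = 60

# Constructed sample firewall log in an assumed format:
#   "<date> <time> <ACTION> <PROTO> <src>:<sport> -> <dst>:<dport>"
# 10.0.0.7 is a normal client talking to two file servers; 10.0.0.5 sweeps
# twelve neighbours on 445 within twelve seconds, reaches the shell port on
# 10.0.0.20, which then fetches the worm body from 10.0.0.5:5554.
SAMPLE_LOG = [
    "2004-05-03 10:30:00 ACCEPT TCP 10.0.0.7:1025 -> 10.0.0.10:445",
    "2004-05-03 10:30:05 ACCEPT TCP 10.0.0.7:1026 -> 10.0.0.11:445",
] + [
    f"2004-05-03 10:31:{i:02d} DROP TCP 10.0.0.5:{1031 + i} -> 10.0.0.{20 + i}:445"
    for i in range(12)
] + [
    "2004-05-03 10:31:20 ACCEPT TCP 10.0.0.5:1050 -> 10.0.0.20:9996",
    "2004-05-03 10:31:25 ACCEPT TCP 10.0.0.20:1100 -> 10.0.0.5:5554",
    "2004-05-03 10:31:30 ACCEPT TCP 10.0.0.7:1027 -> 192.168.1.8:80",
    "this line is deliberately malformed and must be skipped",
]

LINE_RE = re.compile(
    r"^(\S+ \S+) (\w+) (\w+) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
        "action": m.group(2),
        "proto": m.group(3),
        "src": m.group(4),
        "sport": int(m.group(5)),
        "dst": m.group(6),
        "dport": int(m.group(7)),
    }


def worm_port_hits(events):
    """Every TCP connection to a port the advisory associates with Sasser."""
    return [
        (e["src"], e["dst"], e["dport"], SASSER_PORTS[e["dport"]])
        for e in events
        if e["proto"] == "TCP" and e["dport"] in SASSER_PORTS
    ]


def find_445_scanners(events, threshold=SCAN_THRESHOLD, window_s=SCAN_WINDOW_SECONDS):
    """Sources that reach >= threshold distinct hosts on 445 within window_s.

    Returns {src: largest number of distinct 445 targets seen in any window}.
    """
    by_src = defaultdict(list)
    for e in events:
        if e["proto"] == "TCP" and e["dport"] == LSASS_PORT:
            by_src[e["src"]].append((e["ts"], e["dst"]))
    scanners = {}
    for src, attempts in by_src.items():
        attempts.sort()
        best, start = 0, 0
        for end in range(len(attempts)):
            # Slide the window start forward until the span fits in window_s.
            while (attempts[end][0] - attempts[start][0]).total_seconds() > window_s:
                start += 1
            best = max(best, len({dst for _, dst in attempts[start:end + 1]}))
        if best >= threshold:
            scanners[src] = best
    return scanners


def analyse(lines):
    """Run both checks over raw log lines and return a summary dict."""
    events = [e for e in (parse_line(l) for l in lines) if e is not None]
    return {
        "parsed": len(events),
        "worm_port_hits": worm_port_hits(events),
        "scanners": find_445_scanners(events),
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    print(f"parsed {report['parsed']} events")
    for src, dst, port, why in report["worm_port_hits"]:
        print(f"worm port: {src} -> {dst}:{port} ({why})")
    for src, n in report["scanners"].items():
        print(f"445 sweep: {src} hit {n} distinct hosts within {SCAN_WINDOW_SECONDS}s")
```

On the sample data the 445 fan-out from 10.0.0.5 is the higher-signal finding: a hit on 5554 or 9996 tells you a transfer was attempted, but the sweep shows which host is the infected source. In a real deployment the threshold needs tuning, and file servers or domain controllers that legitimately accept 445 from many clients should be excluded by source role, since the check looks at who is initiating, not who is receiving.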


User Comments

AdvancedLachatte
Date: May 3, 2004 @ 11:02 AM
I read about this earlier today on MSNBC. "The current worm does not need to be activated by double-clicking on an attachment, and can strike even if no one is using the PC at the time. When a machine is infected, error messages may appear and the computer may reboot repeatedly."

Here's the link: http://www.msnbc.msn.com/id/4890780/
DMemberBobaFlex
Date: May 3, 2004 @ 11:02 AM
I got SASSER.C yesterday somehow...
AdvancedLachatte
Date: May 3, 2004 @ 11:05 AM
Here's one other quote from the msnbc story that might be helpful: "F-Secure said the worm emerged 18 days after Microsoft posted a corrective-code software patch on its Web site. This continues a common pattern with viruses whereby firms announce flaws in their software and hackers race to exploit them.

For home computer users, people should make sure they have downloaded the patch from Microsoft to fix the breach. If their computer is infected, must first be downloaded before the virus is removed or else the PC could catch the worm again."

Advancedawehr
Date: May 3, 2004 @ 11:13 AM
I think a friend of mine was getting this...

I also have been infected with this, but I downloaded updates and have yet to experience any symptoms.

Of course, this is my old pc, which is no longer my primary computer.
AdminCodeWarrior
Date: May 3, 2004 @ 12:19 PM
I knew that lsass.exe was exploitable and I had been dreading someone finding the exploit...

my problem is I decided I would not download any more M$ updates/patches, and so I locked down the ports it uses....
DMemberExhumator
Date: May 3, 2004 @ 1:45 PM
I'm glad I'm on Linux :-)
AlternativeJohnnyBB
Date: May 3, 2004 @ 3:16 PM
I think I've got it, but I was planning on formatting this week and starting over with better security anyway.

I've got some spyware that I just can't seem to rid myself of.
AdvancedTheSherminator
Date: May 3, 2004 @ 3:22 PM
That's odd. Nowhere on msn.com did they mention switching to Linux as a possible solution :)
DMemberTinker35
Date: May 3, 2004 @ 4:01 PM
Off-topic: JohnnyBB, Norton AV does a good job of detecting spyware and virii. Try Ad-aware, Search & Destroy or Pest Patrol. You can also grab HijackThis which will analyze and display a list that you can then post to forums for expert advice.

On-topic: I've not seen this worm yet, but Netsky still seems quite rampant. There's another pest that's quite common that issues scans of specific ports. Last month my firewall would log about twenty an hour (3127, 80, 5000 are a few of the ports).
AdminCodeWarrior
Date: May 3, 2004 @ 4:02 PM
;) Sherm... see the post I did on Bill Gates violating federal rules and being fined 800 grand!
:)