Sasser Worm Information
Article published by Marc Liron - Microsoft MVP
Finding a solution for the Sasser Worm error
So what is all the fuss about this new worm, released on 30 April 2004?
Well, some IT professionals are forecasting that this worm will be a huge problem for users of Windows 2000 and Windows XP. Some are even saying that it could get as bad as the Blaster worm, which caused so much havoc to PC users not that long ago.
Whatever the effect of the Sasser worm turns out to be, there is ONE thing that every IT professional agrees on:
YOU can STOP yourself being hit if you ACT NOW!
The Sasser Worm - What Is It?
Let's take a moment to look at what this new worm does, and then we shall look at how you can protect yourself from the Sasser worm.
# First of all, who exactly is affected?
Products Affected by The Sasser Worm
Microsoft Windows XP and Windows XP Service Pack 1
Windows 2000 Service Pack 2
Windows 2000 Service Pack 3
Windows 2000 Service Pack 4
Products Not Affected by The Sasser Worm
Windows XP 64-Bit Edition Version 2003
Windows Server™ 2003
Windows XP 64-Bit Edition Service Pack 1
Windows Millennium Edition
Windows 98 Second Edition
Windows 98
Windows NT 4.0 Service Pack 6a
# How is it causing problems?
In April 2004 Microsoft made known a vulnerability, and released a security patch, for two of its operating systems regarding a buffer overrun in LSASS (the Local Security Authority Subsystem Service, which runs as the lsass.exe process). What has happened, to some extent MSBlaster history repeating itself, is that an automatic network worm has been written and released onto the Internet. And it is not just one single worm: minor variants of the Sasser worm are now being detected as well.
This Sasser worm is NOT spread by email, and this is an important point to note!
Just like the MSBlaster worm, it scans the Internet for connected PCs that have NOT been patched. The Sasser worm scans random IP addresses on TCP port 445 (the port Windows file and printer sharing listens on). If it connects successfully to an unpatched PC, it then attempts to exploit the known Microsoft Windows LSASS buffer overflow vulnerability.
Once a PC is infected, a file is created in the Windows directory called avserve.exe or avserve2.exe, depending on the worm variant (Sasser.A or Sasser.B respectively), e.g.
Windows XP PCs: C:\Windows\avserve.exe
Windows 2000 PCs: C:\Winnt\avserve.exe
The Sasser worm also modifies the Registry to ensure that this file is executed at each Windows start, by adding a value pointing at the file under the Run key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\avserve.exe
(the value name follows the worm file's name, so avserve2.exe for Sasser.B)
Once it has done this, it will attempt to infect other unpatched PCs over the Internet. It starts an FTP server on TCP port 5554, from which each newly exploited PC downloads its own copy of the worm, and it generates random IP addresses to "probe" remotely, scanning more than 200 addresses per second!
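As an added example (not part of Marc's original article, and not the worm's or Microsoft's code), here is a small Python script that looks for the two network indicators described above in a connection log: one source fanning out to many distinct hosts on TCP port 445 within a second (the worm's random-address scanning), and hosts accepting connections on TCP port 5554 (the FTP server an infected PC opens so new victims can fetch the binary). The log format (ISO timestamp, source, destination, destination port, protocol) and the sample entries the script builds are constructed for the example, and the threshold of 20 distinct hosts per second is an assumption: well below the 200 addresses per second quoted above, but far more than an ordinary file-sharing client touches.

```python
"""Added example: spot Sasser-style worm traffic in a connection log.

Two indicators from the article are checked:
  * one source opening connections to many distinct hosts on TCP/445 in a
    short window (the worm scanning random addresses), and
  * hosts accepting connections on TCP/5554, the FTP port the worm opens on
    an infected machine so that new victims can download the worm file.
The log format and all sample data below are constructed for this example.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set


class Event(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dport: int
    proto: str


def parse_line(line: str) -> Event:
    """Parse one assumed-format record: '<ISO8601 time> <src> <dst> <dport> <proto>'."""
    ts, src, dst, dport, proto = line.split()
    return Event(datetime.fromisoformat(ts), src, dst, int(dport), proto.lower())


def parse_log(text: str) -> List[Event]:
    """Parse every non-blank, non-comment line of the log."""
    return [parse_line(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]


def find_scanners(events: List[Event], port: int = 445,
                  window: timedelta = timedelta(seconds=1),
                  threshold: int = 20) -> Dict[str, int]:
    """Return {src: peak number of distinct destinations on `port` seen within
    one `window`} for every source whose peak reaches `threshold`.
    A normal client talks to a handful of file servers; the worm probes
    hundreds of random addresses per second."""
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        if ev.dport == port and ev.proto == "tcp":
            by_src[ev.src].append(ev)
    hits: Dict[str, int] = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        in_window: Counter = Counter()   # distinct dst -> count inside window
        q: deque = deque()               # events currently inside the window
        peak = 0
        for ev in evs:
            q.append(ev)
            in_window[ev.dst] += 1
            # Slide the window: drop events older than `window` before this one.
            while ev.ts - q[0].ts > window:
                old = q.popleft()
                in_window[old.dst] -= 1
                if in_window[old.dst] == 0:
                    del in_window[old.dst]
            peak = max(peak, len(in_window))
        if peak >= threshold:
            hits[src] = peak
    return hits


def find_worm_ftp(events: List[Event], port: int = 5554) -> Set[str]:
    """Hosts that accepted a TCP connection on the worm's FTP port. The
    *destination* of such a connection is the already-infected machine;
    the source is a freshly exploited PC fetching the worm."""
    return {ev.dst for ev in events if ev.dport == port and ev.proto == "tcp"}


def build_sample_log() -> str:
    """Constructed sample (not a real capture): 10.0.0.7 sweeps 60 addresses
    on 445 in two seconds, 10.0.1.3 then pulls the worm from 10.0.0.7:5554,
    and 10.0.0.5 does ordinary SMB to two file servers."""
    lines = []
    for i in range(1, 61):
        sec = 0 if i <= 30 else 1
        lines.append(f"2004-05-01T10:00:0{sec} 10.0.0.7 10.0.1.{i} 445 tcp")
    lines.append("2004-05-01T10:00:03 10.0.1.3 10.0.0.7 5554 tcp")
    lines.append("2004-05-01T10:00:05 10.0.0.5 10.0.0.2 445 tcp")
    lines.append("2004-05-01T10:00:06 10.0.0.5 10.0.0.3 445 tcp")
    return "\n".join(lines)


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    print("scanning sources (peak distinct hosts per window):", find_scanners(evs))
    print("hosts serving the worm on TCP/5554:", find_worm_ftp(evs))
```

Run against the built-in sample it flags 10.0.0.7 as a scanner (60 distinct hosts inside one window) and as the machine serving the worm on port 5554, while the ordinary client 10.0.0.5 is left alone. On a real network you would feed it your firewall or flow logs in the same five-field shape; a host that shows up in both results is the one to pull off the network first.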
Some users may experience their system randomly shutting down, with a System Shutdown dialogue box counting down 60 seconds. [Screenshot not reproduced.]
Others may encounter an "LSA Shell (Export Version)" error dialogue box. [Screenshot not reproduced.]
Both of these are an indication that your PC is being attacked by, and may be infected with, the Sasser worm.
If your computer is vulnerable to the worm, the worm's exploit attempt may cause LSASS.EXE to crash, which forces the operating system to shut down after 60 seconds. On Windows XP this shutdown can be aborted with the built-in shutdown.exe -a command. Type the following into the Run box on the Start Menu:
shutdown -a
This shutdown can NOT be aborted on Windows 2000 systems. Note that aborting the shutdown does not remove the worm or fix the vulnerability; it only buys you time to patch.
On Windows 2000 systems, to prevent LSASS.EXE from crashing (and thereby restarting the operating system), unplug the network cable (or disable the network adapter) before LSASS.EXE crashes, and then perform the following step to prevent the worm from crashing LSASS.EXE:
Create a file called %systemroot%\debug\dcpromo.log and make the file read-only. To do this, type the following command at a command prompt:
echo dcpromo >%systemroot%\debug\dcpromo.log & attrib +r %systemroot%\debug\dcpromo.log
NOTE: This is the most effective mitigation technique, as it completely mitigates this vulnerability by causing the vulnerable code never to be executed: the vulnerable routine tries to write its log to dcpromo.log and gives up when the file cannot be opened for writing, before the overflow is ever reached. This workaround will work for packets sent to any vulnerable port. It is a stop-gap, not a fix, so install the security patch described below as soon as the machine is stable.
The Sasser Worm - How Can You Be Protected?
Essentially, if you:
1) Have the relevant Microsoft security update (KB835732) installed:
Microsoft Windows 2000 Service Pack 2, Service Pack 3 and Service Pack 4 - Download the update
Microsoft Windows XP and Microsoft Windows XP Service Pack 1 - Download the update
(NB - There are some known issues that can occur after installing the update; more info here: http://support.microsoft.com/default.aspx?scid=kb;en-us;835732)
How can I verify that I already have the security update that protects against the Sasser worm and its variants?
If the update is installed, it is displayed in the list of currently installed programs on your computer. To check that list:
On the taskbar at the bottom of your screen, click Start, and then click Control Panel.
Open Add or Remove Programs.
In the list of currently installed programs, look for a Windows entry that contains 835732.
If the entry containing 835732 is present, the update is installed.
2) Are using an up-to-date anti-virus product with current definitions...
3) Are using a personal firewall (one that blocks unsolicited inbound connections to TCP port 445 stops the worm from ever reaching LSASS)...
then you are PROTECTED from the Sasser worm and its variants.
If you have been, or suspect you might have been, infected you can download this removal tool from Microsoft:
Sasser.A and Sasser.B Worm Removal Tool (KB841720) (This tool will help to remove the Sasser.A and Sasser.B worms from infected machines.)
Or use the one provided by your anti-virus vendor if they have one available...
THEN get the security patch from Microsoft as detailed above and install it NOW! (The best approach, of course, is to use Windows Update on a regular basis; the patch is available from the Windows Update web site.) Bear in mind that removing the worm without installing the patch leaves the PC open to being reinfected as soon as it goes back online.
If you have friends and family who use either Windows XP or Windows 2000, then PLEASE let them know about this new threat!
Kind Regards
Marc Liron - Microsoft MVP