MS04-011 Sasser.E (new ports 1022 and 1023)



#1 harrywaldron
Posted 09 May 2004 - 05:43 AM

These high numbered ports should already be blocked in the firewall rules, but companies still applying the MS04-011 patch should verify this.

MS04-011 Sasser.E (new ports 1022 and 1023)
http://secunia.com/virus_information/9263/sasser.e/
http://vil.nai.com/vil/content/v_125091.htm
http://www.trendmicro.com/vinfo/virusencyc...e=WORM_SASSER.E
http://www.symantec.com/avcenter/venc/data...ser.e.worm.html
http://www.f-secure.com/v-descs/sasser_e.shtml

W32.Sasser.E.Worm is a minor variant of W32.Sasser.Worm. It attempts to exploit the LSASS vulnerability described in Microsoft Security Bulletin MS04-011 and spreads by scanning randomly selected IP addresses for vulnerable systems. W32.Sasser.E.Worm differs from W32.Sasser.Worm as follows:

* Uses a different mutex: SkynetNotice.
* Uses a different file name: lsasss.exe.
* Creates a different value in the registry: "lsasss.exe".
* Uses different port numbers, used by FTP server and the remote shell: 1023 and 1022.
* After 2 hours of running it displays a message.
* It deletes the values from the registry, which are known to be installed by Trojan.Mitglieder, W32.Beagle.W@mm, and W32.Beagle.X@mm.
* The name of the file retrieved from the FTP server is followed by _update.exe.
* The worm logs data into the file C:\ftplog.txt.

SIGNS OF INFECTION

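As an added example, not part of the original post or any vendor write-up, here is a small triage script that checks the host-level indicators listed above: TCP listeners on ports 1022 and 1023 and a process using the look-alike image name lsasss.exe (three s's, as opposed to the legitimate lsass.exe). The netstat and tasklist samples are constructed, and the port/name values come from the description above.

```python
import re

# Indicators taken from the Sasser.E description above.
SASSER_E_PORTS = {1022, 1023}
SASSER_E_IMAGE = "lsasss.exe"   # note the extra 's' versus the legitimate lsass.exe

# Constructed sample of `netstat -ano` output (not a real capture).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1022           0.0.0.0:0              LISTENING       1660
  TCP    0.0.0.0:1023           0.0.0.0:0              LISTENING       1660
  TCP    10.0.0.5:1031          10.0.0.9:445           ESTABLISHED     1660
"""

# Constructed PID -> image name mapping, as `tasklist` would report it.
SAMPLE_TASKLIST = {892: "svchost.exe", 4: "System", 1660: "lsasss.exe", 672: "lsass.exe"}

# Matches TCP rows of `netstat -ano`; UDP rows have no State column and are skipped.
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(\S+)\s+(\d+)\s*$")


def parse_listeners(netstat_text):
    """Return (port, pid) for every TCP socket reported in LISTENING state."""
    listeners = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if m and m.group(1) == "TCP" and m.group(4) == "LISTENING":
            listeners.append((int(m.group(3)), int(m.group(5))))
    return listeners


def find_sasser_e_indicators(netstat_text, tasklist):
    """Flag listeners on the Sasser.E ports and any process using the look-alike name."""
    findings = []
    for port, pid in parse_listeners(netstat_text):
        if port in SASSER_E_PORTS:
            findings.append(f"port {port} listening, pid {pid} ({tasklist.get(pid, '?')})")
    for pid, image in tasklist.items():
        if image.lower() == SASSER_E_IMAGE:
            findings.append(f"process {image} running as pid {pid}")
    return findings


if __name__ == "__main__":
    for finding in find_sasser_e_indicators(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print("SUSPECT:", finding)
```

A listener on 1022 or 1023 alone is only a lead, since any program can bind those ports; the process name tied to that PID is what distinguishes the worm from a legitimate service.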
