
MS04-011 Sasser.E (new ports 1022 and 1023)


#1 harrywaldron


    Security Reporter


Posted 09 May 2004 - 05:43 AM

These high-numbered ports should already be blocked in the firewall rules, but companies still applying the MS04-011 patch should verify this.

MS04-011 Sasser.E (new ports 1022 and 1023)

W32.Sasser.E.Worm is a minor variant of W32.Sasser.Worm. It attempts to exploit the LSASS vulnerability described in Microsoft Security Bulletin MS04-011 and spreads by scanning randomly selected IP addresses for vulnerable systems. W32.Sasser.E.Worm differs from W32.Sasser.Worm as follows:

* Uses a different mutex: SkynetNotice.
* Uses a different file name: lsasss.exe.
* Creates a different value in the registry: "lsasss.exe".
* Uses different port numbers, used by FTP server and the remote shell: 1023 and 1022.
* After 2 hours of running it displays a message.
* It deletes the values from the registry, which are known to be installed by Trojan.Mitglieder, W32.Beagle.W@mm, and W32.Beagle.X@mm.
* The name of the file retrieved from the FTP server is followed by _update.exe.
* The worm logs data into the file C:\ftplog.txt.
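
A triage check built from the indicators listed above, as an added example that is not part of the original post or of the quoted advisory: it flags TCP listeners on ports 1022 and 1023 in `netstat -ano` output and matches file paths against the names the variant uses. The sample netstat text and file paths are constructed, and the function names are hypothetical.

```python
import re
from pathlib import PureWindowsPath

# Indicators as listed in the post above.
WORM_PORTS = {1023: "FTP server", 1022: "remote shell"}
WORM_EXE = "lsasss.exe"
WORM_LOG = PureWindowsPath(r"C:\ftplog.txt")
DOWNLOAD_SUFFIX = "_update.exe"

# One TCP row of `netstat -ano`: proto, local addr:port, foreign, state, PID.
_LISTEN = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$", re.I)

def worm_port_listeners(netstat_text):
    """Return (address, port, pid, role) for listeners on the worm's ports."""
    hits = []
    for line in netstat_text.splitlines():
        m = _LISTEN.match(line)
        if m and int(m.group(2)) in WORM_PORTS:
            port = int(m.group(2))
            hits.append((m.group(1), port, int(m.group(3)), WORM_PORTS[port]))
    return hits

def worm_file_hits(paths):
    """Return (path, reason) for paths matching the file indicators."""
    hits = []
    for raw in paths:
        p = PureWindowsPath(raw)
        name = p.name.lower()
        if name == WORM_EXE:
            hits.append((raw, "worm executable name"))
        elif p == WORM_LOG:  # Windows paths compare case-insensitively
            hits.append((raw, "worm log file"))
        elif name.endswith(DOWNLOAD_SUFFIX):
            hits.append((raw, "retrieved file suffix"))
    return hits

# Constructed sample data, not taken from a real host.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:1022           0.0.0.0:0              LISTENING       1540
  TCP    0.0.0.0:1023           0.0.0.0:0              LISTENING       1540
  TCP    10.0.0.5:1023          10.0.0.9:80            ESTABLISHED     2012
"""
SAMPLE_PATHS = [r"C:\WINDOWS\system32\lsass.exe", r"C:\WINDOWS\lsasss.exe",
                r"c:\FTPLOG.TXT", r"D:\data\ftplog.txt", r"C:\TEMP\4711_update.exe"]

if __name__ == "__main__":
    for hit in worm_port_listeners(SAMPLE_NETSTAT) + worm_file_hits(SAMPLE_PATHS):
        print(hit)
```

A listener on one of these ports is a lead rather than proof, so treat a port hit together with a file hit on the same host as the stronger signal.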

