Afternoon, All.

http://www.computing.net/windows2000/wwwboard/forum/57476.html
http://www.computing.net/security/wwwboard/forum/11377.html

Any ideas on how this trojan/virus/whatever propagates? I'd really like to know how it got onto my system.

Cheers,
Scronty
Posted on 2004-05-01 01:27:23 by Scronty
Most likely a remote exploit, scronty. There are some services running on your system that you cannot shut down, and unfortunately some of these listen on sockets without filtering source IP... The best thing you can do is get hold of a firewall; if you're on cable/DSL and have a decent router/modem, it should allow you to set up NAT/PAT - Network/Port Address Translation. With this, you can effectively block out any traffic that you haven't made rules for (of course it also does mean you'll have to set up rules for the server software you use, but this is a small price to pay).

This can be combined with a personal firewall so that network-using applications will be MD5'ed or SHA'ed to verify they haven't been tampered with, and - this a hardware firewall can't do - see which programs send outgoing traffic. But I wouldn't trust a PFW by itself; there are ways to pierce them.
Posted on 2004-05-01 07:45:17 by f0dder
Posted on 2004-05-01 15:36:42 by Tola
"A worm, dubbed Sasser by antivirus firms, was spreading slowly throughout the Internet on Saturday, taking advantage of a vulnerability in unpatched Windows systems to infect new hosts."

"The creation of the worm didn't surprise the Internet's security community. Security experts widely predicted that a worm would soon start spreading using that particular flaw by exploiting a recent vulnerability in a component of Microsoft Windows known as the Local Security Authority Subsystem Service, or LSASS."

More: http://news.com.com/2100-7349_3-5203764.html?tag=nefd.top

http://www.microsoft.com/security/incident/sasser.asp
Posted on 2004-05-01 16:08:23 by Masmer
Dang thing got me good. I thought I had a virus at first, but then after a format and reinstall I was still getting Lsass.exe terminating unexpectedly. This worm will prolly be a record breaker.
Posted on 2004-05-02 07:42:23 by smurf
What? Formatting and reinstalling just due to this little worm?
oh well;

I gotta say, it's funny to play with that thing. I think it doesn't do any harm but spreading all over the net. I've just got the (HUGE, man how can you make a patch that big?!) patch from micro$oft and that's it.
the worm was opening connections to everywhere...
Posted on 2004-05-02 08:27:07 by hartyl

I think it doesn't do any harm but spreading all over the net.

Causing random reboots (because of shellcode?) is bad enough for me. You can lose work and such.


I've just got the (HUGE, man how can you make a patch that big?!) patch

Probably because they have to redistribute a couple of DLLs?
Posted on 2004-05-02 08:31:50 by f0dder

Causing random reboots (because of shellcode?) is bad enough for me. You can lose work and such.

Just curious, is it a payload or a bug?
Posted on 2004-05-03 17:51:49 by QvasiModo
I would guess it's a bug, it certainly was a bug in the original blaster worm. Seems like RPC related exploits are pretty sensitive :)
Posted on 2004-05-03 18:14:18 by f0dder
It does contain shellcode that listens on port 9996. If your computer is reachable so that it can be infected, then chances are this port is reachable too, meaning anyone can get a command prompt with system privileges.
Posted on 2004-05-03 22:32:08 by ENF
...which again is good reason why you should be firewalled and/or NAT'ed, and only forward specific ports to your computer.
Posted on 2004-05-04 01:16:13 by f0dder