Sasser Internet Worm is Spreading
This new threat can spread to your computer without e-mail by exploiting another critical security vulnerability in versions of Microsoft Windows 2000 and XP.
How can you tell if your computer is infected with W32.Sasser.worm? You may see a dialog box whose text refers to LSASS.exe, or you may see no symptoms at all. Others whose PCs are not infected may experience problems because the worm is attempting to attack their computers; a typical symptom of that condition is the computer rebooting every few minutes without user input.
Microsoft teams are investigating reports of this worm and its variants, and have verified that the worm exploits the Local Security Authority Subsystem Service (LSASS) issue addressed in the Microsoft Security Update MS04-011 (KB835732) on April 13, 2004 (see www.microsoft.com/security/security_bulletins/200404_windows.asp).
What actually happens is that the worm copies itself to the Windows folder with the filename avserve.exe and sets the following registry key to auto-start on user logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avserve = avserve.exe
The worm then attempts to connect out on ports TCP/9996 and TCP/445 and exploit the LSASS vulnerability. An FTP script is then downloaded and executed on the target, which connects back on port TCP/5554 to download a copy of the worm via FTP.
To remove Sasser and its variants from your computer, you should do the following:
Enable a Firewall
First, enable a firewall on the affected computer. Before you take other steps, make sure you have a firewall activated to help protect your computer against this kind of infection. If your computer has been infected, activating firewall software first will help limit the effects of the worm on your computer. There is a comprehensive guide to installing and enabling a firewall on the Microsoft “Protect Your PC” site at www.microsoft.com/security/protect/.
Then disconnect the computer from the Internet and restart it. If you have problems rebooting, reboot in Safe Mode. Do all of the following steps in this order to find and end the tasks related to the worm, and remove the registry value it adds:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "avserve.exe" = C:\WINDOWS\avserve.exe
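As an added example (not from the article or from Microsoft), the following Python script checks for the indicators named above in two pieces of evidence you could collect from a Windows 2000/XP machine: a .reg export of the Run key and the output of netstat -an. Both samples below are constructed for the example; the value name avserve.exe and ports 445, 5554 and 9996 are the ones the article gives.

```python
# Constructed sample of a .reg export of the Run key (made up for this example)
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"avserve.exe"="C:\\WINDOWS\\avserve.exe"
"""

# Constructed sample of `netstat -an` output from an infected host (made up)
SAMPLE_NETSTAT = """  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5554           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9996           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1052      192.168.1.77:445       SYN_SENT
  TCP    192.168.1.20:1053      192.168.1.78:445       SYN_SENT
"""

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WORM_FILE = "avserve.exe"          # copied into the Windows folder by the worm
WORM_PORTS = {5554, 9996}          # FTP download port and the port the worm connects on

def find_run_entries(reg_text):
    """Return (value name, path) pairs under the Run key whose path names avserve.exe."""
    hits, in_run = [], False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_run = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        name, sep, data = line.strip().partition('"="')
        if in_run and sep and WORM_FILE in data.lower():
            # .reg files double the backslashes; undo that for the reported path
            hits.append((name.strip('"'), data.rstrip('"').replace("\\\\", "\\")))
    return hits

def tcp_rows(netstat_text):
    """Yield (local, foreign, state) for each TCP row of `netstat -an` output."""
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "TCP":
            yield parts[1], parts[2], parts[3]

def find_listening_worm_ports(netstat_text):
    """Return the worm ports this host is listening on."""
    listening = {int(l.rsplit(":", 1)[1]) for l, _, s in tcp_rows(netstat_text) if s == "LISTENING"}
    return listening & WORM_PORTS

def count_outbound_445(netstat_text):
    """Count attempts to reach TCP/445 on other hosts, the scanning that disturbs neighbours."""
    return sum(1 for _, f, s in tcp_rows(netstat_text) if f.endswith(":445") and s != "LISTENING")

def likely_infected(reg_text, netstat_text):
    """Verdict: the Run entry or a listening worm port is enough to flag the host."""
    return bool(find_run_entries(reg_text) or find_listening_worm_ports(netstat_text))
```

A high count from count_outbound_445 on a machine that is not a file server is the same scanning activity that makes uninfected neighbours reboot.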
Install the Required Update
Now you can connect the computer to the Internet again to go to the Windows Update site (windowsupdate.microsoft.com/), and click the Scan for Updates button. Download and install the critical updates recommended after the scan.
To protect your computer against the Sasser worm and its variants, you must specifically download and install the Microsoft Security Update MS04-011 from www.microsoft.com/security/security_bulletins/200404_windows.asp.
Microsoft provides a tool for Windows 2000 and Windows XP that searches your hard drive for the Sasser worm and its variants and tries to remove them (KB841720). You can download it manually from www.microsoft.com/downloads/details.aspx?FamilyId=76C6DE7E-1B6B-4FC3-90D4-9FA42D14CC17&displaylang=en or click “Check My PC for Infection” on the www.microsoft.com/security/incident/sasser.asp page.
Important! To use this tool, you must have already installed the MS04-011 update. That’s a little tricky if you’re already infected, so you must follow these steps carefully.
To protect against this worm on systems that have not been infected, go to www.microsoft.com/technet/security/bulletin/ms04-011.mspx and install the Microsoft Security Update MS04-011 immediately. If you have a computer with Windows XP and have enabled the Windows XP Firewall, or have a third-party (software or hardware) firewall on any Windows OS, Microsoft says that you should be protected from attacks by this worm.
However, if you don’t have a firewall set up, go to the interactive page at www.microsoft.com/security/protect/ to view the specific steps and recommendations for your operating system, and make your computer more resistant to this type of attack when connecting to the Internet.
Check for other problems
Another tool from Microsoft is the Microsoft Baseline Security Analyzer (MBSA). MBSA Version 1.2 runs on Windows 2000 and XP with either a graphical or command line interface that can perform local or remote scans of Windows systems. The tool will scan for common system misconfigurations in the following products: Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, Internet Information Server (IIS), SQL Server, Internet Explorer, and Office. MBSA 1.2 will also scan for missing security updates for the following products: Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, IIS, SQL Server, IE, Exchange Server, Windows Media Player, Microsoft Data Access Components (MDAC), MSXML, Microsoft Virtual Machine, Commerce Server, Content Management Server, BizTalk Server, Host Integration Server, and Office. The MBSA can be found at download.microsoft.com/download/d/7/5/d757ff81-4f97-4a6d-a9d8-edea72363aa8/MBSASetup-en.msi.
Don’t let your guard down; this is a never-ending problem.
Beverly Rosenbaum, a HAL-PC member, is a 1999 and 2000 Houston Press Club “Excellence in Journalism” award winner. She can be reached at firstname.lastname@example.org.