Emergency Processing Report for Sasser Worm and its variants

Alva · Guest

Emergency Processing Report for Sasser Worm and its variants
(Version 1.3 11:30am May 7th, 2004 Upgrade for the tenth time)
Antiy Labs Cert

Ü AV Leach Pop Worm Killer (AVLpk) mini solution to Sasser
The program is a mini security solution which can detect, remove and immunize against the wild-list worms. It is developed by Antiy labs specially pointing to the pop worm viruses these days, such as Sasser. Not only can this program detect and remove multi-popular worms, but can always immunize from the worms with the mini-firewall inside. Therefore it can avoid the system collapse caused by the infection of Sasser and Blast.
This tool can buy customers enough time to download and install the patch, whose systems are attacked by viruses so frequently that cannot accomplish windows update. Especially, the immunity function also supplies a trusty protection to the customers who can't install the patch (e.g. some windows XP users).

Attention:
1. It may require users to restart system after removing the viruses.
2. It makes the users unable to visit other computers through My Network Places. If the visit is necessary, please cancel "starts immunity".
3. The program will update according to the development of the viruses.
4. The program can only detect and remove the viruses but cannot examine your system in all round, please download Antiy Ghostbusters which can supply trusty protection to your system.
Antiy Ghostbusters download link: http://www.antiy.net/ghostbusters/download.htm
AVLpk download addressĄGhttp://www.antiy.com/resource/freetools/avlpk.exe

Ü Situation introduction:
From the last ten days of Apr, 2004, Antiy Labs Cert found that the scan of the destination port 139, 445, 3127 increased through the VDS system we developed. Because the ports are the same as those of some Backdoor.Agobot (a kind of worm, named backdoor according to the earlier version.) variations occurred in Feb, only different in content, we concluded it a variation of Agobot. After that, Antiy Labs Cert has captured multi-variations such as Agobot.rr, and the .rr file harms largest. Since 25th Apr, it has severely affected some enterprise webs and Local telecom facilitators, even caused system collapse.
On May 1st 2004, VDS system appeared that the scanning to port 445 and an exploit alarm sharply increased. We analyzed itĄŚs a new kind of worm, and captured the sample through the honeypot, which named Worm.Win32.Sasser.
On May 2nd 2004, Antiy Labs Cert captured two variations of this worm. In the afternoon, Cert found that a mail virus sent mails in the name of Sasser killer. Through analyzing, we found itĄŚs the variation of a mail worm--netsky.
On May 3rd, Antiy Labs Cert captured a variation of Sasser.d through honeypot system.
On May 5th, Antiy Labs Cert received the worm pointed to MS SSL leaks made by a foreign virus organization. At present, it has not propagated in the network.
Because viruses such as Sasser seriously affected network resources and customer systems, and the further affection may cause, we specially write the emergency processing and preventing report.

Ü Virus data
Antiy Labs ASTS virus cards
Virus nameĄG Worm.Win32.Sasser.a
Virus typeĄG Worm of File type, propagates by leaks
Main file locationĄBfile nameĄG %Windir%\avserve.exe*
Main program sizeĄG 15872byte
Register primary keys
Ą@HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Ą@Ą@"avserve.exe" = C:\WINDOWS\avserve.exe
Virus characteristics Service through Microsoft lsassĄ]Ą^
Transport activelyĄArun activelyĄAunable to infect filesĄAachieve running automatically through modifying the register.
Variation characteristics
*The virus also can create????_up.exe file in the directory %windir%system32ĄAfor remote procedure launch. This file is a copy of the virus itselfĄAbut doesnĄŚt run in local host.

Virus nameĄG Worm.Win32.Sasser.b
Virus type Worm of File Type, propagates by leaks, runs activelyĄAunable to infect files.
Main file locationĄBfile nameĄG %Windir%\avserve2.exe*
Main program sizeĄG 15872byte
Register primary keys
Ą@HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Ą@Ą@"avserve.exe" = C:\WINDOWS\avserve2.exe
Virus characteristics Same with A
Variation characteristics Almost no difference with A , besides the adjustment of mutex nameĄBmain file name and register primary keys modification.

Virus nameĄG Worm.Win32.Sasser.c
Virus type Worm of File Type, propagates by leaks, runs activelyĄAunable to infect files
Main file locationĄBfile nameĄG %Windir%\avserve2.exe
Main program sizeĄG 15872byte
Register primary keys
Ą@HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Ą@Ą@"avserve.exe" = C:\WINDOWS\avserve.exe
Virus characteristics Same with A
Variation characteristics Adjust scanning thread quantity from128 to 1024, so that the propagation ability can be increased, also the mutex changes.

Virus nameĄG Worm.Win32.Sasser.d
Virus type File Type worm, propagates by leaks, runs activelyĄAunable to infect files
Main file locationĄBfile nameĄG %Windir%\avserve.exe
Main program sizeĄG 16384byte
Register primary keys
Ą@HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current Version\Run
"skynetave" = %WinDir%\skynetave.exe
Virus characteristics The variation is unsuccessfulĄAit can not run normally in mass of Windows 2000.

Virus nameĄG Backdoor.Agobot.Based
Virus type Worm of File type, have ten more variations, propagates by leaks and code cracking, runs actively, unable to infect files.
Main file locationĄBfile nameĄG Ą]Agobot.rrĄ^ %system%\ msiwin84.exe or Microsoft.exe
Ą]Agobot.rqĄ^%system%\wmiprvsw.exe
Have many variations, that canĄŚt array one by one.
Main program sizeĄG Agobot.rr ĄA15872byte
Agobot.rqĄA332800byte
register primary keys
Agobot.rr
Ą@Location:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
or
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

named
"Microsoft Update"="msiwin84.exe"
or
"Microsoft Update"="Microsoft.exe"

Agobot.rq
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

"System Updater Service=wmiprvsw.exe"

Virus characteristics Agobot appeared many variations in Apr, especially in the last days, rr and rq including are more harmful variations in Agobot family. It propagates by known leaks, and can crack the passwords. It can break down anti-virus software; even make visitors unable to enter anti-virus web sites through modifying the hosts.

Virus nameĄG I-Worm.Netsky.ad
Virus type E-mail Worm
Main file locationĄBfile nameĄG %Windir%\msiwin84.exe or Microsoft.exe
Main program sizeĄG 18432 byteĄ]main programĄ^
36864byteĄ]mail attachment fileĄ^
Register primary keysĄG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"wserver"="%Windir%\wserver.exe"
Virus characteristics ItĄŚs 30th variation of Netsky familyĄAthe main characteristic is that it uses a special instrument to pretend anti-virus tools to send letters, and the panic caused by Sasser. Synchronously, the worm accessories use the extended name of register file "cpl".
Virus nameĄG Worm.Win32. SSL
Virus type File Type worm, propagates by leaks, runs activelyĄAunable to infect files
Main file locationĄBfile nameĄG %Windir%\worm.exe
Main program sizeĄG 1107016byteĄ]rar sfx Self Extraction Directive fileĄ^
Register primary keysĄG
Not modify the register.
Virus characteristics A kind of worm propagates by MS SSL leaks, through rar Self Extraction Directive package, including scannerĄBexploit programĄBftp service program. After getting IP address by scanner, it causes target overflow by exploiting the relative leaksĄAand then creates a inverted link for transporting.

Ü Detection of the worm
1. For network AdministratorsĄBsecurity guard
a. Identify Sasser virus:
If a large amount portscans on port 445 can be detected in the network, it indicates Sasser virus.
b. Identify Backdoor.Agobot. Variation virus:
If a large amount of portscans on ports 80, 135, 139, 1025, 445, 2745, 3127, 6129 can be detected in the network; it indicates Backdoor.Agobot variation virus.
The VDS system developed by Harbin Institute of Technology and Antiy labs can detect and locate these viruses.

2. For Hostl users
Viruses can be detected by updating the virus database of the anti-virus soft wares.
Viruses can be identified by checking the viruse locating directories and the register primary keys in the virus cards.
Customers can use the commands and tools below for detection:
Through Netstat command, you can found whether the system has opened numbers of ports.
For identifying the virus programs, if you found there are a mass of ports opened with Antiy PortĄ]graphical interfaces toolĄ^or ApromanĄ]character interfaces toolĄ^, the program is probably the virus or other scanning type worms.
Antiy Port download addressĄG
http://www.antiy.com/resource/freetools/AntiyPorts.exe
Aproman download addressĄG
http://www.antiy.com/resource/freetools/AProMan.exe

3. Identify netsky.ad worm mail
mail subjectĄGEscalation
The virus names and mail address of anti-virus companies may change.
Attention: Any anti-virus corporation, including operation System Corporation, will not send customers executable programs directly, except the customer has contacted them.

4. Emergency Processing scheme

Ü Emergency processing solution
Enterprise users and telecom users, if having no operational needĄAmay block the ports 135, 139, 445, 1025, 3127, 6129
WhatĄŚs more, many companies and organizations gave alarms to Antiy Labs that all foreign IP addresses were not accessible. After active research we got to know that the IP addresses of these companies are totally forbidden by foreign countries, and we consider it may have a large flux suffering from the viruses attack.
So these companies should detect and remove the viruses actively.
Personal computer users can block the ports above by setting the firewall firstĄAand then run windows update through network.
NowĄAthe latest database of main Anti-virus products can detect and delete the virus.

Appendix: Antiy Ghostbusters
Antiy labs has developed the integrated security solution--Antiy Ghostbusters, including virus detection and remove to viruses, security diagnostic tools and mini firewall. AGB3 Chinese Edition and AGB4 English Edition always supply undated trial version for customersĄAand you can update your database and firewall with no limitation.
Antiy Ghostbusters download address as follows:
AGB 4 English Standard Edition
http://www.antiy.net/download/agb4s.exe

AGB 4 English Professional Edition
http://www.antiy.net/download/agb4p.exe

AGB 4 English Advanced Edition
http://www.antiy.net/download/agb4a.exe

In order to clean the viruses in the system as soon as possible and reduce the threats they bring,
Antiy provides:

AGB 4.0 English Edition full functional 30 days limited registered files download:
http://www.antiy.net/ghostbusters/key/certlse.alf

After the registered files expireĄAit wonĄŚt affect the update of database and the use of firewall, but it can detect the viruses only.

The customers, who have installed AGB4, can prevent the attack by modifying the firewall rules. At the same time, customers can download and copy the modified rule file of firewall we supplied to cover the former file, which can prevent the attacking of Backdoor.Agobot and Sasser worms.
Attention: Blocking system ports (139/445) may affect the customersĄŚ normal use to these servers. If you are sure that you want to use the servers of these ports, please update your system patch and modify the firewall rules according to your own situation.

Rule file of firewall download address:
http://www.antiy.com/update/firewall/firewall.dat

If you find the Trojans and worms which AGB canĄŚt detectĄAplease send the sample to

WeĄŚll supply technical support within 24 hours.


	Home ˇ Topics ˇ Submit News ˇ Top 10 This entire site, Cops Themes, and Computer Cops are Š 2002 - 2004 Computer Cops, LLC. All rights reserved. You can syndicate our news using the file RSS 0.91, ultramode.txt, or RSS 1.0. Acceptable Use Policy. Use signifies your agreement. Engine Copyright Š 2002 by PHP-Nuke, GNU/GPL Licensed. ICRA Member. Paul Laudanski, Member of Computer Cops, LLC Server Load: 885 pages served in previous 5 minutes. Page Rendered: 0.395 seconds.