Quote:
Originally posted by sandt38@May 13 2004, 10:32 AM
Mine is an interesting variant in that it will not allow a keystroke. I am offered no warning, just an immediate shutdown. My anti-virus and firewall were both updated the day before it surfaced in my computer, so they were useless. When the computer stays booted for a few minutes I can see both my firewalls and both my anti-virus have been disabled. A note: I use ME. While it is indicated that ME and older OSes are not affected, it seems to be a fairly common belief that MS just doesn't want to create a patch and offer support for OS platforms they are no longer selling... let's save money at the customers' expense.
Unfortunately, being the moron I am, I continued to start the computer and drive it deeper into the drive. Every time I started the computer it degenerated more.
Downloading the repair would be great if:
1) I could get online with the computer, and
2) MS would admit older systems are affected and create a repair patch for ME OSes.
|
Well, it is not MS that needs to admit it, in reality.
MS never admits anything until the security companies put it out there.
The LSASS vulnerability would not have been admitted by MS directly until Sasser came out, to begin with.
However, I would highly advise upgrading or DOWNGRADING from ME; ME is by FAR the worst Windows version out.
98 was A LOT better.
2000 was better yet.
XP is OK if your system has the resources to pull it off.
Also, how did you come to know it was Sasser?????
It does not really sound like Sasser.
Here is what that worm does:
When W32.Sasser.F.Worm runs, it does the following:
1. Attempts to create a mutex named billgate and exits if the attempt fails. This ensures that no more than one instance of the worm can run on a computer at any time.
2. Copies itself as %Windir%\napatch.exe.
Note: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
3. Adds the value:
"napatch.exe"="%Windir%\napatch.exe"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the worm runs when you start Windows.
4. Uses the AbortSystemShutdown API to hinder the attempts to shut down or restart the computer.
5. Starts an FTP server on TCP port 5554. This server is used to spread the worm to other hosts.
6. Retrieves the IP addresses of the infected computer, using the Windows API, gethostbyname.
Note: The worm will ignore any of the following IP addresses:
* 127.0.0.1
* 10.x.x.x
* 172.16.x.x - 172.31.x.x (inclusive)
* 192.168.x.x
* 169.254.x.x
7. Generates another IP address, based on one of the IP addresses retrieved from the infected computer.
* 25% of the time, the last two octets of the IP address are changed to random numbers. For example, if A.B.C.D is the IP address retrieved in step 6, C and D will be random.
* 23% of the time, the last three octets of the IP address are changed to random numbers. For example, if A.B.C.D is the IP address retrieved in step 6, B, C, and D will be random.
* 52% of the time, the IP address is completely random.
Notes:
* Because the worm creates completely random addresses 52% of the time, any IP address can be infected, including those ignored in step 6.
* This process is made up of 128 threads, which demands a lot of CPU time. As a result, an infected computer may become slow and barely usable.
8. Connects to the generated IP address on TCP port 445 to determine whether a remote computer is online.
9. If a connection is made to a remote computer, the worm will send shell code to it, which may cause it to open a remote shell on TCP port 9996.
10. Uses the shell on the remote computer to reconnect to the infected computer's FTP server, running on TCP port 5554, and to retrieve a copy of the worm. This copy will have a name consisting of four or five digits, followed by _up.exe. For example, 74354_up.exe.
11. The Lsass.exe process will crash after the worm exploits the Windows LSASS vulnerability. Windows will display an alert and shut down the system in one minute.
12. Creates a file at C:\win2.log that contains the IP address of the computer that the worm most recently attempted to infect, as well as the number of infected computers.
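Since the question in this thread is "how do you know it is Sasser?", the description above can be turned into a host triage check. The following is an added example, not code from the thread or from Symantec: it encodes the W32.Sasser.F indicators listed (the billgate mutex, %Windir%\napatch.exe, the Run value, TCP 5554/9996, C:\win2.log, the NNNNN_up.exe dropper name), the skip list from step 6, and the target-address generator from step 7. The host snapshot it runs over is constructed inline so the script works offline; on a real machine you would fill the same fields from tasklist, reg query and netstat -an. The HostSnapshot structure and the FixedRng stub are this example's own inventions, not anything the worm or Windows provides.

```python
"""Triage helpers for the W32.Sasser.F indicators described in the post.

Added example, not from the thread or from Symantec. The snapshot data
below is constructed for demonstration; the field names are assumptions.
"""
import ipaddress
import random
import re
from dataclasses import dataclass

# Dropper copies pulled over the worm's FTP server: 4 or 5 digits + _up.exe
DROPPER_NAME_RE = re.compile(r"^\d{4,5}_up\.exe$", re.IGNORECASE)

# Address ranges the worm's generator skips (step 6). Note the description
# lists only 127.0.0.1, not the whole loopback /8, so that is what we encode.
IGNORED_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.1/32", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16")]


def is_ignored_ip(ip: str) -> bool:
    """True if the worm would refuse to use this local address as a base."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in IGNORED_NETS)


def next_target(base_ip: str, rng) -> str:
    """Step 7: derive the next victim address from one of the host's own.

    rng needs random() in [0, 1) and randrange(n); pass random.Random(seed)
    for a real run or FixedRng below for a reproducible one. The 52% branch
    does not consult the skip list, which is why private ranges still get hit.
    """
    a, b, c, d = (int(x) for x in base_ip.split("."))
    roll = rng.random()
    if roll < 0.25:                      # 25%: randomise C and D
        c, d = rng.randrange(256), rng.randrange(256)
    elif roll < 0.48:                    # 23%: randomise B, C and D
        b, c, d = (rng.randrange(256) for _ in range(3))
    else:                                # 52%: completely random
        a, b, c, d = (rng.randrange(256) for _ in range(4))
    return f"{a}.{b}.{c}.{d}"


class FixedRng:
    """Deterministic stand-in for random.Random (example-only stub)."""
    def __init__(self, roll: float, octet: int = 7):
        self.roll, self.octet = roll, octet
    def random(self) -> float:
        return self.roll
    def randrange(self, n: int) -> int:
        return self.octet % n


@dataclass
class HostSnapshot:
    """Assumed shape of what you would gather from a suspect machine."""
    windir: str                 # e.g. C:\WINDOWS
    files: set                  # full paths present on disk
    run_values: dict            # HKLM\...\CurrentVersion\Run name -> data
    listening_tcp: set          # ports in LISTENING state
    mutexes: set                # named mutexes held by running processes


def check_sasser_f(snap: HostSnapshot) -> list:
    """Return the Sasser.F indicators found; an empty list means no match."""
    hits = []
    lower_files = {f.lower() for f in snap.files}
    body = f"{snap.windir}\\napatch.exe"
    if "billgate" in snap.mutexes:
        hits.append("mutex billgate present")
    if body.lower() in lower_files:
        hits.append(f"worm body {body}")
    run_val = snap.run_values.get("napatch.exe", "")
    if run_val.lower() == body.lower():
        hits.append(f"Run value napatch.exe -> {run_val}")
    for port, role in ((5554, "FTP server"), (9996, "remote shell")):
        if port in snap.listening_tcp:
            hits.append(f"TCP {port} listening ({role})")
    if "c:\\win2.log" in lower_files:
        hits.append("C:\\win2.log present")
    for f in sorted(snap.files):
        if DROPPER_NAME_RE.match(f.rsplit("\\", 1)[-1]):
            hits.append(f"dropper copy {f}")
    return hits


# Constructed snapshots: one matching every indicator, one clean.
INFECTED = HostSnapshot(
    windir="C:\\WINDOWS",
    files={"C:\\WINDOWS\\napatch.exe", "C:\\win2.log",
           "C:\\WINDOWS\\74354_up.exe", "C:\\WINDOWS\\explorer.exe"},
    run_values={"napatch.exe": "C:\\WINDOWS\\napatch.exe"},
    listening_tcp={135, 445, 5554},
    mutexes={"billgate"})
CLEAN = HostSnapshot(windir="C:\\WINDOWS", files={"C:\\WINDOWS\\explorer.exe"},
                     run_values={}, listening_tcp={135, 445}, mutexes=set())

if __name__ == "__main__":
    for h in check_sasser_f(INFECTED):
        print("HIT:", h)
    print("clean host hits:", check_sasser_f(CLEAN))
    print("sample target from 1.2.3.4:", next_target("1.2.3.4", random.Random(1)))
```

The indicators are specific to the F variant's file and mutex names, so a host that matches none of them is not cleared of Sasser in general; the LSASS crash and one-minute shutdown described in step 11 are the behaviour shared across variants and the part that needs patching regardless.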