nomorespyware Warrior Sleuth Expert

Joined: 19 Jan 2004 Last Visit: 04 Feb 2007 Posts: 219
|
Posted: Mon May 03, 2004 6:01 am Post subject: How does it work? |
|
|
http://www.cnn.com/2004/TECH/internet/05/03/sasser.worm.reut/index.html
| Quote: |
| The worm does not need to be activated by double-clicking on an attachment, and can strike even if no one is using the PC at the time. When a machine is infected, error messages may appear and the computer may reboot repeatedly. |
I guess I don't understand exactly how it infects if no one is even using the computer at the time. |
Chachazz Update Expert

Joined: 08 Apr 2004 Last Visit: 07 May 2008 Posts: 376
|
Posted: Mon May 03, 2004 12:12 pm Post subject: |
|
|
Differences in Sasser A-B-C-D variants
Differences between variant A and B were changes to the code to implement a pseudo-forking mechanism when exploiting hosts. Variant C changed the number of scanning threads to 1024 instead of 128. Variant D changed the number of scanning threads back to 128 and implemented an ICMPSendEcho API call prior to connecting to a host via TCP in order to speed up scanning (much in the same way the Welchia worm does). Due to a bug, the D variant does not appear to run on Windows 2000, so an E variant may be forthcoming shortly.
http://www.lurhq.com/sasser.html
Credit to psloss(member) at BBR
_________________ Chachazz
Gladiator Security | Member A.S.A.P. |
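An added detection sketch, not part of the post above or of the LURHQ analysis it quotes: it flags sources that sweep many hosts in a short window and separates the echo-request-then-TCP behaviour described for variant D from plain TCP sweeps. The flow records, addresses, thresholds and the port number are constructed assumptions.

```python
from collections import defaultdict

# Constructed flow records: (seconds, source, destination, protocol, dest_port).
# Port 445 is an assumption; the post does not name the port being scanned.
def make_flows():
    flows = []
    for i in range(1, 41):  # 10.0.0.5: echo request, then TCP to the same host
        dst = f"192.0.2.{i}"
        flows.append((i * 0.10, "10.0.0.5", dst, "icmp", None))
        flows.append((i * 0.10 + 0.02, "10.0.0.5", dst, "tcp", 445))
    for i in range(1, 41):  # 10.0.0.9: TCP attempts with no echo first
        flows.append((i * 0.10, "10.0.0.9", f"198.51.100.{i}", "tcp", 445))
    # 10.0.0.7: an ordinary client talking to one file server
    flows += [(t, "10.0.0.7", "10.0.0.2", "tcp", 445) for t in (1.0, 2.0, 3.0)]
    return sorted(flows, key=lambda f: f[0])

def find_scanners(flows, port=445, window=10.0, min_targets=30, ping_gap=1.0):
    """Flag sources reaching >= min_targets distinct hosts on `port` within
    `window` seconds (illustrative thresholds); note if an echo came first."""
    last_ping = {}                  # (src, dst) -> time of last echo request
    attempts = defaultdict(list)    # src -> [(time, dst, pinged_first)]
    for ts, src, dst, proto, dport in flows:
        if proto == "icmp":
            last_ping[(src, dst)] = ts
        elif proto == "tcp" and dport == port:
            pinged = ts - last_ping.get((src, dst), float("-inf")) <= ping_gap
            attempts[src].append((ts, dst, pinged))
    findings = {}
    for src, rows in attempts.items():
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1          # slide the window forward in time
            span = rows[start:end + 1]
            targets = {dst for _, dst, _ in span}
            if len(targets) >= min_targets:
                ratio = sum(p for _, _, p in span) / len(span)
                findings[src] = "ping-then-connect" if ratio >= 0.9 else "connect-only"
                break
    return findings

if __name__ == "__main__":
    for src, kind in sorted(find_scanners(make_flows()).items()):
        print(src, kind)
```
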
linc Warrior

Joined: 18 Feb 2004 Last Visit: 22 Dec 2006 Posts: 104 Location: uk
|
Posted: Tue May 04, 2004 11:25 am Post subject: |
|
|
It might be a poorly written worm, but it knocked out the national lifeboats computers, here in the UK.
It's about time these people realised what trouble they cause, pity the writer of this wasn't in trouble at sea this morning.
About time they got a life.
_________________ I'm not worried by insanity--I enjoy every minute of it
wawadave Warrior Obsessed

Joined: 25 Jan 2004 Last Visit: 24 Jul 2009 Posts: 3448 Location: Illegitimus non carborundum
|
Posted: Tue May 04, 2004 9:15 pm Post subject: |
|
|
by Paul Thurrott, thurrott@winnetmag.com
New Worm Threatens to Be the Next Slammer
A new Internet worm that exploits a software vulnerability revealed
in Microsoft's April 2004 monthly security patch is threatening to
become the next high-volume attack on Windows-based systems. Security
experts warn that the Sasser worm could affect millions of Windows
computers by the time it peaks sometime Monday because these types of
attacks typically pick up steam when the workweek begins. For the
complete story, visit the following URL:
http://www.winnetmag.com/article/articleid/42523/42523.html
_________________ RFID tags! SPYWARE
Tired of proprietary Cor-pirationware?
http://www.openoffice.org/
Installing Vista http://tinyurl.com/2l9qyd |
nomorespyware Warrior Sleuth Expert

Joined: 19 Jan 2004 Last Visit: 04 Feb 2007 Posts: 219
|
Posted: Wed May 05, 2004 5:47 am Post subject: Something alarming |
|
|
I receive several emails a day from my website to my Yahoo account, people infected with some nuisance and asking for help in getting rid of it. The account also receives its fair share of spam email which has always been easy to recognize and delete without opening.
However, recently I've been receiving an alarming rate of emails obviously from people who need help with subject lines like "help, SpyDeleter has taken over my machine" or "need help with messagebroadcaster", yet these emails are coming in with attachments. I'm afraid to open them and wonder if they're carrying this worm or something similar.
I hate to turn my back on someone in need, yet don't want to be infected by opening a bad email. I would say about 1/3 of the legitimate emails I'm now receiving show attachments. I'm hearing that this worm can launch itself just by opening an email even if you don't click on the attachment. Any suggestions? |
suzi Site Admin

Joined: 27 Jul 2003 Last Visit: 21 May 2013 Posts: 10271 Location: sunny California
|
Posted: Wed May 05, 2004 7:36 am Post subject: |
|
|
I've had the same thing happen a few times. I emailed the person back and told them not to send me email with attachments because I would not open the email. If they legitimately need help, they will email you back without attachments.
In my case, people have emailed attachments with HJT logs a few times. But I do not open them.
_________________ Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn. |
wawadave Warrior Obsessed

Joined: 25 Jan 2004 Last Visit: 24 Jul 2009 Posts: 3448 Location: Illegitimus non carborundum
|
Posted: Wed May 05, 2004 7:48 am Post subject: |
|
|
Hello, I have the mail virus problem under control. If I have strange email, I open them up on the Linux machine to see exactly what they are and what they do. |
wawadave Warrior Obsessed

Joined: 25 Jan 2004 Last Visit: 24 Jul 2009 Posts: 3448 Location: Illegitimus non carborundum
|
Posted: Wed May 05, 2004 9:07 am Post subject: |
|
|
Of course, all the companies that provide preventive measures,
including makers of antivirus software and Intrusion Detection
Systems, are updating their tools to provide protection. Some have
also provided removal tools in case your systems have become infected
by the Sasser worm variants. If your systems have become infected and
you need quick help removing worms, check with your antivirus vendor
to determine whether it's released Sasser removal tools.
Microsoft has released a bulletin regarding the Sasser worm as well as
a tool that helps with worm removal. You can find it at the first URL
below. If you need help with worm removal, remember that Microsoft
provides free support for security matters. United States and Canadian
residents can reach the company toll free at 866-727-2338, or anyone
can go to the second URL below and click the "Send us an online
request for support" link.
http://www.microsoft.com/downloads/details.aspx?familyid=76c6de7e-1b6b-4fc3-90d4-9fa42d14cc17&displaylang=en
http://www.microsoft.com/security/protect/support.asp
wawadave Warrior Obsessed

Joined: 25 Jan 2004 Last Visit: 24 Jul 2009 Posts: 3448 Location: Illegitimus non carborundum
|
Posted: Thu May 06, 2004 7:38 am Post subject: |
|
|
The new Sasser.D worm aggravates the epidemic
that is sweeping across the Internet -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)
Madrid, May 03 2004 - PandaLabs has detected the appearance of a new variant
of the Sasser worm (Sasser.D) -very similar to its predecessors- which,
according to the data gathered by the multinational's International Alerts
Network, has started to cause incidents.
In order to combat the effects of the epidemic triggered by the variants of
the Sasser worm, Panda Software has made two new PQRemove utilities
available to all users. These applications can clean infected computers and
restore the configuration computers had prior to the worm's attack.
The first PQRemove is specific for networks and removes Sasser and all of
its variants from any network that could have been affected. You can
download at: http://www.pandasoftware.com/support/
The second PQRemove application cleans every computer that could have been
attacked by Sasser.D. You can download at:
http://www.pandasoftware.com/download/utilities/
Far from receding, the global epidemic unleashed by Sasser and its variants
is expanding progressively. As expected, the number of companies whose
network has been affected by these dangerous worms is increasing. According
to The Daily Telegraph, Sydney's railway radio communication network has
been seriously affected by a computer virus. Besides, some 300 million
computers worldwide are vulnerable to attack by the Sasser worm, which gives
an idea of the potential scale of the threat.
There can be no doubt about the intentions of the creators of these worms:
to put as many viruses as possible in circulation in order to multiply the
probability of infection. Luis Corrons, head of PandaLabs warns of the
threat: "New variants of Sasser will continue to appear in the next few
hours, and it will be necessary to be protected. To ensure this, users
should install the Microsoft patch that corrects the vulnerability exploited
by Sasser".
Panda Software informs users that the new worms can be detected and
disinfected with an up-to-date antivirus, but it is important to install the
Microsoft patch to ensure that Sasser.A doesn't re-infect computers. The
vulnerability exploited by this worm was reported by Microsoft recently in
bulletin MS04-011
(http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx), along
with the patch. Panda Software has made the updates necessary to its
products available to clients.
Panda Software's online support center
(http://www.pandasoftware.com/support/) also offers help to users.
Panda Software clients can update their antivirus through the applications
installed on their computers.
In addition, the users can scan their computers on line for free with the
ActiveScan solution, available in the company web page
http://www.pandasoftware.com.
More information about these and other IT threats is available from
http://www.pandasoftware.com/virus_info/encyclopedia/