March 15, 2010

New Worm Mimics Sasser, Exploits LSASS Vulnerability

The arrest of the alleged creator of the Sasser worms has not slowed the pace of new malicious code. PandaLabs has detected a new worm, Cycle.A (W32/Cycle.A.worm), which, like Sasser and its variants, exploits the LSASS vulnerability in some Windows versions to infect computers over the Internet.

The scenario has changed, however, as indicated by text embedded in the worm's code. In it the author, using the alias Cyclone, claims to be Iranian and refers to the social and political situation in his country. The full text of the message is reproduced in Panda Software's Virus Encyclopedia.

Cycle.A probes TCP port 445 on target computers to check whether the system is vulnerable. If it is, the worm makes the affected computer download a copy of the worm named CYCLONE.EXE. The download only succeeds, however, if the TFTP client (TFTP.EXE) is present on the target system.

Additionally, regardless of whether the copy succeeds, the exploit attempt itself crashes LSASS.EXE, which causes the targeted computer to restart every 60 seconds.

According to a Panda Software spokesperson, the vendor is not surprised to see a new worm that exploits the LSASS vulnerability. The company believes, though, that the real problem is that many people now possess the exploit code for this security hole and can incorporate it into their own creations. Panda Software officials consider it very likely that new variants of Sasser and Cycle, as well as other malicious code that behaves like them, will appear in the future.

Meanwhile, the members of the Sasser worm family, including Sasser.E, the latest variant, continue to cause incidents on computers worldwide.

In order to prevent your computer from falling victim to Cycle.A, Sasser and its variants, or any other worm that exploits the LSASS vulnerability, it is necessary to install the Microsoft patch available from:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx.

Panda Software also advises users to tighten security measures, ensure that they have a fully updated antivirus installed and keep themselves informed of any new viruses that could appear.

Symantec also issued an alert for W32.Cycle and reports that the worm attempts to exploit the Microsoft Windows LSASS Buffer Overrun Vulnerability. Technical details are at this Symantec page.

Latest Sasser Variant Scans Random IP Addresses to Spread

W32.Sasser.F.Worm is a variant of W32.Sasser.Worm. This worm attempts to exploit the LSASS vulnerability described in Microsoft Security Bulletin MS04-011. It spreads by scanning randomly selected IP addresses for vulnerable systems.

W32.Sasser.F.Worm differs from W32.Sasser.Worm as follows:

  • Uses a different mutex: billgate.
  • Uses a different file name: napatch.exe.
  • Creates a different value in the registry: "napatch.exe".

Technical details are at this Symantec page.

According to McAfee, W32/Sasser.worm.f is similar to W32/Sasser.worm.a. It has been repacked using PECompact and is proactively detected as Exploit-DcomRpc using engine 4.3.20 together with DATs 4288 and above. This detection requires scanning of compressed executables to be enabled.

This variant differs from W32/Sasser.worm.a in the filename and registry keys it uses: the filename is napatch.exe (74,752 bytes).

This self-executing worm spreads by exploiting a Microsoft Windows vulnerability [MS04-011 (CAN-2003-0533)].

Unlike many recent worms, this virus does not spread via email. No user intervention is required to become infected or to propagate the virus further. The worm works by instructing vulnerable systems to download and execute the viral code.

Note: Infected systems should install the Microsoft update (MS04-011) to be protected from the exploit used by this worm.

Trend Micro reports that Worm_Sasser.F exploits the Windows LSASS vulnerability, a buffer overrun that allows remote code execution and enables an attacker to gain full control of the affected system.

Unlike earlier variants, it drops its copy as NAPATCH.EXE and checks for the mutex billgate.

To propagate, it scans the network for vulnerable systems. When it finds one, the malware sends a specially crafted packet that produces a buffer overflow in LSASS.EXE.

It then creates the script file CMD.FTP, which contains instructions for the vulnerable system to download and execute a copy of the malware from the remote infected system via FTP on port 5554.

This worm can cause LSASS to crash and force Windows to restart, in which case certain message boxes may also appear. View them and other information at this Trend Micro page.
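Both write-ups above describe the same two network behaviours: an infected host sweeps TCP/445 across many addresses, and each new victim then pulls the payload back from the infected host (over the FTP server Sasser.F starts on port 5554, or over TFTP for Cycle.A). The following Python script is an added example, not code from Panda, Symantec, McAfee or Trend Micro. It runs those two rules over a constructed firewall log in an assumed one-connection-per-line format; the fan-out threshold of 10 distinct targets and the use of standard UDP/69 for the TFTP pull are assumptions, not facts from the advisories.

```python
"""Flag hosts whose traffic looks like an LSASS worm (Cycle.A, Sasser.F).

Rule 1: a source that contacts TCP/445 on many distinct hosts is scanning.
Rule 2: a connection to TCP/5554 (Sasser.F's FTP server) or UDP/69 (assumed
        standard TFTP, used by Cycle.A) is a victim fetching the payload, so
        the *destination* of that connection is the infected host.
"""
import re
from collections import defaultdict

# Assumed log syntax for this example; adapt the regex to the real firewall format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def constructed_sample():
    """Constructed firewall log lines (not captured traffic)."""
    lines = [
        # infected 10.0.0.5 sweeps TCP/445 across 25 distinct random-looking hosts
        f"2004-05-10T08:12:{i:02d} src=10.0.0.5:{1031 + i} "
        f"dst=192.168.{i}.{(37 * i) % 254 + 1}:445 proto=tcp"
        for i in range(25)
    ]
    lines += [
        # benign workstation reaching its two file servers on 445
        "2004-05-10T08:12:05 src=10.0.0.9:1100 dst=10.0.2.10:445 proto=tcp",
        "2004-05-10T08:12:06 src=10.0.0.9:1101 dst=10.0.2.11:445 proto=tcp",
        # freshly exploited victim pulls napatch.exe from the scanner's FTP port
        "2004-05-10T08:12:30 src=192.168.3.112:1035 dst=10.0.0.5:5554 proto=tcp",
        # another victim pulls CYCLONE.EXE over TFTP
        "2004-05-10T08:12:31 src=192.168.7.8:1040 dst=10.0.0.5:69 proto=udp",
    ]
    return lines


def parse_line(line):
    """Return a dict for one connection record, or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def analyze(lines, fanout_threshold=10):
    """Apply both rules; the threshold is an assumed tuning value."""
    targets_445 = defaultdict(set)   # src -> distinct hosts probed on 445
    payload_pulls = []               # (kind, victim, infected host)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"] == "tcp" and rec["dport"] == 445:
            targets_445[rec["src"]].add(rec["dst"])
        elif rec["proto"] == "tcp" and rec["dport"] == 5554:
            payload_pulls.append(("sasser-ftp", rec["src"], rec["dst"]))
        elif rec["proto"] == "udp" and rec["dport"] == 69:
            payload_pulls.append(("tftp", rec["src"], rec["dst"]))
    scanners = {src: len(dsts) for src, dsts in targets_445.items()
                if len(dsts) >= fanout_threshold}
    serving = {dst for _, _, dst in payload_pulls}
    return {
        "scanners": scanners,
        "payload_pulls": payload_pulls,
        "likely_infected": sorted(set(scanners) | serving),
    }


if __name__ == "__main__":
    result = analyze(constructed_sample())
    for host, n in result["scanners"].items():
        print(f"{host}: probed TCP/445 on {n} distinct hosts")
    for kind, victim, source in result["payload_pulls"]:
        print(f"{victim} fetched payload from {source} via {kind}")
    print("likely infected:", ", ".join(result["likely_infected"]))
```

The fan-out count is deliberately per distinct destination rather than per packet, so a workstation that opens many sessions to the same file server is not flagged; in production the count should additionally be bounded to a time window, since random-IP scanning is fast while legitimate 445 use accumulates slowly.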

IRC Trojan/Worm Establishes Channel to Remote Server for Intruder

W32/Agobot-QA is an IRC backdoor Trojan and network worm that connects to an IRC channel on a remote server in order to grant an intruder access to the compromised machine.

The worm moves itself into the Windows System32 folder under the filename SYSTEMC.EXE and may create the following registry entries so that it executes automatically on system restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SysStrt = systemc.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\SysStrt = systemc.exe

The following registry branches will also be created:

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSTEM_START\
HKLM\SYSTEM\CurrentControlSet\Services\System Start\
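The Run and RunServices entries above are how this worm and the Sasser variants persist, so checking those keys is the first triage step on a suspect machine. The following Python script is an added example, not Sophos code: it parses a registry export (the .reg text format produced by regedit) and flags autorun values whose executable either matches one of the filenames named on this page or is a bare filename with no path, which is what the entries above look like. The sample export is constructed for the example, and the indicator list is limited to names that appear in this article.

```python
"""Triage Run/RunServices autorun entries from a .reg export."""
import re

# Constructed .reg export for the example (not from a real machine): one
# legitimate entry beside the SysStrt value described for W32/Agobot-QA.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SysStrt"="systemc.exe"
"SoundMan"="C:\\WINDOWS\\system32\\soundman.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"SysStrt"="systemc.exe"
"""

AUTORUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}

# Filenames taken from this article: Agobot-QA, Sasser.F and Cycle.A droppers.
IOC_FILENAMES = {"systemc.exe", "napatch.exe", "cyclone.exe"}

REG_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def _unescape(s):
    """Undo .reg string escaping: \\ -> \ and \" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key path: {value name: string data}} for quoted string values."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        km = REG_KEY_RE.match(line)
        if km:
            current = km.group("key")
            keys.setdefault(current, {})
            continue
        vm = REG_VALUE_RE.match(line)
        if vm and current is not None:
            data = vm.group("data")
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][_unescape(vm.group("name"))] = data
    return keys


def triage_autoruns(text, iocs=IOC_FILENAMES):
    """Flag autorun values by known bad filename or by path-less command."""
    findings = []
    for key, values in parse_reg(text).items():
        if key.lower() not in AUTORUN_KEYS:
            continue
        for name, command in values.items():
            exe = command.split()[0].strip('"') if command else ""
            basename = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            reasons = []
            if basename in iocs:
                reasons.append("ioc-name")
            if exe and "\\" not in exe:
                # A bare filename is resolved through the search path at boot,
                # exactly what the SYSTEMC.EXE / napatch.exe entries rely on.
                reasons.append("bare-filename")
            if reasons:
                findings.append({"key": key, "name": name,
                                 "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_autoruns(SAMPLE_REG):
        print(f"{f['key']}\\{f['name']} = {f['command']}  [{', '.join(f['reasons'])}]")
```

On a live system the same check can be run against the output of `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and the RunServices key, which only exists on Windows 9x/Me); the bare-filename rule is the more durable one, since each new variant changes the dropper name but keeps the same persistence mechanism.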

W32/Agobot-QA may also attempt to collect email addresses from the Windows Address Book and send itself to those addresses using its own SMTP engine, with itself included as an executable attachment.

W32/Agobot-QA may attempt to terminate anti-virus and other security-related processes, as well as other viruses, worms or Trojans. View some examples and other information at this Sophos page.

--Compiled by Esther Shein
