What you need to know about the Sasser worm

Discussion in 'Computer Security' started by Bottom Line Computer, May 24, 2004.

  1. The Sasser worm - what you need to know

    http://www.microsoft.com/security/incident/sasser.asp What Microsoft says about Sasser...

    The Sasser worm exploits a vulnerability in Microsoft operating systems Windows XP and Windows 2000, known as the LSASS vulnerability.

    Microsoft acknowledges this vulnerability in the critical security bulletin
    http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx MS04-011 .

    Microsoft has a patch for the vulnerability, called security update 835732.

    What else you need to know...

    The real danger is not Sasser itself, but http://news.com.com/2100-7349_3-5204667.html?tag=nl variants of Sasser , which exploit the same LSASS vulnerability.

    This worm does not propagate by email or by malicious scripts on Web sites.
    You can get this worm without doing anything at all.
    As long as your computer is running and connected to the Internet, it can get infected.

    LSASS is on TCP port 445. Sasser can also propagate through port 139. If you have a firewall, and set it to block ports 139 and 445, you may be safe. But just to be sure, you should probably install the patch as well.

    Even aside from this, it's a good idea to block port 445 anyway. This port can be used for a http://www.vnunet.com/News/1131065 denial of service attack .

    Ports 139 and 445 are used by Microsoft's http://ntsecurity.nu/papers/port445/ file sharing . If you have a home or small office network, and want to use Microsoft's file sharing, then you need to allow traffic on these ports on your local network. But be sure to block it at the firewall to the Internet. Always block traffic on these ports from the Internet.

    How can you http://www.securityspace.com/smysecure/catid.html?id=12219 know if you're infected? If your system has Sasser, it will have TCP port 5554 open, and also either port 9995 or 9996.

    How can you get rid of it if you're infected? First, go to the Task Manager and kill any task named "ASERVE.EXE", "ASERVE2.EXE" or anything similar. Then go to the Windows directory and delete any file with a similar name.

    Even if you're not infected by a worm, you can be affected by it. Worm traffic causes traffic jams on the Internet, which can slow down everyone's downloads. Also, worms are used to launch Distributed Denial of Service (DDoS) attacks on servers, which make those servers unavailable to everyone. The only way we can be completely free from the harmful effects of worms is if practically every single computer user out there takes precautions, and that's not likely to happen.

    Security experts are becoming sceptical about whether just keeping your patches up to date is a real solution to the problem of worms and viruses. First of all, patching is http://news.zdnet.co.uk/internet/security/0,39020375,39147340,00.htm so difficult that there will always be people who don't bother.
    Also, sometimes patches http://www.theinquirer.net/?article=7610 actually make things worse .
    Finally, at least one Microsoft expert says that releasing patches just http://www.nwfusion.com/columnists/2004/0308kearns.html lets bad guys know there's a vulnerability so they can exploit it.

    http://techsupp.blcss.com/#sasser Home link

    Southern New Hampshire residents: don't throw away that old broken computer.
    Call us first: 603-244-1652. If we can't fix it cheap, we'll take it off your hands.

    Bottom Line Computer, May 24, 2004
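
Added example, not part of the original post: a Python check that applies the port indicator described in the post (TCP 5554 listening together with 9995 or 9996) to the text output of Windows `netstat -an`, and also reports whether the file sharing ports 139 and 445 are listening on a non-loopback address. The function names and the sample listing are constructed for illustration.

```python
import re

# Ports exactly as given in the post above.
SASSER_PRIMARY_PORT = 5554
SASSER_SECONDARY_PORTS = {9995, 9996}
FILE_SHARING_PORTS = {139, 445}

# A listening TCP row of Windows "netstat -an" output:
#   TCP    0.0.0.0:445    0.0.0.0:0    LISTENING
_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.IGNORECASE)

def listening_tcp(netstat_text):
    """Return {(local_address, port)} for every listening TCP socket."""
    found = set()
    for line in netstat_text.splitlines():
        m = _ROW.match(line)
        if m:  # header, UDP and ESTABLISHED rows do not match
            found.add((m.group(1), int(m.group(2))))
    return found

def assess(netstat_text):
    """Apply the post's indicator and list listening file sharing ports."""
    socks = listening_tcp(netstat_text)
    ports = {port for _, port in socks}
    secondary = ports & SASSER_SECONDARY_PORTS
    # A socket bound only to loopback is not reachable from the network.
    shares = {p for addr, p in socks
              if p in FILE_SHARING_PORTS and not addr.startswith("127.")}
    return {
        # Both conditions must hold: 5554 AND (9995 OR 9996).
        "sasser_indicator": SASSER_PRIMARY_PORT in ports and bool(secondary),
        "indicator_ports": sorted(ports & ({SASSER_PRIMARY_PORT} | SASSER_SECONDARY_PORTS)),
        "file_sharing_listening": sorted(shares),
    }

# Constructed sample listing (not captured from a real machine).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5554           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9996           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1042      10.0.0.7:80            ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

if __name__ == "__main__":
    print(assess(SAMPLE))
```

A listing with only one of the indicator ports open leaves `sasser_indicator` false but still shows that port in `indicator_ports`, so it can be looked at by hand.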

  2. Bottom Line Computer

    Stan Brown Guest

    "Bottom Line Computer" <> wrote in
    >The real danger is not Sasser itself, but

    people who keep posting the same article.

    Stan Brown, Oak Road Systems Cortland County, New York, USA
    You need any friends you can get. The only thing standing
    between you and a watery grave is your wits, and that's not
    my idea of adequate protection. -- /Beat the Devil/ (1954)
    Stan Brown, May 25, 2004