Unreal Playground  


Playground Cafe A miscellany of topics

Old 05-04-2004, 06:20 AM   #1
Garoc
Ghosts, Legends then Me.
Join Date: Apr 2004
Location: A.C.T Australia
Posts: 809

--=warning=--

Ok, I've downloaded a lot of maps from this site and I received the "lsass" worm that denies you connecting to the internet. To combat this, search for lsass.exe on Google and download the "stinger" program from the Norton anti-virus site. It's about 755kb and gets rid of 41 different trojans, worms and viruses. Beware, people.
Garoc is offline   Reply With Quote
Old 05-04-2004, 08:25 AM   #2
Kingster
Duck and cover...
Join Date: Aug 2001
Location: I'm around...
Posts: 4,613
Downloads: 36

As I said in your other thread:

It is impossible to have received this worm from UP. The worm doesn't work in the way that you are describing at all. Please research things like this before you put blame anywhere. Odds are, it was an infected network "neighbor" and the pure fact that you are allowing unsolicited internet connections on port 445, the only way that this worm spreads.
Quote:
Originally Posted by Computer Associates Threat Information Center LMD: 5/3/04
Sasser.A scans random IP addresses (for it to connect to) on TCP port 445. If it connects successfully, it then attempts to exploit the "Microsoft Windows LSASS buffer overflow vulnerability".

Microsoft Windows contains a vulnerability that can allow an attacker to execute arbitrary code. The vulnerability is due to a lack of bounds checking on messages submitted to the Local Security Authority Subsystem Service (LSASS) service. An attacker can supply a long argument using the LSASRV.DLL function DsRoleUpgradeDownlevelServer() function to create a carefully constructed message and cause an overflow, which can result in arbitrary code execution.

The worm uses this to open a remote shell, listening on port 9996. It connects to this port and uses the shell to create an ftp script called "cmd.ftp" on the remote machine. This file is created in the System directory.

Sasser.A runs a basic ftp server on each infected machine, on port 5554. It runs ftp.exe on the target system, using the ftp script to download the worm executable. The executable is saved in the System directory with the file name "<random number>_up.exe". For example:

C:\WINDOWS\system32\12756_up.exe
C:\WINDOWS\system32\10831_up.exe

The worm creates 128 threads to scan for vulnerable systems, and logs IP addresses it has infected to the file c:\win.log.

For each of these threads, there is a 50% chance it will generate completely random IP addresses. There is a 25% chance it will generate addresses with the first octet the same as the host, and a 25% chance it will use the first two octets from the host address. The worm is capable of scanning more than 200 addresses per second.

The following workarounds can be implemented if applying the patch is not a feasible option.

Use a personal firewall such as the Internet Connection Firewall, which is included with Windows XP and Windows Server 2003. If you use the Internet Connection Firewall feature in Windows XP or in Windows Server 2003 to help protect your Internet connection, it blocks unsolicited inbound traffic by default. Microsoft recommends blocking all unsolicited inbound communication from the Internet.

To enable the Internet Connection Firewall feature by using the Network Setup Wizard:
1. Click Start, and then click Control Panel.
2. In the default Category View, click Network and Internet Connections, and then click Setup or change your home or small office network. The Internet Connection Firewall feature is enabled when you select a configuration in the Network Setup Wizard that indicates that your system is connected directly to the Internet.

To configure Internet Connection Firewall manually for a connection:
1. Click Start, and then click Control Panel.
2. In the default Category View, click Networking and Internet Connections, and then click Network Connections.
3. Right-click the connection on which you want to enable Internet Connection Firewall, and then click Properties.
4. Click the Advanced tab.
5. Select the check box Protect my computer or network by limiting or preventing access to this computer from the Internet, and then click OK. Note: If you want to enable the use of some applications and services through the firewall, click Settings on the Advanced tab, and then select the programs, protocols, and services needed.

Block UDP ports 135, 137, 138, 139, 445 and TCP ports 138, 139, 445, 593 at your firewall. These ports are used to initiate a connection with RPC. Blocking them at the firewall will help prevent systems behind that firewall from attempts to exploit this vulnerability. You should also be sure to block any other specifically configured RPC port on the remote machine. Microsoft recommends blocking all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports.
Wanna clean it?
http://www3.ca.com/Files/VirusInform.../clnsasser.zip
__________________

Human beings, who are almost unique in having the ability to learn from the experience of others,
are also remarkable for their apparent disinclination to do so.
-- Douglas Adams

Kingster is offline   Reply With Quote
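The advisory quoted in the post above gives three network-visible traits of a Sasser infection: a host fanning out to many distinct addresses on TCP/445 (mixing same-/8, same-/16 and random targets), a connection to the victim's new shell on TCP/9996, and the victim pulling the worm from the attacker's FTP server on TCP/5554. The script below is an added example, not code from this thread, from Unreal Playground or from Computer Associates; it scores a firewall or flow log for exactly those traits. The log line format, the sample lines, the `SAMPLE_LOG` name and the fan-out threshold of 8 distinct targets per 60 seconds are all constructed for illustration; a real deployment would parse its own log format and tune the threshold to the site's normal SMB traffic.

```python
"""Sasser-style propagation detector over connection-log lines.

Added example, not from the Unreal Playground thread or the CA advisory.
Indicators are taken from the advisory text: TCP/445 fan-out to many
distinct addresses (50% random, 25% same /8, 25% same /16), a remote
shell on TCP/9996 and a worm FTP server on TCP/5554.
"""
from collections import defaultdict
import ipaddress

# Ports the advisory says the worm opens on an infected machine.
SASSER_PORTS = {9996: "remote shell", 5554: "worm ftp server"}

# Constructed sample log (hypothetical format):
#   "<epoch> <proto> <src>:<sport> -> <dst>:<dport> <verdict>"
# 10.1.2.3 behaves like an infected host; 10.1.2.50 is a normal client
# talking to one file server; 10.1.7.9 is the newly compromised victim.
SAMPLE_LOG = """\
1083666000 tcp 10.1.2.3:1034 -> 10.1.9.14:445 SYN
1083666000 tcp 10.1.2.3:1035 -> 10.1.200.7:445 SYN
1083666001 tcp 10.1.2.3:1036 -> 10.77.3.2:445 SYN
1083666001 tcp 10.1.2.3:1037 -> 10.130.8.8:445 SYN
1083666001 tcp 10.1.2.3:1038 -> 172.16.4.9:445 SYN
1083666002 tcp 10.1.2.3:1039 -> 198.51.100.23:445 SYN
1083666002 tcp 10.1.2.3:1040 -> 203.0.113.77:445 SYN
1083666002 tcp 10.1.2.3:1041 -> 192.0.2.15:445 SYN
1083666003 tcp 10.1.2.3:1042 -> 10.1.7.9:445 SYN
1083666003 tcp 10.1.2.3:1043 -> 10.1.7.9:9996 SYN
1083666003 tcp 10.1.7.9:1025 -> 10.1.2.3:5554 SYN
1083666004 tcp 10.1.2.50:1500 -> 10.1.2.10:445 SYN
1083666010 tcp 10.1.2.50:1501 -> 10.1.2.10:445 SYN
1083666020 udp 10.1.2.50:137 -> 10.1.2.255:137 DATA
"""


def parse_line(line):
    """Split one constructed log line into a record dict."""
    ts, proto, src, _arrow, dst, verdict = line.split()
    sip, _sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"ts": int(ts), "proto": proto, "src": sip,
            "dst": dip, "dport": int(dport), "verdict": verdict}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def scan_fanout(records, window=60):
    """Per source: max number of distinct TCP/445 targets inside any
    `window`-second span. A scanner hits many distinct hosts; a normal
    client hits a handful of file servers."""
    by_src = defaultdict(list)
    for r in records:
        if r["proto"] == "tcp" and r["dport"] == 445:
            by_src[r["src"]].append((r["ts"], r["dst"]))
    result = {}
    for src, events in by_src.items():
        events.sort()
        best = 0
        for i, (t0, _) in enumerate(events):
            seen = {d for t, d in events[i:] if t - t0 <= window}
            best = max(best, len(seen))
        result[src] = best
    return result


def targets_of(records, src):
    return sorted({r["dst"] for r in records
                   if r["src"] == src and r["proto"] == "tcp" and r["dport"] == 445})


def locality(src, targets):
    """Bucket targets the way the advisory describes the worm choosing
    them: same first two octets, same first octet only, or unrelated."""
    net8 = ipaddress.ip_network(f"{src}/8", strict=False)
    net16 = ipaddress.ip_network(f"{src}/16", strict=False)
    counts = {"same_/16": 0, "same_/8": 0, "other": 0}
    for t in targets:
        a = ipaddress.ip_address(t)
        if a in net16:
            counts["same_/16"] += 1
        elif a in net8:
            counts["same_/8"] += 1
        else:
            counts["other"] += 1
    return counts


def payload_port_hits(records):
    """Any TCP connection to 9996 (shell) or 5554 (worm ftp) is a hard
    indicator regardless of volume."""
    return [(r["src"], r["dst"], r["dport"], SASSER_PORTS[r["dport"]])
            for r in records if r["proto"] == "tcp" and r["dport"] in SASSER_PORTS]


def analyse(log_text, threshold=8, window=60):
    records = parse_log(log_text)
    fanout = scan_fanout(records, window)
    suspects = {src: n for src, n in fanout.items() if n >= threshold}
    return {
        "suspects": suspects,
        "locality": {s: locality(s, targets_of(records, s)) for s in suspects},
        "payload_hits": payload_port_hits(records),
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for src, n in report["suspects"].items():
        print(f"{src}: {n} distinct TCP/445 targets, mix {report['locality'][src]}")
    for src, dst, port, label in report["payload_hits"]:
        print(f"{src} -> {dst}:{port} ({label})")
```

On the constructed sample the only fan-out suspect is 10.1.2.3, with nine distinct TCP/445 targets split 3 same-/16, 2 same-/8, 4 unrelated, plus the 9996 and 5554 connections that mark the hand-off to 10.1.7.9. The fan-out check is what catches an infected "neighbor" behind a firewall that only filters inbound 445: the inbound block in the advisory's workaround prevents the host from being hit, but an already infected machine on the LAN is visible only by its outbound scanning.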
Old 05-04-2004, 08:37 AM   #3
radio667
I R Happy Goat
Join Date: May 2002
Posts: 10,753
Downloads: 2

Thank you for the Stinger link, K-Man. Very helpful!!!
__________________
"There is also a river called Helikon [in Pieria]. (...) But, they go on to say, the women who killed Orpheus wished to wash off in it the blood-stains, and thereat the River sank underground, so as not to lend its waters to cleanse manslaughter."

—Pausanias, Description of Greece 9. 30. 8
radio667 is offline   Reply With Quote