World Access Communications
World Access Communications
World Access Communications

Search:



Services
Webmail
Support
Terms & Conditions
Sign Up Now!
Dial-Up Numbers
Search

Quick Links
eBay
Yahoo!
UPS Tracking
FedEx Tracking
California ISO

Current Events
News
Internet News
Weather
Stocks
Sports
Movies

World Access Communications, Inc.
1209 W. Tokay St.
Suite #11
Lodi, CA 95240
866-DIAL-WAC (342-5922) - 24/7
info@corp.wac.com


Vanquish Premier Partner

 W32.Sasser.F.Worm is a variant of W32.Sasser.Worm. This worm attempts to exploit the LSASS vulnerability described in Microsoft Security Bulletin MS04-011. It spreads by scanning randomly selected IP addresses for vulnerable systems.

W32.Sasser.F.Worm differs from W32.Sasser.Worm as follows:

  • Uses a different mutex: billgate.
  • Uses a different file name: napatch.exe.
  • Creates a different value in the registry: "napatch.exe."
Notes:
  • The MD5 hash value of this worm is 0x9d8d3837ef0dca757231349b5f81f26e.
  • Block TCP ports 5554, 9996, and 445 at the perimeter firewall and installs the appropriate Microsoft patch (MS04-011) to prevent the remote exploitation of the vulnerability.

W32.Sasser.F.Worm can run on, but not infect, Windows 95/98/Me computers. Although these operating systems cannot be infected, they can still be used to infect the vulnerable systems to which they are able to connect. In this case, the worm will waste a lot of resources so that programs cannot properly run, including our removal tool. (On Windows 95/98/Me computers, the tool should be run in Safe mode.)

 
Type: Worm
Infection Length: 74,752 bytes
Systems Affected: Windows 2000, Windows XP
Systems Not Affected: DOS, Linux, Macintosh, Novell Netware, OS/2, UNIX, Windows 3.x, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003

protection

May 11, 2004

May 12, 2004

*

Intelligent Updater definitions are released daily, but require manual download and installation.
Click here to download manually.

**

LiveUpdate virus definitions are usually released every Wednesday.
Click here for instructions on using LiveUpdate.

threat assessment

Wild:

Threat Metrics
Low Low High

Wild:
Low

Damage:
Low

Distribution:
High

Damage

Distribution

technical details

When W32.Sasser.F.Worm runs, it does the following:

  1. Attempts to create a mutex named billgate and exits if the attempt fails. This ensures that no more than one instance of the worm can run on a computer at any time.
  2. Copies itself as %Windir%\napatch.exe.
    Note: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.

  3. Adds the value:

    "napatch.exe"="%Windir%\napatch.exe"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the worm runs when you start Windows.
  4. Uses the AbortSystemShutdown API to hinder the attempts to shut down or restart the computer.
  5. Starts an FTP server on TCP port 5554. This server is used to spread the worm to other hosts.
  6. Retrieves the IP addresses of the infected computer, using the Windows API, gethostbyname.
    Note: The worm will ignore any of the following IP addresses:
    • 127.0.0.1
    • 10.x.x.x
    • 172.16.x.x - 172.31.x.x (inclusive)
    • 192.168.x.x
    • 169.254.x.x

  7. Generates another IP address, based on one of the IP addresses retrieved from the infected computer.
    • 25% of the time, the last two octets of the IP address are changed to random numbers. For example, if A.B.C.D is the IP address retrieved in step 7, C and D will be random.
    • 23% of the time, the last three octets of the IP address are changed to random numbers. For example, if A.B.C.D is the IP address retrieved in step 7, B, C, and D will be random.
    • 52% of the time, the IP address is completely random.
      Notes:
    • Because the worm creates completely random addresses 52% of the time, any IP address can be infected, including those ignored in step 6.
    • This process is made up of 128 threads, which demands a lot of CPU time. As a result, an infected computer may become so slow and barely usable.

  8. Connects to the generated IP address on TCP port 445 to determine whether a remote computer is online.
  9. If a connection is made to a remote computer, the worm will send shell code to it, which may cause it to open a remote shell on TCP port 9996.
  10. Uses the shell on the remote computer to reconnect to the infected computer's FTP server, running on TCP port 5554, and to retrieve a copy of the worm. This copy will have a name consisting of four or five digits, followed by _up.exe. For example, 74354_up.exe.
  11. The Lsass.exe process will crash after the worm exploits the Windows LSASS vulnerability. Windows will display the alert and shut down the system in one minute.
  12. Creates a file at C:\win2.log that contains the IP address of the computer that the worm most recently attempted to infect, as well as the number of infected computers.

recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

removal instructions

Before you begin:
If you are running Windows 2000 or XP, and have not yet done so, you must patch for the vulnerability described in Microsoft Security Bulletin MS04-011. If you do not, it is likely that your computer will continue to be re-infected.

What to do if the computer shuts down before you can patch or get the tool
This threat can cause Windows to keep shutting down and restarting. This can prevent you from installing the Microsoft patch or downloading the tool described below. To prevent the shut down, do the following. (You may have to try this several times, as you only have about 20 seconds to do steps 3 to 6.) (This will not work on Windows 2000.)
  1. Disconnect the computer from the network/Internet connection. (Disconnect the cable if necessary.)
  2. Restart the computer.
  3. As soon as Windows opens and you see the Windows desktop, click Start > Run.
  4. Type:

    cmd

    and press Enter.
  5. Type:

    shutdown -i

    and press Enter.
  6. In the Remote Shutdown Dialog that opens, change 20 seconds to:

    9999

    and click OK.

    This gives you about three hours to get the patch installed, update the definitions, and so on.
  7. Reconnect the network/Internet connection.
  8. Connect to the Internet, and get the patch. Then continue with the steps described below.

When you have patched for and removed the threat, you can re-enable the 20-second default warning if you want to.


The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
  1. End the malicious process (Windows NT/2000/XP).
  2. Disable System Restore (Windows XP).
  3. Update the virus definitions.
  4. Run a full system scan and delete all the files detected as W32.Sasser.F.Worm.
  5. Reverse the change made to the registry.
For details on each of these steps, read the following instructions.

1. To end the malicious process
On Windows NT/2000/XP computers, you must first end the malicious process. Follow these instructions:
  1. Press Ctrl+Alt+Delete once.
  2. Click Task Manager.
  3. Click the Processes tab.
  4. Double-click the Image Name column header to alphabetically sort the processes.
  5. Scroll through the list and look for the following processes:
    • napatch.exe
    • any process with a name consisting of four or five digits, followed by _up.exe (for example, 74354_up.exe).

  6. If you find any such process, click it, and then click End Process.
  7. Exit the Task Manager.
2. To disable System Restore (Windows XP)
If you are running Windows XP, we recommend that you temporarily turn off System Restore. Windows XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation, or "How to turn off or turn on Windows XP System Restore"
Note: When you are completely finished with the removal procedure and are satisfied that the threat has been removed, re-enable System Restore by following the instructions in the aforementioned documents.

3. To update the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:

  • Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).
  • Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater).

    The Intelligent Updater virus definitions are available: Read "How to update virus definition files using the Intelligent Updater" for detailed instructions.

4. To scan for and delete the infected files
  1. Start your Symantec antivirus program and make sure that it is configured to scan all the files.
  2. Run a full system scan.
  3. If any files are detected as infected with W32.Sasser.F.Worm, click Delete.

5. To reverse the change made to the registry
WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.
  1. Click Start, and then click Run. (The Run dialog box appears.)
  2. Type regedit

    Then click OK. (The Registry Editor opens.)
  3. Navigate to the key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  4. In the right pane, delete the value:

    "napatch.exe"="%Windir%\napatch.exe"
  5. Exit the Registry Editor.

 

OTHER VIRUS INFO TO KNOW ABOUT