Description Published: August 29, 2004
Description Modified: September 2, 2004
Category: Win32
Also known as: W32/Sasser.G (F-Secure),
W32.Sasser.G (Symantec),
Win32/Sasser.G.Worm, W32/Sasser.worm.g (McAfee),
Worm.Win32.Sasser.g (Kaspersky)
Description
Win32.Sasser.G is a worm that spreads by exploiting a vulnerability in the LSASS service on Windows 2000, XP and Server 2003. It is a 58,880-byte executable, packed with PECompact.
Method of Infection
When executed, Sasser.G copies itself to:
%Windows%\avserve3.exe
and modifies the registry to ensure that this copy is executed at each Windows start:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\avserve3.exe = %Windows%\avserve3.exe
Note: '%Windows%' is a variable location. The worm determines the location of the current Windows folder by querying the operating system. The default installation location for the Windows directory for Windows 2000 and NT is C:\Winnt; for 95, 98 and ME it is C:\Windows; and for XP it is C:\Windows.
The worm creates mutexes named PinaasoSky and Jobaka3 to ensure that only one copy of the worm runs on the system at any time.
Sasser.G drops a further file into the %Windows% directory: skynet.cpl. This file is actually a copy of Win32.Netsky.AC. For more information on Netsky.AC, please see elsewhere in our encyclopedia.
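The host-side artefacts listed above (the Run-key value, the two files dropped into %Windows%, the downloaded <digits>_up.exe copies and cmd.ftp in %System%, and the c:\win2.log scan log) can be turned into a simple triage check. The following is an added example and not code from the CA write-up: the indicator strings are taken from the description, while the snapshot structure, the function names and the Windows-only live-collection helper are this example's own assumptions. The two snapshots at the bottom are constructed for an offline demonstration.

```python
"""Host-side indicator check for the Sasser.G artefacts described above.

Added example, not part of the CA write-up. Indicator values come from the
description; the HostSnapshot layout, function names and the live-collection
helper are assumptions made for this example.
"""
import os
import re
import sys
from dataclasses import dataclass

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "avserve3.exe"                  # value name under HKLM\...\Run
DROPPED_WINDOWS_FILES = {"avserve3.exe", "skynet.cpl"}
FTP_SCRIPT = "cmd.ftp"                           # written into %System% on a victim
UPDATE_NAME = re.compile(r"^\d+_up\.exe$")       # e.g. 12756_up.exe in %System%
SCAN_LOG = "win2.log"                            # written to the root of C:


@dataclass
class HostSnapshot:
    """Offline view of one host; fill it from the live OS or from a disk image."""
    run_values: dict      # Run-key value name -> data
    windows_files: set    # file names present in %Windows%
    system_files: set     # file names present in %System%
    root_files: set       # file names present in the root of the system drive


def check_snapshot(snap: HostSnapshot) -> list:
    """Return human-readable findings; an empty list means no indicator matched."""
    findings = []
    run = {name.lower(): data for name, data in snap.run_values.items()}
    if RUN_VALUE_NAME in run:
        findings.append(f"persistence: HKLM\\{RUN_KEY}\\{RUN_VALUE_NAME} = {run[RUN_VALUE_NAME]}")
    for name in sorted(n for n in snap.windows_files if n.lower() in DROPPED_WINDOWS_FILES):
        findings.append(f"dropped file in %Windows%: {name}")
    for name in sorted(snap.system_files):
        if UPDATE_NAME.match(name.lower()):
            findings.append(f"downloaded worm copy in %System%: {name}")
        elif name.lower() == FTP_SCRIPT:
            findings.append(f"ftp script in %System%: {name}")
    if any(n.lower() == SCAN_LOG for n in snap.root_files):
        findings.append(f"scan log present: C:\\{SCAN_LOG}")
    return findings


def collect_live_snapshot() -> HostSnapshot:
    """Build a snapshot from the running Windows host (uses winreg, so Windows only)."""
    if not sys.platform.startswith("win"):
        raise RuntimeError("live collection only works on Windows")
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:          # raised when no more values remain
                break
            values[name] = data
            index += 1
    windir = os.environ.get("SystemRoot", r"C:\Windows")
    sysdir = os.path.join(windir, "system32")
    root = os.path.splitdrive(windir)[0] + "\\"
    return HostSnapshot(values, set(os.listdir(windir)),
                        set(os.listdir(sysdir)), set(os.listdir(root)))


# Constructed snapshots: one clean host and one showing every artefact from the description.
CLEAN = HostSnapshot({"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
                     {"explorer.exe"}, {"ntoskrnl.exe"}, {"boot.ini"})
INFECTED = HostSnapshot(
    {"avserve3.exe": r"C:\WINDOWS\avserve3.exe"},
    {"explorer.exe", "avserve3.exe", "skynet.cpl"},
    {"ntoskrnl.exe", "12756_up.exe", "cmd.ftp"},
    {"boot.ini", "win2.log"},
)

if __name__ == "__main__":
    for label, snap in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, check_snapshot(snap) or "no indicators")
```

The check deliberately matches file names case-insensitively, since Windows paths are case-insensitive and the exact casing in the description is that of the analyst's machine. On a live host, pass the result of collect_live_snapshot() to check_snapshot().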
Method of Distribution
Via Exploit
Sasser.G scans random IP addresses on TCP port 445, attempting to connect to each. If it connects successfully, it then attempts to exploit the "Microsoft Windows LSASS buffer overflow vulnerability". For more information on this vulnerability, please see:
http://www3.ca.com/threatinfo/vulninfo/vuln.aspx?ID=27886
The Microsoft security bulletin for this vulnerability is available here:
http://www.microsoft.com/technet/security/Bulletin/MS04-011.mspx
Microsoft have also published some additional instructions for dealing with this threat here: http://www.microsoft.com/security/incident/sasser.asp
The worm uses this to open a remote shell, listening on port 9996. It connects to this port and uses the shell to create an ftp script called "cmd.ftp" on the remote machine. This file is created in the %System% directory.
Sasser.G runs a basic ftp server on each infected machine, on port 5554. It runs ftp.exe on the target system, using the ftp script to download the worm executable from the attacking machine. The executable is saved in the %System% directory with the file name "
C:\WINDOWS\system32\12756_up.exe
C:\WINDOWS\system32\10831_up.exe
As a side effect of infection, the LSASS service may crash, displaying a message similar to the following:

The worm creates 124 threads to scan for vulnerable systems, and logs IP addresses it has infected to the file c:\win2.log.
For each of these threads, there is a 50% chance it will generate completely random IP addresses. There is a 25% chance it will generate addresses with the first octet the same as the host, and a 25% chance it will use the first two octets from the host address. The worm is capable of scanning more than 200 addresses per second.
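The propagation sequence described in this section (high-rate connection attempts to TCP 445, a follow-up connection to the shell on 9996, and the victim fetching the worm from the attacker's ftp server on 5554) is visible from the network, and the 50/25/25 target split can be checked against what a suspect host is actually scanning. The code below is an added example, not part of the CA write-up: the one-line-per-connection log format is constructed for this example, the per-second threshold is an assumption (the description says the worm manages more than 200 addresses per second, so a far lower bar still catches it), and the function names are this example's own.

```python
"""Network-side detection of the Sasser.G propagation pattern described above.

Added example, not part of the CA write-up. The log format, the threshold and
the function names are assumptions made for this example.
"""
import re
from collections import defaultdict

# Constructed log format: "<unix seconds> <src> -> <dst>:<dport>", one connection attempt per line.
LOG_RE = re.compile(r"^(?P<ts>\d+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

SCAN_PORT = 445
FOLLOW_UP_PORTS = {9996: "remote shell opened by the exploit", 5554: "worm ftp server"}
SCAN_THRESHOLD = 20   # distinct 445 targets from one source in one second (assumed)


def parse_log(text: str) -> list:
    """Return (ts, src, dst, dport) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append((int(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    return events


def octet_class(src: str, dst: str) -> str:
    """Classify a target the way the description splits them: random, same /8, same /16."""
    s, d = src.split("."), dst.split(".")
    if s[:2] == d[:2]:
        return "same /16"
    if s[0] == d[0]:
        return "same /8"
    return "random"


def find_scanners(events: list, threshold: int = SCAN_THRESHOLD) -> dict:
    """Map each source exceeding the threshold to its peak distinct-targets-per-second."""
    per_second = defaultdict(set)               # (src, ts) -> set of dst
    for ts, src, dst, dport in events:
        if dport == SCAN_PORT:
            per_second[(src, ts)].add(dst)
    alerts = {}
    for (src, ts), targets in per_second.items():
        if len(targets) >= threshold:
            alerts[src] = max(alerts.get(src, 0), len(targets))
    return alerts


def target_profile(events: list, src: str) -> dict:
    """Count a source's 445 targets by octet class, to compare with the 50/25/25 split."""
    counts = {"random": 0, "same /8": 0, "same /16": 0}
    for _, s, dst, dport in events:
        if s == src and dport == SCAN_PORT:
            counts[octet_class(s, dst)] += 1
    return counts


def find_follow_up(events: list) -> list:
    """Return (src, dst, reason) for connections to the shell and ftp ports."""
    return [(src, dst, FOLLOW_UP_PORTS[dport])
            for _, src, dst, dport in events if dport in FOLLOW_UP_PORTS]


# Constructed sample: host 10.1.2.3 hits 24 distinct 445 targets in one second with the
# 50/25/25 split, then the exploit follow-up; 192.0.2.10 makes two ordinary SMB connections.
SCANNER = "10.1.2.3"
_targets = ([f"{100 + i}.{i + 1}.{i + 1}.{i + 1}" for i in range(12)]   # random
            + [f"10.{50 + i}.0.{i + 1}" for i in range(6)]             # same /8
            + [f"10.1.{100 + i}.{i + 1}" for i in range(6)])           # same /16
SAMPLE_LOG = "\n".join(
    [f"1000 {SCANNER} -> {t}:445" for t in _targets]
    + ["1000 192.0.2.10 -> 192.0.2.20:445", "1000 192.0.2.10 -> 192.0.2.21:445",
       f"1001 {SCANNER} -> 10.1.100.1:9996",      # scanner connects to the shell on a victim
       f"1002 10.1.100.1 -> {SCANNER}:5554"])      # victim fetches the worm over ftp

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("scanners:", find_scanners(evs))
    print("profile:", target_profile(evs, SCANNER))
    print("follow-up:", find_follow_up(evs))
```

The rate check alone would also fire on a legitimate vulnerability scanner or a backup server; the octet profile and the 9996/5554 follow-up narrow the alert to the worm's actual behaviour. The expected counts for the constructed sample are 12/6/6, i.e. the 50/25/25 split from the description.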
Analysis by Matthew McCormack
More information on CA Virus Information Center:
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=40034
Computer Associates – the Trusted Source of Security Knowledge