Posted: 03rd May, 2004 By: MarkJ
Remember the so-called MS Blaster worm, a virus notorious for its ability to infiltrate computer systems simply because you were connected to the Internet? Well, a similar infection (Sasser) has started circulating.
In fact my own system became infected on Friday, yet Norton's database didn't pick it up until Sunday. Thankfully I was aware of it on Friday and managed to physically put a stop to things myself (it made itself too obvious in the process list).
The thing is, not only are broadband users most at risk, but even with an updated virus database and all the latest critical MS patches, it still managed to infect. You don't have to do anything; it'll just sneak onto your system while you're connected, and that's why it's a serious threat:
This worm spreads by exploiting a recent Microsoft vulnerability, spreading from machine to machine with no user intervention required.
This worm scans random IP addresses for exploitable systems. When one is found, the worm exploits the vulnerable system by overflowing a buffer in LSASS.EXE. It creates a remote shell on TCP port 9996. Next it creates an FTP script named cmd.ftp on the remote host and executes it. This FTP script instructs the target victim to download and execute the worm (with the filename #_up.exe as aforementioned) from the infected host. The infected host accepts this FTP traffic on TCP port 5554.
The worm spawns multiple threads, some of which scan the local class A subnet, others the class B subnet, and others completely random subnets. The destination port is TCP 445.
Typically I'd just re-installed my OS, so the firewall wasn't online yet, hence the added risk. A removal tool can be found HERE. You'll also need to update your AV software and pop along to Microsoft's website for the correct patch HERE.
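If you keep firewall or router connection logs, the description above gives you something concrete to look for: one source probing TCP 445 on lots of different hosts, and any traffic on the worm's shell (9996) and FTP (5554) ports. The script below is an added example (not from the original post or from any AV vendor) that checks a constructed log in a generic "time src dst dport action" layout for exactly those two indicators; the threshold of 5 distinct hosts and the log format are assumptions.

```python
from collections import defaultdict

# Indicators taken from the Sasser description above: many distinct hosts probed on
# TCP 445 from one source, plus any use of the shell (9996) or FTP (5554) ports.
SCAN_PORT = 445
WORM_PORTS = {9996, 5554}
SCAN_THRESHOLD = 5  # assumed: distinct hosts probed on 445 before we call it a scan

# Constructed sample log (not real traffic) in a generic "time src dst dport action" layout.
SAMPLE_LOG = """\
10:01:02 10.0.0.7 10.0.0.1 445 DENY
10:01:02 10.0.0.7 10.0.0.2 445 DENY
10:01:03 10.0.0.7 10.0.0.3 445 DENY
10:01:03 10.0.0.7 10.0.0.4 445 DENY
10:01:03 10.0.0.7 10.0.0.5 445 DENY
10:01:04 10.0.0.7 10.0.0.6 445 ALLOW
10:01:05 10.0.0.7 10.0.0.6 9996 ALLOW
10:01:06 10.0.0.6 10.0.0.7 5554 ALLOW
10:02:00 10.0.0.9 10.0.0.1 445 ALLOW
10:02:01 10.0.0.9 10.0.0.1 80 ALLOW
"""

def parse(line):
    """Return (src, dst, dport) for a well-formed line, else None."""
    parts = line.split()
    if len(parts) != 5 or not parts[3].isdigit():
        return None
    return parts[1], parts[2], int(parts[3])

def analyse(log_text):
    """Return sources scanning 445 and any 9996/5554 connections seen in the log."""
    probes_445 = defaultdict(set)  # src -> distinct destinations hit on 445
    worm_port_hits = set()         # (src, dst, dport) on 9996/5554
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        src, dst, dport = rec
        if dport == SCAN_PORT:
            probes_445[src].add(dst)
        elif dport in WORM_PORTS:
            worm_port_hits.add((src, dst, dport))
    scanners = sorted(s for s, d in probes_445.items() if len(d) >= SCAN_THRESHOLD)
    return {"scanners_445": scanners, "worm_port_hits": sorted(worm_port_hits)}

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

A single 445 connection (like 10.0.0.9 above) is normal Windows file sharing and is deliberately not flagged; it is the fan-out across many hosts, or the 9996/5554 follow-up, that matters.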