Have you done all of your windows updates ?

[Moby-Dick]

Or made sure your firewall is working ?

if not, you might be in for a rough ride
and here's why

Sasser
New Worm Spreads without User Interaction
Severity: Medium
(May elevate to high in the next few days)
1 May, 2004

About the Virus
Beginning Friday evening a new worm called Sasser (technically known as W32/Sasser.worm) began spreading on the Internet. Like previous worms (such as Slammer, and to some extent, CodeRed and Nimda), Sasser relies on exploiting a recent flaw in Microsoft Windows to spread. If the worm finds a computer vulnerable to the specific Windows flaw, it infects that PC without any user interaction. Worms like Sasser that require no user interaction tend to spread wildly. The good news is that if you have kept up to date with the Microsoft patches , Sasser should pass you by.

What It Does
Unlike most worms, Sasser does not rely on email to spread. Instead, the worm attempts to connect to random victims on TCP port 445 and exploits a Microsoft Windows vulnerability we described in an April 13 alert (specifically MS04-011). Its name arises from the fact that it exploits a buffer overflow in LSASS (Local Security Authority Server Service) .

If the exploit is successful, the worm downloads a copy of itself to your machine and adds the file "avserve.exe" to the default Windows directory. The worm also adjusts the registry to ensure that it can restart the next time you reboot. In fact, using a special Windows API, AbortSystemShutdown, Sasser makes it difficult to restart or shut down your PC.

Finally, Sasser installs an FTP server on your computer, running on TCP port 5554 so that your machine can deliver the worm to others.

Once installed on a victim machine, Sasser repeats the entire process by randomly scanning IP addresses on port 445, searching for exploitable machines. Out of the randomly scanned IPs, 50% are totally random, 25% have the same first octet as your IP address and the last 25% have the same first two octets as your IP address. This helps Sasser to spread efficiently both on the Internet and within your local network.

[headbrace]

Nope, I haven't done any updates. I don't need too. That's BSD for you.

[Moby-Dick]

What You Should Know About the Sasser Worm
Posted: May 1, 2004





Microsoft teams and law enforcement authorities are investigating reports of a worm, identified as W32.Sasser.worm, that is currently circulating on the Internet. Microsoft has verified that the worm exploits the Local Security Authority Subsystem Service (LSASS) issue fixed in Microsoft Security Update MS04-011 on April 13, 2004.


Products Affected by This Worm
Windows 2000 Service Pack 2, Windows 2000 Service Pack 3, and Windows 2000 Service Pack 4
Windows XP and Windows XP Service Pack 1
Windows XP 64-bit Edition Service Pack 1

Products Not Affected by This Worm
Windows NT 4.0 Service Pack 6a
Windows XP 64-Bit Edition Version 2003
Windows Server 2003
Windows Server 2003 64-Bit Edition



How to Tell If Your Computer Is Infected
If your computer is infected with W32.Sasser.worm, you may see a dialog box with text that refers to LSASS.exe. Some customers whose computers have been infected may not notice the presence of the worm at all, while others who are not infected may experience problems because the worm is attempting to attack their computer. Typical symptoms may include systems rebooting every few minutes without user input.


Mitigation Steps for Affected Computers
If your computer is infected with the W32.Sasser.worm, please do the following:

Enable the Windows XP Internet Connection Firewall or a third-party firewall on the affected computer.
Disconnect the computer from the Internet.
Restart the computer. If you have problems rebooting, reboot in safe mode.
Press CTRL+ALT+DEL.
Click the Task Manager.
Click the Processes tab.
Press and hold the CTRL key and then click C:\WINDOWS\avserve.exe and c:\WINDOWS\system32\*_up.exe.
Click the End Task button.
Click Start.
Click Search and then search for and delete the following files:
C:\WINDOWS\avserve.exe
C:\WINDOWS\system32\*_up.exe
Click Start again, click Run, and then type: regedit32
Click OK.
In Registry Editor, locate and delete the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "avserve.exe" = C:\WINDOWS\avserve.exe
Connect the computer to the Internet.
Go to the Windows Update site, and click the Scan for Updates button.
Download and install the critical updates recommended after the scan.

Preventive Steps for Home Users
Customers can protect against this worm by installing Microsoft Security Update MS04-011 immediately.

If you have a computer with Windows XP and have enabled the Windows XP Firewall, you are protected from attacks by this worm. Also, most third-party firewalls will block this attack.

the above quote is form a news alert issued buy http://bink.nu ( a very credible source for windows news )

The First quote is from the watchguard livesecurity update - this is not a drill folks

[Moby-Dick]

Originally Posted by headbrace

Nope, I haven't done any updates. I don't need too. That's BSD for you.

which is why I said windows updates if you were applying MS patches to a BSD box I'd have serious concerns for your sanity

[Moby-Dick]

If you have been affected by this worm , you'll find a removal tool here:

http://www.microsoft.com/downloads/d...DisplayLang=en

[unrealrocks]

I just leave updates for virus, windows etc. all on auto so it just does it. PC Cillin did tell me that there was this virus going round in the wild last night though.

[Howard]

I'm always up to date

My mate had this worm yesterday though... Lol

[Kezzer]

/me strokes linux firewall

[headbrace]

/remembers to read thread thoroughly before posting

I'll get me goat.

[Joel]

/me strokes linux

[DaBeeeenster]

Originally Posted by headbrace

/remembers to read thread thoroughly before posting

I'll get me goat.

here you go matey...



**** knows how the old boy managed to get to Australia in that time

[Stoo]

*snigger*

Always make sure you've got enough RAM for your system?

[DaBeeeenster]

Originally Posted by Stoo

*snigger*

Always make sure you've got enough RAM for your system?

this is the funniest post in the world ever.

[Stoo]

Sorry.. *skulks off*

[directhex]

C:\Documents and Settings\directhex>apt-get upgrade
'apt-get' is not recognized as an internal or external command,
operable program or batch file.

no worky, moby

[steve threlfall]

Originally Posted by Stoo

*snigger*

Always make sure you've got enough RAM for your system?