Severity: High
Sasser Worm
Overview: Zone Labs has identified a new worm called “Sasser” which is spreading rapidly across the Internet. The Sasser worm has been rated "High Risk." Computer users should take action to protect and patch their systems if they are vulnerable.
Date Published: May 3, 2004
Date Last Revised: August 18, 2005
Impact:
Sasser and its variants attempt to compromise system integrity in several ways:
- Opening a backdoor listening on TCP port 9995 or port 9996
- Starting an FTP server listening on TCP port 5554 on the infected system
- Spreading via Microsoft SMB networking
This worm causes large amounts of network traffic, which can impact the availability and performance of your network.
Description:
Sasser and its variants spread through a buffer overflow vulnerability in the LSASS process (lsass.exe) on Microsoft Windows 2000, Windows XP and Windows Server 2003 systems. Once a system is infected, the worm begins attacking other systems on TCP port 445.
Upon execution, the worm creates a new file with one of the following names:
- avserve.exe
- avserve2.exe
- skynetave.exe
The worm also attempts to open a backdoor on one of two TCP ports: 9995 or 9996.
It also attempts to start an FTP server listening on TCP port 5554.
Zone Labs Products
ZoneAlarm®, ZoneAlarm® Pro, ZoneAlarm® Plus
The firewall built into ZoneAlarm Pro and ZoneAlarm Plus will usually proactively prevent the infection even if the Microsoft patch has not been applied, because inbound connections to TCP port 445 from the Internet Zone are blocked by default. A computer protected by these Zone Labs products can only become infected if another computer in the "Trusted Zone" (usually the local network) is infected. In that case Program Control will alert the computer user if the malicious application attempts to access the network. When prompted, Zone Labs users can select "No" to deny the malicious application access and prevent further spread of the worm.
Computer users will receive a ZoneAlarm Alert if this worm infects their system and attempts to open a TCP port. When prompted, Zone Labs users can select “No” to deny this application server access.
Recommended Actions for ZoneAlarm Pro, ZoneAlarm Plus:
- Ensure your system is patched. Specifically, apply the patch contained in Microsoft Security Bulletin MS04-011: http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
- Monitor Program Control settings and set “LSA Shell” server rights to Block. This will prevent infection, but will also prevent SMB file sharing.
- Monitor Program Control alerts for processes named:
- avserve.exe
- avserve2.exe
- skynetave.exe
- Do not allow unknown processes to act as a server on ports:
- 9995/TCP
- 9996/TCP
- 5554/TCP
- Update antivirus products to provide the most up-to-date protection.
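The two indicators the advisory gives, the listening ports and file names on an infected host and the burst of TCP/445 connections to many neighbours once it starts propagating, can be checked mechanically. The script below is an added example, not Zone Labs code: the file names and port numbers come from this advisory, while the netstat-style and firewall-log-style sample lines are constructed for the example (the netstat lines assume the `netstat -ano` output has already been joined with the image name from `tasklist`), and the scan threshold of 20 distinct targets within 60 seconds is an assumed tuning value, not a figure from the advisory.

```python
"""Host- and network-level checks for Sasser indicators.

Added example, not from the Zone Labs advisory.  Indicators used:
  - process names avserve.exe, avserve2.exe, skynetave.exe
  - TCP listeners on 5554 (FTP), 9995 / 9996 (backdoor)
  - one source opening connections to many distinct hosts on TCP 445
"""
from collections import defaultdict
from datetime import datetime

SASSER_FILES = {"avserve.exe", "avserve2.exe", "skynetave.exe"}
SASSER_PORTS = {5554, 9995, 9996}

# Constructed sample in the shape of `netstat -ano` joined with the image
# name from `tasklist`: proto, local addr, foreign addr, state, pid, image.
SAMPLE_NETSTAT = """\
TCP    0.0.0.0:135       0.0.0.0:0     LISTENING   884   svchost.exe
TCP    0.0.0.0:445       0.0.0.0:0     LISTENING   4     System
TCP    0.0.0.0:5554      0.0.0.0:0     LISTENING   1580  avserve2.exe
TCP    0.0.0.0:9996      0.0.0.0:0     LISTENING   1580  avserve2.exe
TCP    0.0.0.0:3389      0.0.0.0:0     LISTENING   1120  svchost.exe
"""

# Constructed sample in the shape of a Windows firewall log:
# date time action proto src-ip dst-ip src-port dst-port.
# 25 drops from one host sweeping 10.0.0.1-25 on 445, plus benign traffic.
SAMPLE_FW_LOG = "\n".join(
    f"2004-05-03 10:15:{1 + i:02d} DROP TCP 192.168.1.23 10.0.0.{1 + i} {1030 + i} 445"
    for i in range(25)
) + """
2004-05-03 10:15:05 OPEN TCP 192.168.1.40 10.0.0.5 1201 445
2004-05-03 10:15:09 OPEN TCP 192.168.1.40 10.0.0.5 1202 445
2004-05-03 10:15:12 OPEN TCP 192.168.1.40 10.0.0.9 1203 80
"""


def suspicious_listeners(netstat_text):
    """Return (pid, image, port) for every TCP listener that matches a
    Sasser file name or one of the worm's server ports."""
    hits = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "TCP" or parts[3] != "LISTENING":
            continue
        port = int(parts[1].rsplit(":", 1)[1])
        pid, image = int(parts[4]), parts[5]
        if image.lower() in SASSER_FILES or port in SASSER_PORTS:
            hits.append((pid, image, port))
    return hits


def _parse_fw_line(line):
    """Parse one firewall-log line into (timestamp, proto, src, dst, dport)."""
    f = line.split()
    if len(f) < 8:
        return None
    ts = datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S")
    return ts, f[3], f[4], f[5], int(f[7])


def scanning_sources(log_text, dst_port=445, min_targets=20, window_s=60):
    """Map source IP -> largest number of distinct destinations it reached
    on dst_port within any window_s-second window, for sources that hit
    at least min_targets.  A host talking repeatedly to one file server
    stays below the threshold; a propagating worm sweeps a whole subnet."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = _parse_fw_line(line)
        if rec is None or rec[1] != "TCP" or rec[4] != dst_port:
            continue
        by_src[rec[2]].append((rec[0], rec[3]))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= window_s.
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged


if __name__ == "__main__":
    for pid, image, port in suspicious_listeners(SAMPLE_NETSTAT):
        print(f"suspicious listener: pid={pid} image={image} port={port}")
    for src, n in scanning_sources(SAMPLE_FW_LOG).items():
        print(f"possible TCP/445 sweep from {src}: {n} distinct targets")
```

The port check matters as much as the name check: a variant that drops its executable under a different name still has to listen on 5554 to serve the copy it tells victims to download, so a listener on that port from any image is worth an alert even when the name does not match. The sweep detector keys on distinct destinations rather than raw connection count, which keeps a busy but legitimate SMB client from tripping it.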
Related Resources:
Contact: Zone Labs customers who are concerned about information contained in this advisory or have additional technical questions may reach our Technical Support team at: http://www.zonelabs.com/support/. To report security issues with Zone Labs products contact security@zonelabs.com.
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. Zone Labs and Zone Labs products, are registered trademarks of Zone Labs Incorporated. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.
Copyright: ©2004-2005 Zone Labs LLC. All rights reserved. Zone Labs, TrueVector, ZoneAlarm, and Cooperative Enforcement are registered trademarks of Zone Labs LLC. The Zone Labs logo, Check Point Integrity and IMsecure are trademarks of Zone Labs, Inc. Check Point Integrity protected under U.S. Patent No. 5,987,611. Reg. U.S. Pat. & TM Off. Cooperative Enforcement is a service mark of Zone Labs LLC. All other trademarks are the property of their respective owners.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Zone Labs. Reprinting the whole or part of this alert in any medium other than electronically requires permission from Zone Labs.