Monday 3rd of May, 2004 -
Within recent weeks, several critical vulnerabilities have been disclosed and, in some cases, worms and other automated tools have been launched to exploit them. Exploit code has been made publicly available for all of these vulnerabilities. Most notably, W32.Sasser.B.Worm, which attempts to exploit the LSASS vulnerability, has been impacting systems worldwide. W32.Sasser.B.Worm, rated today by Symantec as a Level 4 threat, spreads by scanning randomly chosen IP addresses for vulnerable systems. The worm does not cause any harm, but the infected computer slows down and network traffic is affected.
"Over the last several weeks Symantec Security Response has monitored a shift in malicious threat propagation," said Per Hellqvist, senior security specialist at Symantec. "During the first several months of the year, most of the threats we tracked spread through e-mail. However, now we are tracking more threats that are exploiting vulnerabilities to spread."
“A worrying trend is that the time between an announcement of a new vulnerability and a threat outbreak is getting shorter and shorter. People need to be more proactive than reactive when it comes to security. It is necessary to have multiple layers of security implemented – an updated antivirus software is very important, but not enough. Both home users and companies need a firewall and intrusion protection to stop the blended threats that are spreading.”
More information about W32.Sasser.B.Worm: http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.b.worm.html
Link to free removal tool: http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html
More information about the vulnerability (Microsoft Windows LSASS Buffer Overrun): http://securityresponse.symantec.com/avcenter/security/Content/10108.html
Below you'll find a brief update of the vulnerability used by the Sasser worm.
Microsoft Windows LSASS Buffer Overrun Vulnerability/W32.Sasser.B.Worm
Background
The Microsoft Windows LSASS Buffer Overrun Vulnerability was originally announced on April 13, 2004 in Microsoft Security Bulletin MS04-011. A buffer overflow vulnerability exists in the LSASS service that could allow remote code execution on an affected system. LSASS provides an interface for managing local security, domain authentication, and Active Directory processes. If a system is compromised, an attacker could gain complete control of the machine and perform the same actions on it as a user or administrator, such as erasing files or stealing information. Exploitation may occur over TCP ports 135, 139, 445, 593 and ports greater than 1024, as well as UDP ports 135, 137, 138 and 445. More information about the LSASS vulnerability can be found at http://securityresponse.symantec.com/avcenter/security/Content/10108.html
Symantec recommends that users update their virus definitions to protect against W32.Sasser.Worm and its variant. Symantec Security Response has developed removal tools to clean infections of W32.Sasser.Worm and W32.Sasser.B.Worm. Additionally, Symantec recommends blocking TCP ports 5554, 9996 and 445 at the perimeter firewall and installing the appropriate Microsoft patch (MS04-011) to prevent remote exploitation of the vulnerability.
Recent Updates
On May 1, 2003, Symantec Security Response identified a variant of the Sasser worm as a Level 3 threat -- W32.Sasser.B.Worm. On May 2, W32.Sasser.B.Worm was upgraded to a Level 4 threat due to the increased submission rate. Symantec Security Response has tracked 2,234 worldwide submissions, including 23 corporate submissions. Unlike the original Sasser worm, W32.Sasser.Worm is predominately infecting consumer systems. The worm also attempts to exploit the LSASS vulnerability and spreads by scanning randomly chosen IP addresses for vulnerable systems.
Additional information on W32.Sasser.B.Worm can be found at http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.b.worm.html.
On April 30, 2003, Symantec Security Response identified W32.Sasser.Worm as a Level 3 threat. W32.Sasser.Worm attempts to exploit the MS04-011 vulnerability and spreads by scanning randomly chosen IP addresses for vulnerable systems. Symantec Security Response tracked 301 worldwide submissions, including 113 corporate submissions.
For additional information on W32.Sasser.Worm, visit http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html.
Symantec has also identified malicious code based on a Gaobot variant that has been modified to propagate through the Microsoft Windows LSASS vulnerability. Gaobot is a type of Trojan that uses IRC. While not as epidemic as a worm, Gaobot still presents an immediate threat due to its ability to compromise a wide range of computers. W32.Gaobot.AFW is a Level 1 threat that spreads through open network shares and several Windows vulnerabilities, including LSASS. W32.Gaobot.AFW can also spread through backdoors installed by the Beagle and Mydoom worms and by the Optix family of backdoors. W32.Gaobot.AFJ is another variant that leverages the Microsoft Windows LSASS vulnerability.
About Symantec
Symantec is the global leader in information security providing a broad range of software, appliances and services designed to help individuals, small and mid-sized businesses, and large enterprises secure and manage their IT infrastructure. Symantec's Norton brand of products is the worldwide leader in consumer security and problem-solving solutions. Headquartered in Cupertino, Calif., Symantec has operations in more than 35 countries. More information is available at www.symantec.com.