Welcome to blog teknik dan jaringan

W32.Sasser.Worm

Posted by amar xaxena

Brief Description:
--------------------
W32.Sasser.Worm is a worm that spreads by scanning randomly chosen IP addresses for machines vulnerable to the LSASS exploit. This worm and a couple of its variants have quickly spread worldwide (beginning early on May 1st). W32.Sasser.Worm starts an FTP server on TCP port 5554 and generates traffic on TCP ports 445 and 9996. It also starts 128 network scanning threads, most likely causing severe degradation in system performance.

Characteristics:
------------------
When W32.Sasser.Worm runs, it does the following:

-- Attempts to create a mutex called Jobaka3l and exits if the attempt fails. This ensures that no more than one instance of the worm can run on the computer at any time.

-- Copies itself as %Windir%\avserve.exe.

Note: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.

-- Adds the value:
"avserve.exe"="%Windir%\avserve.exe"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the worm runs when you start Windows.

-- Uses the AbortSystemShutdown API to hinder attempts to shut down or restart the computer.

-- Starts an FTP server on TCP port 5554. This server is used to spread the worm to other hosts.

-- Attempts to connect to randomly generated IP addresses on TCP port 445. If a connection is made to a computer, the worm sends shellcode to that computer, which may cause it to run a remote shell on TCP port 9996. The worm then uses the shell to cause the computer to connect back to the FTP server on port 5554 and retrieve a copy of the worm. This copy will have a name consisting of 4 or 5 digits followed by _up.exe (e.g., 74354_up.exe).

The IP addresses generated by the worm are distributed as follows:
• 50% are completely random
• 25% have the same first octet as the IP address of the infected host
• 25% have the same first and second octet as the IP address of the infected host.

-- Summary of TCP ports used by the worm:
445/TCP: - The worm attacks through this port
5554/TCP: - FTP server on infected systems
9996/TCP: - Remote shell opened by the exploit on the vulnerable hosts

-- The worm starts 128 threads that scan randomly chosen IP addresses. This demands a lot of CPU time, and as a result an infected computer may be so slow as to be barely usable.

-- Computers are probed on port 445, which is the default port for Windows SMB communication on NT-based systems.

The probing might crash unpatched computers.
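The port sequence and file name pattern listed above can be checked against connection logs. The following is an added example, not part of the original post: it flags hosts probing many distinct addresses on TCP 445 and host pairs showing the 445, 9996, 5554 sequence. The log format, sample addresses, function names and the scan threshold are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample flow records (not real traffic): "time src dst dport"
SAMPLE_FLOWS = """\
10:00:01 10.1.1.5 10.1.7.20 445
10:00:01 10.1.1.5 10.1.9.31 445
10:00:02 10.1.1.5 172.16.4.8 445
10:00:02 10.1.1.5 10.1.7.20 9996
10:00:03 10.1.7.20 10.1.1.5 5554
10:00:04 10.1.2.9 10.1.2.10 445
10:00:05 10.1.1.5 198.51.100.7 445
"""

# Name of the retrieved copy per the description: 4 or 5 digits + "_up.exe"
DROPPED_NAME = re.compile(r"\d{4,5}_up\.exe", re.IGNORECASE)

def parse_flows(text):
    """Yield (src, dst, dport) from the assumed 4-column log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3].isdigit():
            yield parts[1], parts[2], int(parts[3])

def find_sasser_activity(text, scan_threshold=3):
    """Return likely scanners and (source, victim) infection pairs.

    scan_threshold is an assumed tuning value: ordinary SMB clients also
    use 445, so only hosts reaching many distinct peers are flagged.
    Event ordering is not checked; only the presence of each leg is.
    """
    smb_targets = defaultdict(set)  # src -> distinct hosts contacted on 445
    shell = set()                   # (src, dst) connections to port 9996
    ftp_back = set()                # (src, dst) connections to port 5554
    for src, dst, dport in parse_flows(text):
        if dport == 445:
            smb_targets[src].add(dst)
        elif dport == 9996:
            shell.add((src, dst))
        elif dport == 5554:
            ftp_back.add((src, dst))
    scanners = sorted(s for s, t in smb_targets.items() if len(t) >= scan_threshold)
    # Full chain: A probes B on 445, A opens B:9996, B connects back to A:5554
    chains = sorted((a, b) for a, b in shell
                    if b in smb_targets.get(a, ()) and (b, a) in ftp_back)
    return {"scanners": scanners, "infections": chains}

def is_dropped_copy(filename):
    """True if a file name matches the worm's <digits>_up.exe pattern."""
    return DROPPED_NAME.fullmatch(filename) is not None
```
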

Under Windows 2000, users may see a Windows error message like this:

[Image: Windows error message]