New epidemic - patch Windows!


offline
  • SINGI
  • Joined: 22 Aug 2003
  • Posts: 787
  • Lives in: Beograd

Worm.Win32.Sasser in two variants, within two days Shocked

Worm.Win32.Sasser.a
[ 05/02/2004 21:54, GMT +03:00, Moscow ]
Danger : moderate risk

This worm spreads via the Internet using a vulnerability in the Microsoft Windows LSASS service. The vulnerability is described in Microsoft Security Bulletin MS04-011, which can be found at:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

The worm is written in C/C++ using the Visual C compiler. It is approximately 15KB in size, and packed using ZiPack.

Propagation
When launching, the worm registers itself in the system registry autorun key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
avserve.exe = %WINDIR%\avserve.exe

The worm scans IP addresses, searching for computers which have the vulnerability described in MS04-011. A vulnerable computer will launch the command packet "cmd.exe" on TCP port 9996, and will then accept commands to download and launch copies of the worm.

Downloading is carried out via FTP protocol.

In order to do this the worm launches an FTP server on TCP port 5554 and on request from the victim computer loads a copy of itself. The copy of the worm will be loaded under the name "_up.exe", where "_" is a random number.

Worm.Win32.Sasser.b
[ 05/02/2004 22:14, GMT +03:00, Moscow ]
Danger : moderate risk

This worm spreads via the Internet using a vulnerability in the Microsoft Windows LSASS service. The vulnerability is described in Microsoft Security Bulletin MS04-011, which can be found at:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

The worm is written in C/C++ using the Visual C compiler. It is approximately 15KB in size, and packed using ZiPack.

Propagation
When launching, the worm registers itself in the system registry autorun key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
avserve2.exe = %WINDIR%\avserve2.exe

The worm scans IP addresses, searching for computers which have the vulnerability described in MS04-011. A vulnerable computer will launch the command packet "cmd.exe" on TCP port 9996, and will then accept commands to download and launch copies of the worm.

Downloading is carried out via FTP protocol.

In order to do this the worm launches an FTP server on TCP port 5554 and on request from the victim computer loads a copy of itself. The copy of the worm will be loaded under the name "_up.exe", where "_" is a random number.
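The two write-ups above give a defender everything needed for a quick triage: the autorun value names (avserve.exe / avserve2.exe), the two listener ports (TCP 5554 for the worm's FTP server, TCP 9996 for the command shell) and the "<number>_up.exe" name of the downloaded copy. The following Python script is an added example, not part of the Kaspersky descriptions or of the forum post; it runs those indicators over constructed sample data (a Run-key dump, firewall log lines in a hypothetical space-separated format, and a directory listing) so the matching logic can be tested offline. The log format, the sample IP addresses and the digit-prefix pattern for the dropped copy are assumptions made for the example.

```python
import re

# Indicators quoted in the Kaspersky write-ups above (Sasser.a / Sasser.b).
AUTORUN_VALUES = {"avserve.exe": "Sasser.a", "avserve2.exe": "Sasser.b"}
WORM_PORTS = {5554: "worm FTP server", 9996: "command shell listener"}
# The copy is fetched as "<number>_up.exe"; the number is random, so any
# digit run is accepted (assumption: the prefix is purely numeric).
DROPPED_COPY = re.compile(r"^\d+_up\.exe$", re.IGNORECASE)

# Constructed sample of Run-key values (value name -> command); not from a real host.
SAMPLE_RUN_KEY = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "avserve2.exe": r"C:\WINDOWS\avserve2.exe",
}

# Constructed firewall log lines in a hypothetical format:
# date time action proto src dst sport dport
SAMPLE_FW_LOG = """\
2004-05-02 21:54:10 ALLOW TCP 192.0.2.10 192.0.2.25 1048 445
2004-05-02 21:54:11 ALLOW TCP 192.0.2.10 192.0.2.25 1049 9996
2004-05-02 21:54:12 ALLOW TCP 192.0.2.25 192.0.2.10 1031 5554
2004-05-02 21:55:00 ALLOW TCP 192.0.2.30 198.51.100.7 1050 80
"""

# Constructed directory listing of a Windows system folder.
SAMPLE_FILES = ["kernel32.dll", "4839_up.exe", "cmd.exe", "win2.log"]


def check_run_key(values):
    """Return (value name, command, variant) for each Run entry naming a worm executable."""
    hits = []
    for name, command in values.items():
        exe = re.split(r"[\\/]", command)[-1].lower()
        variant = AUTORUN_VALUES.get(exe) or AUTORUN_VALUES.get(name.lower())
        if variant:
            hits.append((name, command, variant))
    return hits


def check_firewall_log(text):
    """Return (src, dst, dport, role) for TCP connections to the worm's listener ports."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[3] != "TCP":
            continue  # skip malformed lines and non-TCP traffic
        dport = int(parts[7])
        if dport in WORM_PORTS:
            hits.append((parts[4], parts[5], dport, WORM_PORTS[dport]))
    return hits


def check_dropped_copies(filenames):
    """Return file names matching the worm's downloaded-copy naming pattern."""
    return [f for f in filenames if DROPPED_COPY.match(f)]


def triage(run_key, fw_log, files):
    """Combine the three checks into one report dictionary."""
    return {
        "autorun": check_run_key(run_key),
        "connections": check_firewall_log(fw_log),
        "dropped_copies": check_dropped_copies(files),
    }


if __name__ == "__main__":
    for section, hits in triage(SAMPLE_RUN_KEY, SAMPLE_FW_LOG, SAMPLE_FILES).items():
        print(f"{section}: {hits if hits else 'nothing found'}")
```

The connection check is intentionally direction-aware: a host connecting out to port 5554 is a victim fetching the copy, while a host receiving connections on 9996 is being driven as a fresh infection, so both sides of a flow are worth reporting when walking firewall logs for the outbreak.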



offline
  • AxeZ
  • Legendary citizen
  • Joined: 17 Apr 2003
  • Posts: 3989
  • Lives in: Novi Sad, Vojvodina

Oh praise the Lord, finally a pest written in a real programming language and not in that turd of a tool called Visual Basic or VB... Smile



offline
  • Peca  Male
  • Chief Administrator
  • Predrag Damnjanović
  • SysAdmin and programmer
  • Joined: 17 Apr 2003
  • Posts: 23162
  • Lives in: Niš

so, another hole in XP through which anyone can poke around your computer?
nice...

offline
  • Vlada
  • Joined: 20 Apr 2003
  • Posts: 3360
  • Lives in: Beograd

Peca ::so, another hole in XP through which anyone can poke around your computer?
nice...


Who knows which anniversary hole in XP this one is!

offline
  • Peca  Male
  • Chief Administrator
  • Predrag Damnjanović
  • SysAdmin and programmer
  • Joined: 17 Apr 2003
  • Posts: 23162
  • Lives in: Niš

the second one, I suppose?
the first was RPC...

offline
  • Puky  Male
  • Scottish rebel
  • Joined: 18 Apr 2003
  • Posts: 5815
  • Lives in: the Dragon's nest

Had my baptism of fire with "her" today and solved it very easily.
Agobot gave me more trouble than this.

HMMMM ... nobody has mentioned yet that in C:\Win_folder\System there are a few more .exe files with 4 different digits in their names

So, when someone gets this picture


and then, while you are online, this one:



...know that you have Sasser on your computer.

offline
  • ghost
  • New MyCity citizen
  • Joined: 15 Apr 2004
  • Posts: 20
  • Lives in: Letograd

Hm... maybe I wasn't following the action closely, but it seems to me the virus actually uses an already known hole, patched sometime in April (MS04-011):

microsoft.com/technet/security/bulletin/ms04-011.mspx

As for those .exe files, they get a brief mention here:

us.mcafee.com/virusInfo/default.asp?id=description&virus_k=125008

(it doesn't say much, but it mentions one more file: c:\win2.log)

Only one of my machines got hit, the one where I had cleverly turned off Windows Update... Wink

Otherwise, a nice virus. First, it spreads without polluting e-mail, and second, it's relatively easy to clean by hand - Safe Mode, kill the file, clean the Registry... none of that "seven-headed dragon" effect where you kill one .exe and some .vbs hits you from the other side, and so on in a circle... I soon expect a civilised uninstall from Add/Remove Programs too Wink

offline
  • Šile
  • Honorary citizen
  • Joined: 14 Mar 2004
  • Posts: 997
  • Lives in: Batina, Baranja, Croatia, Europe, Planet Earth

So now would somebody post a link to download all of that, because everyone here writes so incomprehensibly it's murder!
Applause for how GoranK handled W32: the man wrote two links and topic closed. That's how it should be done here too, instead of telling fairy tales; by the time I read all of that, RESTART!!
btw: "Server is to busy"

Let me edit:
Ahaha, lucky us, damn it... guess what hit me while I was downloading the patch, I won't even tell you.
Anyway, I downloaded some Stinger thing for finding viruses and it found two files and deleted them, and then I installed the patch WindowsXP-KB835732-x86-ENU.exe.

offline
  • SVITAC
  • Legendary citizen
  • Joined: 28 Apr 2003
  • Posts: 5919
  • Lives in: Beograd

Did anyone read the first post .. it's all written there ..
Patch .. definition update .. clean the computer and done ..

I'd only add that I haven't run into the .A version yet .. .B is more common .. .. ..

offline
  • Šile
  • Honorary citizen
  • Joined: 14 Mar 2004
  • Posts: 997
  • Lives in: Batina, Baranja, Croatia, Europe, Planet Earth

What, you think I have time to read all that up there, and in English no less, great, while the virus just waits for the restart btw: and it succeeded.

You just need to post the patch link, the cleaning link, a link for whatever else is needed, and bye, instead of us getting lost in posts, because I believe that applies to everyone in general and not just to me.
