Warning! W32.Sasser.B.Worm (Category 4)

NonDisputandum.com

As you may well know already the world's latest wave of virus attacks has
been highlighted by the Sasser Worm. More specifically its first variant. To
read about the Sasser and its variants go here:

http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.b.worm.html

Already saw it 3 times in version B on my daughter's WinME
computer... XP seems safely patched. My computers are behind a router
with firewall... the XP running Norton AV & firewall.. the ME running
Kaspersky... which shall (again) be replaced by (low resources) Panda
Platinum in the hope that that will auto-kill the virus when it pops
up... any other ways to secure the Win ME?
--
Freeware reviews for your Windows PC:
Honest & No Nags: www.NONDISPUTANDUM.com
Protection, Cleaning, Office, Webbuilding,
Newsfeeds, Entertainment, Searching, Music,
Do the internet addiction test!
 
Already saw it 3 times in version B on my daughter's WinME
computer... XP seems safely patched. My computers are behind a router
with firewall... the XP running Norton AV & firewall.. the ME running
Kaspersky... which shall (again) be replaced by (low resources) Panda
Platinum in the hope that that will auto-kill the virus when it pops
up... any other ways to secure the Win ME?

See my web site.


Art
http://www.epix.net/~artnpeg
 
Gabriele Neukam

On that special day, NonDisputandum.com,
(webmaster_remove@remove_nondisputandum.com) said...
Already saw it 3 times in version B on my daughter's WinME
computer...

Impossible. It is specialized to attack a vulnerability only present on
Win2000 and XP systems. There is no lsass file anywhere on my WinME
machine, that could be exploited. You must have mistaken another worm
for sasser.


Gabriele Neukam

(e-mail address removed)
 
me

Gabriele said:
On that special day, NonDisputandum.com,
(webmaster_remove@remove_nondisputandum.com) said...


Impossible. It is specialized to attack a vulnerability only present on
Win2000 and XP systems. There is no lsass file anywhere on my WinME
machine, that could be exploited. You must have mistaken another worm
for sasser.

Gabriele Neukam

(e-mail address removed)

The OP says "saw" -- whatever that means.

< quote Symantec >
W32.Sasser.B.Worm can run on (but not infect) Windows 95/98/Me
computers. Although these operating systems cannot be
infected, they can still be used to infect vulnerable systems
that they are able to connect to. In this case, the worm will
waste a lot of
resources so that programs cannot run properly, including our
removal tool.
< /quote >

J
 
NonDisputandum.com

On that special day, NonDisputandum.com,
(webmaster_remove@remove_nondisputandum.com) said...


Impossible. It is specialized to attack a vulnerability only present on
Win2000 and XP systems. There is no lsass file anywhere on my WinME
machine, that could be exploited. You must have mistaken another worm
for sasser.


Gabriele Neukam

(e-mail address removed)


Listen,.. I ran a full system check with Kaspersky - that I just had
installed a few days before after Panda had run out - I was worried and
wanted to check my system,.. three times within a few seconds it said
to detect the virus... Kaspersky never detected anything before the
full system check...

As I'm not yet fully convinced that Kaspersky does a perfect job, I
deleted it and downloaded - as I used before - Pandasoftware again.

Not possible is not what I saw... 3 times is more like it.

The concerning PC (of my daughter) runs on WinME - P2/126 Mb ram -
IE6.

My own P4 Win XP never found anything. Running Norton + firewall.

Both PCs are behind a broadband router with firewall... The P2 is
connected wireless.

I did not mistake the worm as far as I can remember... would be a
coincidence don't you think?

Indeed,... if I was right... how to explain?

--
Freeware reviews for your Windows PC:
Honest & No Nags: www.NONDISPUTANDUM.com
Protection, Cleaning, Office, Webbuilding,
Newsfeeds, Entertainment, Searching, Music,
Do the internet addiction test!
 
NonDisputandum.com

The OP says "saw" -- whatever that means.

< quote Symantec >
W32.Sasser.B.Worm can run on (but not infect) Windows 95/98/Me
computers. Although these operating systems cannot be
infected, they can still be used to infect vulnerable systems
that they are able to connect to. In this case, the worm will
waste a lot of
resources so that programs cannot run properly, including our
removal tool.
< /quote >

J

Thank you for explaining that...

That is the information that I needed to be convinced that my system
was never in any danger but only carrier... though "not ill", I don't
want it to be the host that infects other systems.. so I take any
possible precaution... and so should we all.. it's a shared
responsibility to protect ourselves and thus others..
--
Freeware reviews for your Windows PC:
Honest & No Nags: www.NONDISPUTANDUM.com
Protection, Cleaning, Office, Webbuilding,
Newsfeeds, Entertainment, Searching, Music,
Do the internet addiction test!
 
Gabriele Neukam

On that special day, , ([email protected]) said...
W32.Sasser.B.Worm can run on (but not infect) Windows 95/98/Me
computers. Although these operating systems cannot be
infected, they can still be used to infect vulnerable systems
that they are able to connect to.

Any details on the technical side, please. I cannot imagine how a
program (it is one, in the end) that is made for a NT derivative, can be
running on a Windows that is in no way similar to NT. The dlls are all
different; I couldn't install NT dll files on my ME machine, they would
not even start working. So how can a sasser "run" on ME?

The only thing that can happen, is that a ME machine that works as an
internet connector (with ICS or Jana), will of course route the worm to
another computer, and that one might be infected, if the latter is
running W2K or XP. But that is all that can happen. ME is perhaps acting
as a gate, but not infected and not running the worm.

Of course, I could just as well set up a firewall and "see" my machine
being "attacked" by those connection attempts and pings (the latter is
done by the D variant) coming in in huge masses. But that only means,
Sasser is knocking at the door, it doesn't mean it is making use of my
system and ram.


Gabriele Neukam

(e-mail address removed)
 
me

Gabriele said:
On that special day, , ([email protected]) said...


Any details on the technical side, please. I cannot imagine how a
program (it is one, in the end) that is made for a NT derivative, can be
running on a Windows that is in no way similar to NT. The dlls are all
different; I couldn't install NT dll files on my ME machine, they would
not even start working. So how can a sasser "run" on ME?

The only thing that can happen, is that a ME machine that works as an
internet connector (with ICS or Jana), will of course route the worm to
another computer, and that one might be infected, if the latter is
running W2K or XP. But that is all that can happen. ME is perhaps acting
as a gate, but not infected and not running the worm.

Of course, I could just as well set up a firewall and "see" my machine
being "attacked" by those connection attempts and pings (the latter is
done by the D variant) coming in in huge masses. But that only means,
Sasser is knocking at the door, it doesn't mean it is making use of my
system and ram.

Gabriele Neukam

(e-mail address removed)

I really don't know. See if you can make more sense out of their
explanation at (may wrap):
http://securityresponse.symantec.com/avcenter/venc/data/pf/w32.sasser.B.worm.html

J
 
FromTheRafters

Gabriele Neukam said:
On that special day, , ([email protected]) said...


Any details on the technical side, please. I cannot imagine how a
program (it is one, in the end) that is made for a NT derivative, can be
running on a Windows that is in no way similar to NT. The dlls are all
different; I couldn't install NT dll files on my ME machine, they would
not even start working. So how can a sasser "run" on ME?

Don't both kernel types provide the same basic abstractions (virtual
machine) and the ability to run the W32 type executables?

The only thing that can happen, is that a ME machine that works as an
internet connector (with ICS or Jana), will of course route the worm to
another computer, and that one might be infected, if the latter is
running W2K or XP. But that is all that can happen. ME is perhaps acting
as a gate, but not infected and not running the worm.

I don't think that this is what they meant. I think what they meant
by infection is the automatic running of the worm (fully supported)
through the exploit, and what they meant by "run on" is that the
other OSs do indeed support the running of that executable even
if not fully supporting all of its calls or allowing it to persist beyond
a reboot.

I'm just guessing of course, and it would be nice to have an
official explanation.

[snip]
 
NonDisputandum.com

Gabriele Neukam said:
On that special day, , ([email protected]) said...


Any details on the technical side, please. I cannot imagine how a
program (it is one, in the end) that is made for a NT derivative, can be
running on a Windows that is in no way similar to NT. The dlls are all
different; I couldn't install NT dll files on my ME machine, they would
not even start working. So how can a sasser "run" on ME?

Don't both kernel types provide the same basic abstractions (virtual
machine) and the ability to run the W32 type executables?

The only thing that can happen, is that a ME machine that works as an
internet connector (with ICS or Jana), will of course route the worm to
another computer, and that one might be infected, if the latter is
running W2K or XP. But that is all that can happen. ME is perhaps acting
as a gate, but not infected and not running the worm.

I don't think that this is what they meant. I think what they meant
by infection is the automatic running of the worm (fully supported)
through the exploit, and what they meant by "run on" is that the
other OSs do indeed support the running of that executable even
if not fully supporting all of its calls or allowing it to persist beyond
a reboot.

I'm just guessing of course, and it would be nice to have an
official explanation.

[snip]

One thing seems clear,... even though the so called not compatible
system is not "ill", it can act as host. Question is if acting as
host,.. can it also provide survival & reproduction for the worm?

It kinda makes me think about the difference between HIV and AIDS.
XP can get AIDS,... Win ME and below can host? Indeed waiting for an
official explanation while version c & d boost their ravaging tour
though as it seems,.. the worm only reproduces & freezes systems
without really destroying anything... at the time...
--
Freeware reviews, honest, no nags
www.NONDISPUTANDUM.com
protect, clean, office, webbuilding
newsfeeds, entertainment, searching
.... & the internet addiction test!
 
