Sasser Worm Local Security Authority (LSA) exploit
There is a buffer overrun vulnerability in the service-wrapper Lsass.exe. By default the service-wrapper listens on port 139 and 445, so when sending a special crafted message to one of these ports, then it is possible to execute malicious commands within the context of the service-wrapper.
The following operating systems has this security hole: - Windows 2000 SP1, SP2, SP3, SP4
- Windows XP SP1
This means that after having made a clean install of Windows 2000/XP, and one connects to the Internet without a firewall activated, then one is vulnerable to attacks. The Sasser worm is the most common attacker.
More Info SecurityFocus.com (Exploit sample code)
Exploit side effects:
The service wrapper Lsass.exe is vital for the operation of Windows, so when vulnerable to attacks then it might crash and cause Windows to shutdown. One of the following messages are usually shown when the Lsass.exe crashes:
*LSASS has terminated, the system is going to shutdown in 60 seconds…
Faulting application lsass.exe, version 5.1.2600.1106, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
The error: “C:\Windows\system32\lsass.exe terminated unexpectantly with status code - 1073741819”
LSA Shell (Export Version) has encountered a problem and needs to close. We are sorry for any inconvience.
The system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. The shutdown was initiated by NT Authority\SYSTEM.
The system process “C:\winnt\system32\lsass.exe’ terminated unexpectedly with status code 128. The system will now shutdown and restart.*
The result of the attacks is usually that the system becomes infected with a virus, which take control of the CPU and the Internet bandwidth, and it is then used for attacking other machines on the Internet.
Solution to prevent exploit:
- Consider enabling a firewall to prevent future attacks (Like Windows XP Firewall)
- Download and install the Microsoft patch MS04-011 Security Update for Microsoft Windows (835732).
- If unable to install the patch in normal mode, then boot in safemode and install it.
- If installing the patch in safemode, then remember to reinstall the patch afterwards in normal mode. More Info MS KB818460
- Download the newest virus database for your existing AntiVira Scanner and scan or use housecall.antivirus.com. (If using WinXP remember to turn off System Restore temporarily)
- Microsoft have created their own Microsoft Windows Malicious Software Removal Tool (MS KB890830) because newly installed systems are easily infected. (Replaces MS KB841720)
- McAfee have updated their Stinger to handle the most common infections caused by this exploit
- Check Windows Update to see if there are other critical patches for your system
Note to stop WinXP/Win2k3 from shutting down within 60 secs (Will give time to download and install patch), press the Start-button and Run… this command:
Note it is possible to block the attacks without installing the patch by doing one of the following:
- Create an empty readonly file called “dcpromo.log” in %systemroot%\debug (Ex. C:\WinNT\Debug) by executing these two commands (Press Start-Button and Run…)
cmd /c type nul > %systemroot%\debug\dcpromo.log
attrib +R %systemroot%\debug\dcpromo.log
- Disable nbt.sys and block port 139 and 445
More information about the LSA attackers:
- W32.Sasser.Worm (avserve.exe)
- W32.Sasser.B.Worm (avserve2.exe)
- W32.Sasser.C.Worm (?????_up.exe ex. 12345_up.exe)
- W32.Sasser.D.Worm (skynetave.exe)
- W32.Sasser.E.Worm (lsasss.exe)
- W32.Sasser.F.Worm (napatch.exe)
- W32.Sasser.G.Worm (lsasss.exe)
- W32.Gaobot.AFC (wmiprvsw.exe)
- W32.Gaobot.AFJ (msiwin84.exe)
- W32.Gaobot.AFW (hkey.exe)
- W32.Gaobot.AJD (wauclt.exe)
- W32.Korgo.A (Random Filename)
- W32.Korgo.B (Random Filename)
- W32.Korgo.C (Random Filename)
- W32.Korgo.D (Random Filename)
- W32.Korgo.E (Random Filename)
- W32.Korgo.F (Random Filename)
- W32.Korgo.G (Random Filename)
- W32.Korgo.H (Random Filename)
- W32.Korgo.I (Random Filename)