Posted: 03 May 2004 09:36
- Joined: 22 Aug 2003
- Posts: 787
- Location: Beograd
Worm.Win32.Sasser in two variants, within two days
Worm.Win32.Sasser.a
[ 05/02/2004 21:54, GMT +03:00, Moscow ]
Danger: moderate risk
This worm spreads via the Internet using a vulnerability in the Microsoft Windows LSASS service. The vulnerability is described in Microsoft Security Bulletin MS04-011, which can be found at:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
The worm is written in C/C++ using Visual C compiler. It is approximately 15KB in size, and packed using ZiPack.
Propagation
When launching, the worm registers itself in the system registry autorun key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
avserve.exe = %WINDIR%\avserve.exe
The worm scans IP addresses, searching for computers which have the vulnerability described in MS04-011. A vulnerable computer will launch the command packet "cmd.exe" on TCP port 9996, and will then accept commands to download and launch copies of the worm.
Downloading is carried out via FTP protocol.
In order to do this the worm launches an FTP server on TCP port 5554 and on request from the victim computer loads a copy of itself. The copy of the worm will be loaded under the name "_up.exe", where "_" is a random number.
Worm.Win32.Sasser.b
[ 05/02/2004 22:14, GMT +03:00, Moscow ]
Danger: moderate risk
This worm spreads via the Internet using a vulnerability in the Microsoft Windows LSASS service. The vulnerability is described in Microsoft Security Bulletin MS04-011, which can be found at:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
The worm is written in C/C++ using Visual C compiler. It is approximately 15KB in size, and packed using ZiPack.
Propagation
When launching, the worm registers itself in the system registry autorun key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
avserve2.exe = %WINDIR%\avserve2.exe
The worm scans IP addresses, searching for computers which have the vulnerability described in MS04-011. A vulnerable computer will launch the command packet "cmd.exe" on TCP port 9996, and will then accept commands to download and launch copies of the worm.
Downloading is carried out via FTP protocol.
In order to do this the worm launches an FTP server on TCP port 5554 and on request from the victim computer loads a copy of itself. The copy of the worm will be loaded under the name "_up.exe", where "_" is a random number.
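As an added example (not part of the original post, nor of the Kaspersky descriptions quoted in it), here is a small Python triage script that checks a host's registry export and netstat output for the indicators the two descriptions list: a Run-key entry named avserve.exe or avserve2.exe pointing into %WINDIR%, and listening sockets on TCP 5554 (the worm's FTP server) and TCP 9996 (the remote cmd.exe shell). The registry and netstat samples are constructed, and the parsing helpers and the triage() function are my own, not a tool from the thread.

```python
import re
from dataclasses import dataclass

# Indicators taken from the two Kaspersky descriptions quoted above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SASSER_RUN_VALUES = {"avserve.exe", "avserve2.exe"}
SASSER_PORTS = {5554: "worm FTP server", 9996: "remote cmd.exe shell"}


@dataclass
class Finding:
    kind: str      # "autorun" or "listener"
    detail: str


def parse_reg_export(text):
    """Parse a minimal .reg export: [Key] sections with "name"="value" lines.
    Returns {key: {value_name: data}}; .reg doubles backslashes, so undo that."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"\s*=\s*"(.*)"$', line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def check_run_key(keys):
    """Flag Run-key values whose name or target executable is one of the worm's names."""
    findings = []
    for name, data in keys.get(RUN_KEY, {}).items():
        exe = data.split("\\")[-1].lower()
        if name.lower() in SASSER_RUN_VALUES or exe in SASSER_RUN_VALUES:
            findings.append(Finding("autorun", f"{RUN_KEY}\\{name} = {data}"))
    return findings


def parse_netstat(text):
    """Parse 'netstat -an' style lines into (local_host, local_port, state) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0].upper() == "TCP":
            host, _, port = parts[1].rpartition(":")
            if port.isdigit():
                rows.append((host, int(port), parts[3].upper()))
    return rows


def check_listeners(rows):
    """Flag listening sockets on the worm's FTP and command ports."""
    return [
        Finding("listener", f"tcp/{port} listening ({SASSER_PORTS[port]})")
        for _host, port, state in rows
        if state == "LISTENING" and port in SASSER_PORTS
    ]


def triage(reg_text, netstat_text):
    """Combine both checks; an empty list means no Sasser indicator was seen."""
    return check_run_key(parse_reg_export(reg_text)) + check_listeners(parse_netstat(netstat_text))


# Constructed samples: one host showing the Sasser.b indicators, one clean host.
INFECTED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avserve2.exe"="C:\\WINDOWS\\avserve2.exe"
"SoundMan"="SOUNDMAN.EXE"
'''
INFECTED_NETSTAT = """  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5554           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9996           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      192.168.1.1:80         ESTABLISHED
"""
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
'''
CLEAN_NETSTAT = """  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      192.168.1.1:80         ESTABLISHED
"""

if __name__ == "__main__":
    for label, reg, ns in (("infected", INFECTED_REG, INFECTED_NETSTAT),
                           ("clean", CLEAN_REG, CLEAN_NETSTAT)):
        hits = triage(reg, ns)
        print(f"{label}: {len(hits)} indicator(s)")
        for f in hits:
            print(f"  [{f.kind}] {f.detail}")
```

On a real host you would feed it the output of `reg export` for the Run key and of `netstat -an`. Note that the name list only covers the autorun entries given in the descriptions; the downloaded copy is written as "_up.exe" with a random numeric prefix, so a fixed-name check will not catch that file, and the listener check is the more robust of the two.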
Posted: 03 May 2004 11:51
- Joined: 17 Apr 2003
- Posts: 3989
- Location: Novi Sad, Vojvodina
Oh, thank God, finally a pest written in a real programming language and not in that little fart of a tool called Visual Basic or VB...
Posted: 03 May 2004 13:10
- Peca
- Main Administrator
- Predrag Damnjanović
- SysAdmin and programmer
- Joined: 17 Apr 2003
- Posts: 23211
- Location: Niš
so another hole in XP, through which anyone can poke around your computer?
nice...
Posted: 03 May 2004 15:30
- VladaPUB
- Legendary citizen
- Joined: 20 Apr 2003
- Posts: 3360
- Location: Beograd
Peca :: so another hole in XP, through which anyone can poke around your computer?
nice...
Who knows what anniversary number this hole in XP is!
Posted: 03 May 2004 22:09
- Peca
- Main Administrator
- Predrag Damnjanović
- SysAdmin and programmer
- Joined: 17 Apr 2003
- Posts: 23211
- Location: Niš
well, probably the second?
the first one was RPC...
Posted: 04 May 2004 18:52
- ghost
- New MyCity citizen
- Joined: 15 Apr 2004
- Posts: 20
- Location: Letograd
Hm... maybe I haven't been following the action closely, but it seems to me that the virus actually uses an already known hole, patched sometime in April (MS04-011):
microsoft.com/technet/security/bulletin/ms04-011.mspx
As for those .exe files, they get a brief mention here:
us.mcafee.com/virusInfo/default.asp?id=description&virus_k=125008
(it doesn't say much, but one more file is mentioned: c:\win2.log)
Only one of my machines got hit, the one on which I had cleverly turned off Windows Update...
Otherwise, a nice virus. First, it spreads without polluting e-mail, and second, it is relatively easy to clean manually - Safe Mode, kill the file, clean the Registry... there's none of that "seven-headed dragon" effect, where you kill one .exe and some .vbs hits you from the other side, and so on in a circle... soon I expect a polite uninstall from Add/Remove Programs as well
Posted: 04 May 2004 19:10
- Joined: 14 Mar 2004
- Posts: 997
- Location: Batina, Baranja, Hrvatska, Evropa, Planeta zemlja
So now will somebody write a link to download all that, because everyone here writes so incomprehensibly it's murder!
Applause for how GoranK did it with W32: the man wrote two links and topic closed. That's how it should be done here too, instead of telling fairy tales; by the time I read all that, RESTART!!
btw: "Server is to busy"
Let me edit:
Ahaha, what luck, f..... it, guess what hit me while I was downloading the patch, I won't even tell you.
Anyway, I downloaded some Stinger crap for finding viruses and it found two files and deleted them, and then I installed the patch WindowsXP-KB835732-x86-ENU.exe.
Posted: 04 May 2004 21:05
- SVITAC
- Legendary citizen
- Joined: 28 Apr 2003
- Posts: 5919
- Location: Beograd
Has anyone read the first post .. it's all there ..
Patch .. definition update .. clean the computer and done ..
The only thing I'd add is that I haven't come across the .A version yet .. .B is more widespread .. .. ..
Posted: 04 May 2004 21:35
- Joined: 14 Mar 2004
- Posts: 997
- Location: Batina, Baranja, Hrvatska, Evropa, Planeta zemlja
Well, do you think I have time to read that stuff up there, and in English on top of it, great, while the virus is just waiting for the restart, btw: and it succeeded.
You just need to put up a patch link, a cleanup link, a link for this and that, whatever is needed, and bye, instead of losing ourselves here in posts, because that applies to everyone in general and I don't believe it's only me.