
Warning - Sasser Worm not detected by Norton

Status
Not open for further replies.
We have all the latest downloads and run a nightly full system scan using Norton Internet Security Professional. Nothing was detected, but yesterday we had a Mailer-Daemon returned email from an unknown person at a client corporation. I had not emailed this unknown person. The content of the email (no attachment) was gobbledygook, but we managed to decipher a reference to a file "3D Text.scr". Doing an internet search led me on a trail which implied it might be a Sasser Worm.

I could find nothing in the Norton Knowledge Base about this. I went to the McAfee site and downloaded one of their Sasser removal tools. It detected and removed the virus named "W32/Mydoom.a.eml!exevirus!!!" This virus was listed on their site as being detected on 16/6/2004!

I recommend that if you are a business you contact your IT manager to ensure that your anti-virus scanner can detect and remove this virus.

If you are using your own PC you might want to download the Mcafee Sasser virus removal tool. It can be found at the following link:-

 
BernardStewart,

Usually a mailer-daemon bounce message indicates that a message was sent from an infected computer with a random address from that computer's address book as the sender.

The W32.Mydoom.A@mm virus was discovered by Symantec on January 26, 2004 and included in virus definitions dated January 26, 2004 and later.

Symantec does provide a removal tool, as well as detailed information about the threat on their web site.

Wishdiak
A+, Network+, Security+, MCSA: Security 2003
 
Just so you know... Mydoom and Sasser are not the same virus.

W32.Mydoom.B@mm is a mass-mailing worm that arrives as an attachment with the file extension .bat, .cmd, .exe, .pif, .scr, or .zip.

When a computer is infected, the worm will set up a backdoor into the system, which can potentially allow an attacker to connect to the computer and use it as a proxy to gain access to its network resources.

In addition, the backdoor can download and execute arbitrary files.

The worm will perform a Denial of Service (DoS) against starting February 3, 2004 and starting February 1, 2004. It also has a trigger date to stop spreading on March 1, 2004. These events will only occur if the worm is run between or after those dates. While the worm will stop spreading on March 1, 2004, the backdoor component will continue to function after this date.

W32.Sasser.Worm is a worm that attempts to exploit the vulnerability described in Microsoft Security Bulletin MS04-011. It spreads by scanning randomly selected IP addresses for vulnerable systems.
Note: The vulnerability described is LSASS

Computer/Network Technician
CCNA
 
I noticed your version was mydoom.a

Due to a decreased rate of submissions, Symantec Security Response has downgraded this threat from a Category 3 to a Category 2 rating as of March 30, 2004.

W32.Mydoom.A@mm (also known as W32.Novarg.A) is a mass-mailing worm that arrives as an attachment with the file extension .bat, .cmd, .exe, .pif, .scr, or .zip.

When a computer is infected, the worm sets up a backdoor into the system by opening TCP ports 3127 through 3198, which can potentially allow an attacker to connect to the computer and use it as a proxy to gain access to its network resources.

In addition, the backdoor can download and execute arbitrary files.

There is a 25% chance that a computer infected by the worm will perform a Denial of Service (DoS) on February 1, 2004 starting at 16:09:18 UTC, which is also the same as 08:09:18 PST, based on the machine's local system date/time. If the worm does start the DoS attack, it will not mass mail itself. It also has a trigger date to stop spreading/DoS-attacking on February 12, 2004. While the worm will stop on February 12, 2004, the backdoor component will continue to function after this date.

Computer/Network Technician
CCNA
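The two host-side indicators quoted in the reply above (a backdoor listener on TCP 3127 through 3198, and attachments with the extensions the worm mails itself with) can be checked without waiting for a scanner signature. This is an added example, not code from the original posts or from Symantec; the `netstat -an` output and file names below are constructed sample data.

```python
"""Triage helpers for the two Mydoom.A indicators quoted in the thread:
a listener on TCP 3127-3198 (the backdoor/proxy) and mail attachments
with the extensions the worm uses. Added example, not from the original
posts; the netstat lines below are constructed sample data."""
import re

BACKDOOR_PORTS = range(3127, 3199)          # TCP 3127 through 3198 inclusive
WORM_EXTENSIONS = {".bat", ".cmd", ".exe", ".pif", ".scr", ".zip"}

# Matches the Windows 'netstat -an' layout: proto, local addr:port, foreign addr, state
_NETSTAT_RE = re.compile(r"^\s*(TCP)\s+(\S+?):(\d+)\s+\S+\s+(\w+)", re.IGNORECASE)


def backdoor_listeners(netstat_output: str) -> list[int]:
    """Return the sorted local TCP ports in the Mydoom.A backdoor range that
    are in LISTENING state in a 'netstat -an' dump."""
    ports = set()
    for line in netstat_output.splitlines():
        m = _NETSTAT_RE.match(line)
        if m and m.group(4).upper() == "LISTENING":
            port = int(m.group(3))
            if port in BACKDOOR_PORTS:
                ports.add(port)
    return sorted(ports)


def suspicious_attachment(filename: str) -> bool:
    """True if the attachment's final extension is one the worm mails itself
    with. The check is case-insensitive and looks at the last dot only, so
    '3D Text.scr' and 'readme.TXT.PIF' are both flagged."""
    name = filename.strip().lower()
    dot = name.rfind(".")
    return dot != -1 and name[dot:] in WORM_EXTENSIONS


# Constructed sample: one host with backdoor listeners, plus normal services.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:3128      10.0.0.5:80            ESTABLISHED
  TCP    0.0.0.0:3198           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:500            *:*
"""

if __name__ == "__main__":
    print("backdoor listeners:", backdoor_listeners(SAMPLE_NETSTAT))  # [3127, 3198]
    for f in ("3D Text.scr", "invoice.zip", "notes.txt"):
        print(f, "->", suspicious_attachment(f))
```

A listener in that range is only a lead, not proof: confirm which process owns the socket before treating the host as infected.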
 