Hackers News / Hacker University

Donation bitcoin (Bitcoin address for donations)

1Pq3K39XM5xx4CifGKgppXeavtWNNHH7K4

Donated bitcoin is used for the "security-vulnerable" (people without adequate security).

Notice

1. The warning window in the MS Edge browser goes away if you turn off 'Windows Defender'.

             'Turn off Windows Defender'

2. The malware warning window that appears when connecting with the Chrome browser is a Google Chrome error, i.e. a false positive (detection error), so you can ignore it.

3. We inform you that this site is safe and clean.

4. The indiscriminate 'detection-error tyranny' of the giant corporations' browsers toward innocent sites infringes on users' freedom to share information. In response, we are preparing a lawsuit against these companies.



Virus alert provided by Hackers News
2004/6/11 (Fri)
Sasser.G variant worm
Virus/worm name: Sasser.G variant worm
Issued: June 11
Virus type: Worm
Risk level: High
Affected systems: Windows
W32.Sasser.G is a minor variant of W32.Sasser.Worm. It attempts to exploit the LSASS vulnerability described in Microsoft Security Bulletin MS04-011 and spreads by scanning randomly selected IP addresses for vulnerable systems. The worm's function is identical to that of W32.Sasser.E.Worm, except that W32.Sasser.G contains an extra PE file section, 1 byte in size, that appears to have no function. W32.Sasser.G differs from W32.Sasser.Worm as follows:

Uses a different mutex: SkynetNotice.
Uses a different file name: lsasss.exe.
Creates a different value in the registry: "lsasss.exe".
Uses different port numbers for the FTP server and the remote shell: 1023 and 1022 respectively.
Displays a message after it has been running for 2 hours.
Deletes the registry values known to be installed by Trojan.Mitglieder, W32.Beagle.W@mm, and W32.Beagle.X@mm.
The name of the file retrieved from the FTP server ends in _update.exe.
Logs data to the file C:\ftplog.txt.
Has an updated routine for finding vulnerable computers: W32.Sasser.G sends an ICMP echo request before attempting to make a connection. This change may prevent the worm from executing properly on Windows 2000 systems.

W32.Sasser.G can run on, but not infect, Windows 95/98/Me computers. Although these operating systems cannot be infected, they can still be used to infect vulnerable computers.
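The propagation sequence summarised above (ICMP echo request, then a connection to the LSASS service on TCP/445, then the remote shell on TCP/1022 and the victim pulling the worm back from the attacker's FTP server on TCP/1023) is a distinctive network pattern. The following detection logic, written as an added example for this page and not part of the original alert or of any vendor tool, runs over constructed flow records (not a real capture); the scan threshold of 20 targets is an assumed tuning value.

```python
"""Network-side detection of the Sasser.G propagation pattern described on this
page: ICMP echo request, then TCP/445 (LSASS exploit), then the victim's shell on
TCP/1022, then the victim pulling the worm from the attacker's FTP server on
TCP/1023. Added example; the flow records below are constructed, not captured."""
from collections import defaultdict
from dataclasses import dataclass

SHELL_PORT = 1022    # remote shell opened on the victim (from the alert)
FTP_PORT = 1023      # worm's FTP server on the infected host (from the alert)
SCAN_THRESHOLD = 20  # distinct /445 targets before a host counts as a scanner (assumed)


@dataclass(frozen=True)
class Flow:
    ts: float
    src: str
    dst: str
    proto: str  # "icmp" or "tcp"
    dport: int  # 0 for icmp


def build_sample_flows():
    """Constructed sample: one scanner sweeping 25 hosts, one successful
    infection, and one benign workstation mapping a share."""
    flows, t = [], 0.0
    scanner, victim = "198.51.100.7", "203.0.113.9"
    for i in range(1, 26):
        dst = f"203.0.113.{i}"
        flows.append(Flow(t, scanner, dst, "icmp", 0)); t += 0.01   # ping first
        flows.append(Flow(t, scanner, dst, "tcp", 445)); t += 0.01  # then connect/exploit
    flows.append(Flow(t, scanner, victim, "tcp", SHELL_PORT)); t += 0.5  # remote shell
    flows.append(Flow(t, victim, scanner, "tcp", FTP_PORT)); t += 0.5    # pull the worm
    flows.append(Flow(t, "198.51.100.20", "203.0.113.50", "tcp", 445))   # benign SMB, no ping
    return flows


def sasser_scanners(flows, threshold=SCAN_THRESHOLD):
    """Hosts that touched >= threshold distinct peers on TCP/445 and pinged
    them first. Returns {scanner: {"targets": n, "pinged_first": m}}."""
    pinged = defaultdict(set)  # src -> peers it sent an echo request to
    smb = defaultdict(set)     # src -> peers it connected to on 445
    for f in flows:
        if f.proto == "icmp":
            pinged[f.src].add(f.dst)
        elif f.proto == "tcp" and f.dport == 445:
            smb[f.src].add(f.dst)
    report = {}
    for src, peers in smb.items():
        if len(peers) >= threshold:
            report[src] = {"targets": len(peers),
                           "pinged_first": len(peers & pinged[src])}
    return report


def infection_chains(flows):
    """(attacker, victim) pairs where attacker->victim:445 precedes
    attacker->victim:1022, which precedes victim->attacker:1023. That
    round trip is the worm's own transfer path and is a high-confidence hit."""
    first = {}  # (src, dst, dport) -> earliest timestamp
    for f in flows:
        if f.proto == "tcp":
            key = (f.src, f.dst, f.dport)
            first[key] = min(first.get(key, f.ts), f.ts)
    chains = []
    for (a, v, port), t445 in first.items():
        if port != 445:
            continue
        t_shell = first.get((a, v, SHELL_PORT))
        t_ftp = first.get((v, a, FTP_PORT))
        if t_shell is not None and t_ftp is not None and t445 <= t_shell <= t_ftp:
            chains.append((a, v))
    return sorted(chains)


if __name__ == "__main__":
    flows = build_sample_flows()
    print(sasser_scanners(flows))
    print(infection_chains(flows))
```

TCP/445 alone is useless as an indicator on a Windows network, so the scanner heuristic requires both volume and the echo-request-before-connect habit that distinguishes this variant, and the chain check requires the full 445 -> 1022 -> 1023 round trip in time order. The chain check is the one to alert on; the scanner list is for triage of hosts that are sweeping but have not yet landed an infection.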


Also Known As:  Worm.Win32.Sasser.d (AVP), W32/Sasser.E.worm (RAV)
Variants:  W32.Sasser.Worm
Type:  Worm
Infection Length:  15,873 bytes
Systems Affected:  Windows 2000, Windows XP
Systems Not Affected:  DOS, Linux, Macintosh, OS/2, UNIX, Windows 3.x, Windows 95, Windows 98, Windows Me, Windows NT

=====

When W32.Sasser.G runs, it does the following:

1. Attempts to create a mutex named SkynetNotice and exits if the attempt fails. This ensures that no more than one instance of the worm runs on a computer at any time.

2. Copies itself as %Windir%\lsasss.exe.

--------------------------------------------------------------------------------
Note: %Windir% is a variable. The worm locates the Windows installation folder (by default C:\Windows or C:\Winnt) and copies itself to that location. The file name has an extra "s" so that it resembles the legitimate Lsass.exe process name.
--------------------------------------------------------------------------------

3. Adds the value:

"lsasss.exe"="%Windir%\lsasss.exe"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the worm runs when Windows starts.

4. Deletes the values:

"ssgrate.exe"
"drvsys.exe"
"Drvddll_exe"

from the registry key:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

--------------------------------------------------------------------------------
Note: The deleted values are known to be installed by Trojan.Mitglieder, W32.Beagle.W@mm, and W32.Beagle.X@mm; the worm removes these competing infections' persistence entries.
--------------------------------------------------------------------------------

5. Calls the AbortSystemShutdown API once every second during its first two hours of running, to hinder attempts to shut down or restart the computer. After two hours it displays a message with the following text:

1. Your computer is affected by the MS04-011 vulnerability
2. It can be that dangerous computer viruses similar the Blaster worm infect your computer
3. Please update your computer with the MS04-011 LSASS patch from the www.microsoft.com website
4. This is an message from the SkyNet Team for malicious activity prevention

6. Starts an FTP server on TCP port 1023. This server serves copies of the worm to the hosts it compromises.

7. Retrieves the IP addresses of the infected computer using the Windows API gethostbyname.

--------------------------------------------------------------------------------
Note: The worm ignores any of its own addresses in the following ranges:
127.0.0.1
10.x.x.x
172.16.x.x - 172.31.x.x (inclusive)
192.168.x.x
169.254.x.x
--------------------------------------------------------------------------------

8. Generates another IP address, based on one of the IP addresses retrieved in step 7:

25% of the time, the last two octets of the IP address are changed to random numbers. For example, if A.B.C.D is the IP address retrieved in step 7, C and D will be random.
23% of the time, the last three octets of the IP address are changed to random numbers. For example, if A.B.C.D is the IP address retrieved in step 7, B, C, and D will be random.
52% of the time, the IP address is completely random.

--------------------------------------------------------------------------------
Notes:
Because the worm creates a completely random address 52% of the time, any IP address can be targeted, including those in the ranges ignored in step 7.
This scanning runs in 128 threads and demands a lot of CPU time. As a result, an infected computer may become so slow that it is barely usable.
--------------------------------------------------------------------------------

9. Pings the remote address and, if the ping succeeds, connects to TCP port 445 to determine whether the remote computer is online.

10. If a connection is made to the remote computer, sends it shellcode that exploits the LSASS vulnerability, which may cause the remote computer to open a remote shell on TCP port 1022.

11. Uses the shell on the remote computer to connect back to the infected computer's FTP server on TCP port 1023 and retrieve a copy of the worm. The copy has a name consisting of four or five digits followed by _update.exe, for example 74354_update.exe.

12. The Lsass.exe process on the remote computer crashes after the worm exploits the LSASS vulnerability. Windows displays an alert and shuts the computer down after one minute.

13. Creates the file C:\ftplog.txt, which contains the IP address of the computer the worm most recently attempted to infect and the number of infected computers.
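Steps 7 and 8 together define the worm's target selection, and the note to step 8 makes a point that is easy to miss: the private-range check only filters the worm's own addresses, never the targets it generates. The model below is an added example for this page, not the worm's code; the percentages and address ranges come from the steps above, while the RNG, its seeding, and uniform randomisation of each octet are assumptions about a routine the alert does not publish.

```python
"""Model of how Sasser.G picks scan targets (step 8) and which of its own
addresses it refuses to use as a base (step 7). Added example; the
percentages and ranges are from the alert, the RNG and uniform octet
randomisation are assumptions about an unpublished routine."""
import ipaddress
import random

# Local addresses the worm ignores when choosing a base (step 7).
IGNORED_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.1/32", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16")]


def in_ignored_range(addr):
    a = ipaddress.ip_address(addr)
    return any(a in net for net in IGNORED_NETS)


def usable_bases(local_addrs):
    """Filter a host's own addresses the way step 7 does."""
    return [a for a in local_addrs if not in_ignored_range(a)]


def next_target(base, rng):
    """Derive one scan target from base A.B.C.D using the step 8 split."""
    a, b, c, d = (int(x) for x in base.split("."))
    roll = rng.random()
    if roll < 0.25:                       # 25%: keep A.B, randomise C.D
        c, d = rng.randrange(256), rng.randrange(256)
    elif roll < 0.48:                     # 23%: keep A, randomise B.C.D
        b, c, d = (rng.randrange(256) for _ in range(3))
    else:                                 # 52%: fully random address
        a, b, c, d = (rng.randrange(256) for _ in range(4))
    return f"{a}.{b}.{c}.{d}"


def bucket(base, target):
    """Bucket a target by the prefix it shares with the base."""
    b, t = base.split("."), target.split(".")
    if b[:2] == t[:2]:
        return "same_16"
    if b[0] == t[0]:
        return "same_8"
    return "random"


def sample_distribution(base, n, seed=0):
    """Empirical share of each bucket over n targets (deterministic per seed)."""
    rng = random.Random(seed)
    counts = {"same_16": 0, "same_8": 0, "random": 0}
    for _ in range(n):
        counts[bucket(base, next_target(base, rng))] += 1
    return {k: v / n for k, v in counts.items()}


def targets_in_ignored_ranges(base, n, seed=0):
    """How many of n targets land in the ranges step 7 skips. Non-zero,
    because the fully random branch is never filtered (note to step 8)."""
    rng = random.Random(seed)
    return sum(in_ignored_range(next_target(base, rng)) for _ in range(n))


if __name__ == "__main__":
    print(usable_bases(["127.0.0.1", "10.1.2.3", "172.20.0.5", "203.0.113.5"]))
    print(sample_distribution("203.0.113.5", 20000))
    print(targets_in_ignored_ranges("203.0.113.5", 20000))
```

Two consequences fall out of the model. The 25% same-/16 share is why a single infected host saturates its own LAN within minutes, and the 52% fully random share is why RFC 1918 networks are not protected by the step 7 filter: roughly 0.4% of IPv4 space lies in those ranges, so a few dozen of every 20,000 targets land there regardless. Blocking TCP/445 at network boundaries and applying the MS04-011 patch are the controls; relying on the worm's own exclusion list is not.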
