Paris
4 May 2004, 13:36
Net proffesionals now detect a new worm: it is called "Sasser", "Sasser.A", "Sasser.B", "Sasser.C", "Sasser.D".
For all WINDOWS O/S users: The vulnerability used by Sasser is caused by a buffer overrun in the Windows' Local Security Authority Subsystem Service, and will affect all machines that are:
- Running Windows XP or Windows 2000
- Haven't been patched against this vulnerability
- Are connected to the internet without a firewall
It scans random IP addresses, targeting TCP port 445.
After infection it opens a shell that listens on TCP port 9996.
And then downloads the actual worm code through a FTP connection at TCP port 5554.
The REMOVAL TOOLS are locating in the following IP addreses:
1) http://securityresponse.symantec.com/avcenter/FxSasser.exe (Symantec/Norton Antivirus)
2) http://www.f-secure.com/tools/f-sasser.exe (F-Secure)
Please use them immediately and don't forget to visit Microsoft's webpage for the latest reviews and WINDOWS UPDATE Center.
For all WINDOWS O/S users: The vulnerability used by Sasser is caused by a buffer overrun in the Windows' Local Security Authority Subsystem Service, and will affect all machines that are:
- Running Windows XP or Windows 2000
- Haven't been patched against this vulnerability
- Are connected to the internet without a firewall
It scans random IP addresses, targeting TCP port 445.
After infection it opens a shell that listens on TCP port 9996.
And then downloads the actual worm code through a FTP connection at TCP port 5554.
The REMOVAL TOOLS are locating in the following IP addreses:
1) http://securityresponse.symantec.com/avcenter/FxSasser.exe (Symantec/Norton Antivirus)
2) http://www.f-secure.com/tools/f-sasser.exe (F-Secure)
Please use them immediately and don't forget to visit Microsoft's webpage for the latest reviews and WINDOWS UPDATE Center.