seems as if w32.blaster is sort of having a descendant...
W32.Sasser.B.Worm is a variant of W32.Sasser.Worm. It attempts to exploit the LSASS vulnerability described in
Microsoft Security Bulletin MS04-011. This worm spreads by scanning randomly selected IP addresses for vulnerable systems.
When W32.Sasser.B.Worm runs, it does the following:
Attempts to create a mutex named JumpallsNlsTillt and exits if the attempt fails. This ensures that no more than one instance of the worm can run on a computer at any time.
Attempts to create a mutex named Jobaka3. This mutex does not serve any apparent purpose.
Copies itself as %Windir%\Avserve2.exe.
--------------------------------------------------------------------------------
Note: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
--------------------------------------------------------------------------------
Adds the value:
"avserve2.exe"="%Windir%\avserve2.exe"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the worm runs when you start Windows.
Uses the AbortSystemShutdown API to hinder attempts to shut down or restart the computer.
Starts an FTP server on TCP port 5554. This server is used to spread the worm to other hosts.
Iterates through all the host's IP addresses, looking for an address that is not in any of the following ranges:
127.0.0.1
10.x.x.x
172.16.x.x - 172.31.x.x (inclusive)
192.168.x.x
169.254.x.x
Using one such address as a base, the worm then generates a random target IP address:
52% of the time, the IP address is completely random.
23% of the time, the last three octets are changed to random numbers.
25% of the time, the last two octets are changed to random numbers.
--------------------------------------------------------------------------------
Notes:
An octet is an 8-bit section of an IP address. For example, if A.B.C.D is an IP address, A is the first octet, B is the second, C is the third, and D is the fourth.
Because the worm can create completely random addresses, any IP range can be infected.
This process is composed of 128 threads, which demands a lot of CPU time. As a result, an infected computer may become so slow that it is barely usable.
--------------------------------------------------------------------------------
Connects to the randomly generated IP address on TCP port 445 to determine whether a remote computer is online.
If a connection is made to a remote computer, the worm will send shell code to it, which may cause it to open a remote shell on TCP port 9996.
Uses the shell on the remote computer to reconnect to the infected computer's FTP server, running on TCP port 5554, and to retrieve a copy of the worm. This copy will have a name consisting of four or five digits, followed by _up.exe. For example, 74354_up.exe.
The Lsass.exe process will crash after the worm exploits the Windows LSASS vulnerability. Windows then displays an alert and shuts the system down after one minute.
Creates a file at C:\win2.log that contains the IP address of the computer that the worm most recently attempted to infect, as well as the number of infected computers.
----------------------------------------------------------
W32.Sasser.B.Worm can run on, but not infect, Windows 95/98/Me computers. Although these operating systems cannot be infected, they can still be used to infect the vulnerable systems to which they are able to connect. In this case, the worm consumes so many resources that programs, including the removal tool, cannot run properly. (On Windows 95/98/Me computers, the tool should be run in Safe mode.)
------------------------------------------------------------
to remove the worm from your xp/2000-system:
1. get the removal tool from
securityresponse.symantec.com/avcenter/FxSasser.exe
2. get the latest MS patch
www.microsoft.com/downloads/details.aspx?FamilyId=3549EA9E-DA3F-43B9-A4F1-AF243B6168F3&displaylang=en
3. disconnect from the internet
4. run the removal tool
5. run the microsoft patch
6. restart. you will likely need to repair your registry after your system has been cleaned. follow symantec's instructions @
securityresponse.symantec.com/avcenter/venc/data/w32.sasser.b.worm.html#removalinstructions
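The scanning and propagation steps described above (excluded base ranges, the 52/23/25 target mutation, the 445 probe, the shell on 9996 and the FTP pull of NNNNN_up.exe from 5554) are enough to model what an infected host looks like on the wire and to detect it. The following is an added example, not Symantec's description, the poster's text or the worm's own code: it uses only the constants stated above; the connection-record format, the fan-out threshold, the sample addresses (TEST-NET ranges 198.51.100.0/24 and 203.0.113.0/24) and the simulated traffic are constructed assumptions.

```python
"""Model of W32.Sasser.B target selection plus a log-based detector for its
propagation traffic. Added example; only the ranges, ports, percentages and
filename pattern come from the write-up above, everything else is assumed."""
import ipaddress
import random
import re
from collections import defaultdict

# Ranges the worm skips when choosing a base address (from the write-up).
EXCLUDED = [ipaddress.ip_network(n) for n in (
    "127.0.0.1/32", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16")]

# Probability (percent) of each mutation of the base address (from the write-up).
MODES = (("random", 52), ("last3", 23), ("last2", 25))

SCAN_PORT, SHELL_PORT, FTP_PORT = 445, 9996, 5554
UP_EXE = re.compile(r"\b\d{4,5}_up\.exe\b")   # e.g. 74354_up.exe


def is_excluded(ip: str) -> bool:
    """True if ip lies in a range the worm will not use as its base address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EXCLUDED)


def choose_base(host_ips):
    """First host address outside the excluded ranges, or None."""
    return next((ip for ip in host_ips if not is_excluded(ip)), None)


def mutate(base: str, mode: str, rng: random.Random) -> str:
    """Randomise the whole address, or only its last three / two octets."""
    octets = base.split(".")
    keep = {"random": 0, "last3": 1, "last2": 2}[mode]
    return ".".join(octets[:keep] + [str(rng.randrange(256)) for _ in range(4 - keep)])


def pick_target(base: str, rng: random.Random) -> str:
    """One scan target drawn with the 52/23/25 distribution above."""
    mode = rng.choices([m for m, _ in MODES], weights=[w for _, w in MODES])[0]
    return mutate(base, mode, rng)


def simulate_scan(base, n, rng, start_ts=0.0, rate=10.0):
    """Constructed connection records (ts, src, dst, dport, payload) for n
    probes from an infected host at `rate` probes per second (assumed rate)."""
    return [(start_ts + i / rate, base, pick_target(base, rng), SCAN_PORT, None)
            for i in range(n)]


def detect_sasser(records, fanout_threshold=20, window=60.0):
    """Flag hosts whose traffic matches the propagation sequence.
    records: iterable of (ts, src, dst, dport, payload) for TCP connections.
    Returns {host: set(indicator)}; an empty dict when nothing matches."""
    findings = defaultdict(set)
    probes = defaultdict(list)                 # src -> [(ts, dst)] on port 445
    for ts, src, dst, dport, payload in records:
        if dport == SCAN_PORT:
            probes[src].append((ts, dst))
        elif dport == SHELL_PORT:
            findings[dst].add("shell_9996")     # victim: shell opened by the exploit
            findings[src].add("exploit_source") # infector driving that shell
        elif dport == FTP_PORT and UP_EXE.search(payload or ""):
            findings[dst].add("ftp_5554_up_exe")  # infector serving its copy
            findings[src].add("pulled_up_exe")    # new victim fetching it
    # Fan-out: many distinct port-445 destinations from one source within `window`.
    for src, hits in probes.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            distinct = {d for t, d in hits[i:] if t - t0 <= window}
            if len(distinct) >= fanout_threshold:
                findings[src].add("port445_fanout")
                break
    return dict(findings)


if __name__ == "__main__":
    rng = random.Random(2004)
    base = choose_base(["127.0.0.1", "192.168.0.5", "198.51.100.7"])  # constructed host
    targets = [pick_target(base, rng) for _ in range(10000)]
    same16 = sum(t.startswith("198.51.") for t in targets) / len(targets)
    print(f"base {base}: {same16:.0%} of targets share its /16")  # about 25%
    recs = simulate_scan(base, 200, rng)
    recs += [(30.0, base, "203.0.113.9", SHELL_PORT, None),
             (31.0, "203.0.113.9", base, FTP_PORT, "RETR 74354_up.exe")]
    for host, inds in sorted(detect_sasser(recs).items()):
        print(host, sorted(inds))
```

Two things worth noticing when you run it: about a quarter of all probes stay inside the infected host's own /16 (the "last two octets" mode), which is why a single infected machine saturates its campus network long before it finds much on the Internet, and why a port-445 fan-out rule scoped to the local /16 is a strong early signal; and the 5554/9996 indicators point in opposite directions (the infector is the destination of the FTP pull but the source of the shell connection), so attribute findings per host rather than per flow.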