When W32.Sasser.B.Worm runs, it does the following: 1. Attempts to create a mutex named JumpallsNlsTillt and exits if the attempt fails. This ensures that no more than one instance of the worm can run on a computer at any time. 2. Attempts to create a mutex named Jobaka3. This mutex does not serve any apparent purpose. 3. Copies itself as %Windir%\Avserve2.exe. Note: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location. 4. Adds the value: "avserve2.exe"="%Windir%\avserve2.exe" to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run so that the worm runs when you start Windows. 5. Uses the AbortSystemShutdown API to hinder the attempts to shut down or restart the computer. 6. Starts an FTP server on TCP port 5554. This server is used to spread the worm to other hosts. 7. Retrieves the IP addresses of the infected computer, using the Windows API, gethostbyname. Note: The worm will ignore any of the following IP addresses: * 127.0.0.1 * 10.x.x.x * 172.16.x.x - 172.31.x.x (inclusive) * 192.168.x.x * 169.254.x.x 8. Generates another IP address, based on one of the IP addresses retrieved from the infected computer. * 25% of the time, the last two octets of the IP address are changed to random numbers. For example, if A.B.C.D is the IP address retrieved in step 7, C and D will be random. * 23% of the time, the last three octets of the IP address are changed to random numbers. For example, if A.B.C.D is the IP address retrieved in step 7, B, C, and D will be random. * 52% of the time, the IP address is completely random. Notes: * Because the worm creates completely random addresses 52% of the time, any IP address can be infected, including those ignored in step 7. * This process is made up of 128 threads, which demands a lot of CPU time. As a result, an infected computer may become so slow and barely usable. 9. Connects to the generated IP address on TCP port 445 to determine whether a remote computer is online. 10. If a connection is made to a remote computer, the worm will send shell code to it, which may cause it to open a remote shell on TCP port 9996. 11. Uses the shell on the remote computer to reconnect to the infected computer's FTP server, running on TCP port 5554, and to retrieve a copy of the worm. This copy will have a name consisting of four or five digits, followed by _up.exe. For example, 74354_up.exe. 12. The Lsass.exe process will crash after the worm exploits the Windows LSASS vulnerability. Windows will display the alert and shut down the system in one minute. 13. Creates a file at C:\win2.log that contains the IP address of the computer that the worm most recently attempted to infect, as well as the number of infected computers. Before you begin: If you are running Windows 2000 or XP, and have not yet done so, you must patch for the vulnerability described in Microsoft Security Bulletin MS04-011. If you do not, it is likely that your computer will continue to be re-infected. What to do if the computer shuts down before you can patch or get the tool This threat can cause Windows to keep shutting down and restarting. This can prevent you from installing the Microsoft patch or downloading the tool described below. To prevent the shut down, do the following. (You may have to try this several times, as you only have about 20 seconds to do steps 3 to 6.) (This will not work on Windows 2000.) 1. Disconnect the computer from the network/Internet connection. (Disconnect the cable if necessary.) 2. Restart the computer. 3. As soon as Windows opens and you see the Windows desktop, click Start > Run. 4. Type: cmd and press Enter. 5. Type: shutdown -i and press Enter. 6. In the Remote Shutdown Dialog that opens, do the following: Click Add and type your computer name into the appeared window. Then click OK. In the "Display warning for Seconds" field, type 9999 in place of the default value of 20. Type any message in the Comment box. Click OK. 7. Reconnect the network/Internet connection. 8. Connect to the Internet, and get the patch. Then continue with the steps described below. This gives you about three hours to get the patch installed, update the definitions, and so on. When you have patched for and removed the threat, you can re-enable the 20-second default warning if you want to. To reverse the change made to the registry WARNING: We strongly recommend that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions. 1. Click Start, and then click Run. (The Run dialog box appears.) 2. Type regedit Then click OK. (The Registry Editor opens.) 3. Navigate to the key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run 4. In the right pane, delete the value: "avserve2.exe"="%Windir%\avserve2.exe" 5. Exit the Registry Editor.