For a few days this virus has been circulating; it disables Norton Antivirus and, when the PC reboots, shows this error:
W32.Sasser.Worm is a worm that attempts to exploit the MS04-011 vulnerability. It spreads by scanning randomly-chosen IP addresses for vulnerable systems.
Systems Affected: Windows 2000, Windows Server 2003, Windows XP
Systems Not Affected: Linux, Macintosh, Novell Netware, OS/2, UNIX, Windows 95, Windows 98, Windows Me, Windows NT
Technical details (taken from Norton's site):
When W32.Sasser.Worm runs, it does the following:
1. Attempts to create a mutex called Jobaka3l and exits if the attempt fails. This ensures that no more than one instance of the worm can run on the computer at any time.
2. Copies itself as %Windir%\avserve.exe. (* avserve2.exe in the case of variant B)
Note: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
3. Adds the value:
"avserve.exe"="%Windir%\avserve.exe" (* as above)
to the registry key:
so that the worm runs when you start Windows.
4. Uses the AbortSystemShutdown API to hinder attempts to shut down or restart the computer.
5. Starts an FTP server on TCP port 5554. This server is used to spread the worm to other hosts.
6. Attempts to connect to randomly-generated IP addresses on TCP port 445. If a connection is made to a computer, the worm sends shellcode to that computer which may cause it to run a remote shell on TCP port 9996. The worm then uses the shell to cause the computer to connect back to the FTP server on port 5554 and retrieve a copy of the worm. This copy will have a name consisting of 4 or 5 digits followed by _up.exe (eg 74354_up.exe).
The IP addresses generated by the worm are distributed as follows:
+ 50% are completely random
+ 25% have the same first octet as the IP address of the infected host
+ 25% have the same first and second octet as the IP address of the infected host.
The worm starts 128 threads that scan randomly-chosen IP addresses. This demands a lot of CPU time and as a result an infected computer may be so slow as to be barely useable.
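The write-up above gives a defender several host-side indicators: the two file names, the Run-key value, the listening ports 5554 and 9996, the `NNNNN_up.exe` naming pattern, and the 50/25/25 octet distribution of the addresses an infected host probes on TCP 445. The following Python is an added example (not code from the original post or from Symantec) that checks constructed samples of a `netstat -an` listing, a directory listing, a Run-key dump and an outbound-connection log against those indicators; the sample data and the function names are assumptions made for illustration.

```python
import re
from ipaddress import ip_address

# Indicators taken from the quoted Symantec description.
WORM_BINARIES = {"avserve.exe", "avserve2.exe"}   # variant A / variant B
WORM_PORTS = {5554, 9996}                         # FTP server / remote shell
# Retrieved copy: 4 or 5 digits followed by _up.exe, e.g. 74354_up.exe
UPLOAD_NAME = re.compile(r"^\d{4,5}_up\.exe$", re.IGNORECASE)

# Constructed sample data (not real captures).
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135          0.0.0.0:0       LISTENING",
    "  TCP    0.0.0.0:445          0.0.0.0:0       LISTENING",
    "  TCP    0.0.0.0:5554         0.0.0.0:0       LISTENING",
    "  TCP    0.0.0.0:9996         0.0.0.0:0       LISTENING",
    "  TCP    192.168.1.10:1043    10.2.3.4:445    SYN_SENT",
]
SAMPLE_FILES = ["avserve.exe", "74354_up.exe", "notepad.exe", "12_up.exe"]
SAMPLE_RUN = {
    "avserve.exe": r"C:\WINDOWS\avserve.exe",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}
SAMPLE_DSTS = ["192.168.7.5", "192.0.2.9", "10.1.1.1", "192.168.200.1"]


def scan_netstat(lines):
    """Return the worm-related ports found in LISTENING state.

    Expects Windows `netstat -an` rows: Proto, Local, Foreign, State."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0].upper() != "TCP":
            continue
        local, state = parts[1], parts[3]
        port = int(local.rsplit(":", 1)[1])
        if port in WORM_PORTS and state.upper() == "LISTENING":
            hits.append(port)
    return sorted(hits)


def scan_files(names):
    """Return file names matching the worm binary or its _up.exe copies."""
    return sorted(n for n in names
                  if n.lower() in WORM_BINARIES or UPLOAD_NAME.match(n))


def scan_run_key(values):
    """values: Run-key value name -> data. Flags entries naming the worm
    either by value name or by the executable at the end of the path."""
    flagged = []
    for name, data in values.items():
        exe = data.lower().rsplit("\\", 1)[-1]
        if name.lower() in WORM_BINARIES or exe in WORM_BINARIES:
            flagged.append(name)
    return sorted(flagged)


def scan_profile(src_ip, dst_ips):
    """Bucket outbound 445 targets by octet overlap with the source host.

    The description says 25% share the first two octets, 25% share only
    the first octet and 50% are random; a host whose outbound 445
    traffic shows roughly that shape is worth a closer look."""
    src = ip_address(src_ip).packed
    buckets = {"same_first_two": 0, "same_first_only": 0, "random": 0}
    for dst in dst_ips:
        d = ip_address(dst).packed
        if d[:2] == src[:2]:
            buckets["same_first_two"] += 1
        elif d[0] == src[0]:
            buckets["same_first_only"] += 1
        else:
            buckets["random"] += 1
    return buckets


if __name__ == "__main__":
    print("listening worm ports:", scan_netstat(SAMPLE_NETSTAT))
    print("suspicious files:", scan_files(SAMPLE_FILES))
    print("suspicious Run values:", scan_run_key(SAMPLE_RUN))
    print("445 target profile:", scan_profile("192.168.1.10", SAMPLE_DSTS))
```

Any single hit is only a lead, not a verdict: the FTP and shell ports could be reused by other software, so the file and Run-key checks are the ones to confirm against before cleaning a machine.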