NUEVO VIRUS BOBAX QUE UTILIZA EL AGUJERO LSASS (MS04-011)

msc hotline sat
Posts: 93500
Joined: 09 Mar 2004, 20:39
Location: BARCELONA (SPAIN)

Post by msc hotline sat » 17 May 2004, 16:46

Viruses that exploit the LSASS buffer overflow hole are in fashion: starting with SASSER, followed by Cycle, then Kibuv and now BOBAX.

Now, faced with two new variants of the same virus, BOBAX, and although we have not yet had any incidents, we recommend applying the Microsoft patches to all machines running NT-technology operating systems (XP and W2000). Although fewer and fewer computers remain unpatched each day, we especially recommend doing so given that this hole is being used by more and more new viruses.

List of viruses known to date that use this LSASS vulnerability (patch MS04-011):

SASSER A, B, C, D, E, F and G

CYCLE A, B

KIBUV A, B

BOBAX

With all of them, applying the patches (especially MS04-011) prevents their entry, and in our ELILSA.EXE utility we keep adding the corresponding removal routines.

For the new BOBAX we are passing along McAfee's description in advance; it can be controlled from now on with the daily DATs by running SDATDAILY.EXE.



__________________________________________



Virus Name: W32/Bobax.worm.a

Risk Assessment: Corporate User: Low / Home User: Low







Virus Information

Discovery Date: 05/17/2004

Origin: Unknown

Length: 20,480 bytes (EXE), 17,920 bytes (DLL)

Type: Virus

SubType: Internet Worm

Minimum DAT: 4361 (05/19/2004)

Updated DAT: 4361 (05/19/2004)

Minimum Engine: 4.2.40

Description Added: 05/17/2004

Description Modified: 05/17/2004 7:28 AM (PT)


Virus Characteristics:

This self-executing worm spreads by exploiting a Microsoft Windows vulnerability [MS04-011 vulnerability (CAN-2003-0533)].



Note: Users should install the Microsoft update to be protected from the exploit used by this worm. See:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

The worm spreads with a random filename. When run, it drops a DLL which it injects into the EXPLORER.EXE process. The DLL contains the main worm's functionality.


Symptoms

The virus copies itself to the %SysDir% directory using a random filename. It adds a Registry key in order to load itself at system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"(random string)" = %SysDir%\(random filename).exe

(Where %SysDir% is the System directory, for example: C:\WINDOWS\SYSTEM32.)



When executed, the worm executable drops a DLL into the temporary directory, and injects the DLL into the EXPLORER.EXE process. A side effect of this injection is that EXPLORER.EXE may unexpectedly terminate on the victim machine.



Another side effect of this worm is that LSASS.EXE may crash on attacked machines. By default such a system will reboot after the crash occurs. The following window may be displayed:


Method Of Infection

Initial analysis suggests the worm scans IP ranges looking for exploitable machines. If found, a buffer in LSASS.EXE is overflowed in order to create a remote shell. Then the worm is downloaded from the attacking host via HTTP.



Please note: this worm is still under analysis and the description will be updated once complete.


Removal Instructions

Detection and removal is included in our DAILY DAT (beta) files and will also be included in the next weekly DAT release. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.





__________________________________________

regards



ms, 17-05-2004
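As an added defender-side example (not part of the original post nor of McAfee's description), the following PowerShell script audits the HKLM Run key for the persistence pattern the Symptoms section describes: a value whose data points at an .exe sitting directly in the System directory under a name that is not on an allow-list. The function names, the allow-list contents and the sample entries are constructed for illustration and are not taken from the post.

```powershell
# Added example: audit Run-key entries for an .exe dropped directly in the
# System directory under an unfamiliar name (the pattern described above).
# Not McAfee's or the forum's code; names below are hypothetical.

# Hypothetical allow-list of Run-key value names you have verified on your build.
$KnownRunNames = @('ctfmon', 'SecurityHealth')

function Test-RunEntryInSystemDir {
    param(
        [Parameter(Mandatory)] [string] $Data,
        [string] $SystemDir = [Environment]::SystemDirectory
    )
    # Isolate the executable path: strip a quoted path, or take the first token.
    $path = $Data.Trim()
    if ($path.StartsWith('"')) {
        $end = $path.IndexOf('"', 1)
        if ($end -gt 0) { $path = $path.Substring(1, $end - 1) }
    } else {
        $path = ($path -split '\s+')[0]
    }
    # Expand real variables such as %SystemRoot% so the comparison uses the actual path.
    $path = [Environment]::ExpandEnvironmentVariables($path)
    $parent = Split-Path -Path $path -Parent
    return ($parent -and
            [string]::Equals($parent.TrimEnd('\'), $SystemDir.TrimEnd('\'), 'OrdinalIgnoreCase') -and
            $path.ToLower().EndsWith('.exe'))
}

function Get-SuspiciousRunEntries {
    param(
        [Parameter(Mandatory)] [hashtable] $Entries,
        [string] $SystemDir = [Environment]::SystemDirectory
    )
    foreach ($name in $Entries.Keys) {
        if ($KnownRunNames -contains $name) { continue }
        if (Test-RunEntryInSystemDir -Data $Entries[$name] -SystemDir $SystemDir) {
            [pscustomobject]@{ Name = $name; Data = $Entries[$name] }
        }
    }
}

# Constructed sample of a Run key; the random-looking name is made up.
$sample = @{
    'ctfmon'  = 'C:\WINDOWS\SYSTEM32\ctfmon.exe'
    'zxtqhw'  = 'C:\WINDOWS\SYSTEM32\zxtqhw.exe'
    'Updater' = '"C:\Program Files\Vendor\updater.exe" /silent'
}
# Only 'zxtqhw' is reported: unknown name, .exe directly in the System directory.
Get-SuspiciousRunEntries -Entries $sample -SystemDir 'C:\WINDOWS\SYSTEM32' | Format-Table -AutoSize

# Live check against this machine's Run key (Windows only).
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    $live = @{}
    $item = Get-ItemProperty -Path $runKey
    foreach ($p in $item.PSObject.Properties) {
        # Skip the provider's own PSPath/PSParentPath/... properties.
        if ($p.Name -notmatch '^PS') { $live[$p.Name] = [string]$p.Value }
    }
    Get-SuspiciousRunEntries -Entries $live | Format-Table -AutoSize
}
```

The sample block runs on any PowerShell host; the live block only does something on Windows. Extend the allow-list with the Run entries that legitimately exist on your build, and treat a hit as a lead to verify (file hash, signer, creation time, matching DAT detection) rather than a verdict, since legitimate software also installs into System32.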
