sasser: find infected machine on network


Gixxer
May 13th, 2004, 04:28 PM
hey guys

We (just like a lot of companies) got caught sleeping. We were hit yesterday by the sasser virus. Most of our machines have the MS security patch now and are protected. We have found that if we take a machine off the network (physically) it will not do the reboot. Leads me to believe that some infected machine on the network is broadcasting some sort of shutdown command to the rest. Is this what I have read about "broadcasting over port 5544"? Is there a way that I could find on our network what machine is doing this broadcast to the others? Mind you, we do not have a sniffer in place.

Thanks in advance.

SirDice
May 13th, 2004, 04:34 PM
What happens when sasser hits is it overflows some buffer inside LSASS.exe. This overflow is exploitable. A side effect of this overflow is the crashing of LSASS. Because LSASS is an important process for Windows, Windows decides to shut down.

As for detecting sasser look for large amounts of ICMP traffic. An infected machine will try to ping a host before attempting to infect.

MrLinus
May 13th, 2004, 04:34 PM
Download and install a sniffer. TCPDUMP (http://www.tcpdump.org) is the more common version for *nix installs and WinDUMP (http://windump.polito.it/) is the version for Windows (both are Open Source). These, IMO, would be the easiest solution and fastest. You could also go for the graphical version by installing Ethereal (http://www.ethereal.com) (available both in windows and *nix format).

Alternatives would be to have an IDS up and running to detect attacks within the network. This would be more a long term solution. A look at SNORT (http://www.snort.org) would probably help.

thehorse13
May 13th, 2004, 05:04 PM
A very easy way to find infected hosts (notice I didn't say vulnerable) is to DL Angry IP Scanner and search your subnets for machines with ports 5554, 9995 and 9996 TCP open. You can then clean them, patch them and move on to better things.

http://www.angryziber.com/ipscan/
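The two detection heuristics in this thread (SirDice's "lots of ICMP from one host" and thehorse13's "5554/9995/9996 open") can be checked passively against sniffer output. The script below is an added example, not code from any poster; it assumes tcpdump-style text lines (the sample capture is constructed) and flags a host that pings many distinct neighbours or that answers SYN/ACK from one of the Sasser ports.

```python
import re
from collections import defaultdict

# Ports the thread says an infected host leaves listening.
SASSER_LISTEN_PORTS = {5554, 9995, 9996}

# Constructed sample in tcpdump's text format (not a real capture).
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 10.0.0.5 > 10.0.0.1: ICMP echo request, id 1, seq 1, length 64
12:00:01.000002 IP 10.0.0.5 > 10.0.0.2: ICMP echo request, id 1, seq 2, length 64
12:00:01.000003 IP 10.0.0.5 > 10.0.0.3: ICMP echo request, id 1, seq 3, length 64
12:00:01.000004 IP 10.0.0.5 > 10.0.0.4: ICMP echo request, id 1, seq 4, length 64
12:00:01.000005 IP 10.0.0.5 > 10.0.0.6: ICMP echo request, id 1, seq 5, length 64
12:00:02.000001 IP 10.0.0.9 > 10.0.0.1: ICMP echo request, id 7, seq 1, length 64
12:00:03.000001 IP 10.0.0.5.5554 > 10.0.0.20.1042: Flags [S.], seq 0, ack 1, win 65535, length 0
12:00:03.000002 IP 10.0.0.20.1042 > 10.0.0.5.5554: Flags [.], ack 1, win 65535, length 0
12:00:04.000001 IP 10.0.0.9.80 > 10.0.0.20.1043: Flags [S.], seq 0, ack 1, win 65535, length 0
"""

ICMP_RE = re.compile(r"IP (\S+) > (\S+): ICMP echo request")
# A SYN/ACK ("[S.]") sent *from* a port proves something is listening there.
SYNACK_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > \S+: Flags \[S\.\]")

def ping_sources(capture, min_targets=4):
    """Sources that pinged at least min_targets distinct hosts -> count."""
    targets = defaultdict(set)
    for line in capture.splitlines():
        m = ICMP_RE.search(line)
        if m:
            targets[m.group(1)].add(m.group(2))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}

def listening_on_sasser_ports(capture):
    """Hosts seen answering SYN/ACK from 5554/9995/9996 -> sorted ports."""
    found = defaultdict(set)
    for line in capture.splitlines():
        m = SYNACK_RE.search(line)
        if m and int(m.group(2)) in SASSER_LISTEN_PORTS:
            found[m.group(1)].add(int(m.group(2)))
    return {host: sorted(p) for host, p in found.items()}

def suspect_hosts(capture, min_targets=4):
    """Combine both heuristics: host -> list of reasons it was flagged."""
    reasons = defaultdict(list)
    for src, n in ping_sources(capture, min_targets).items():
        reasons[src].append(f"pinged {n} distinct hosts")
    for host, ports in listening_on_sasser_ports(capture).items():
        reasons[host].append(f"listening on {ports}")
    return dict(reasons)

if __name__ == "__main__":
    for host, why in suspect_hosts(SAMPLE_CAPTURE).items():
        print(host, "->", "; ".join(why))
```

The port check only fires when the capture happens to contain a connection to one of those ports; if it does not, the active scan thehorse13 describes is the way to confirm.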

SDK
May 13th, 2004, 11:43 PM
If I remember well, Sasser infects Win XP machines but only crashes Windows 2000 machines without infecting them.

We have found that if we take a machine off the network (physically) it will not do the reboot

Those are Windows 2000 machines?

thehorse13
May 14th, 2004, 12:13 PM
The reason Win2k (or XP for that matter) stops crashing when you remove it from the network is because LSASS is no longer being attacked by the worm.

Win2K machines certainly will become infected if you don't have the current AV signature for whichever AV product that you use.

Machines (XP and W2K) reboot if:

You don't have MS04-011 but you do have an AV signature capable of spotting the worm.

Machines (XP and W2K) become infected if:

You don't have MS04-011 and you don't have an AV signature capable of spotting the worm.