I have a question about the Sasser hole:
how does it work?
And what does it use to get into an unpatched Win XP computer?
I think that is a bit personal.. Sasser will be mostly upset by people asking about his hole...
or
do you mean to ask about the vulnerability in the LSASS service in Windows XP?
You set up a carefully crafted packet.. it crashes the Unpatched Lsass service..
your packet opens a little door for you to drop a little bit of code
and hopefully before the system is shut down.. your code is safely inside the victim's machine
and in the Sasser worm's case.. another copy of Sasser ready to infect another group of boxes..
old hat crap now..
there are several other nastier malware using that vulnerability now..
and a number of sites that describe in detail how it all works.. a careful use of a web search site like www.google.com will help you track these well written articles for your enjoyable reading..
But before you go.. I would recommend a search of the security tutorials on this site.. there will be a story or 2 in there regarding Sasser.. then have a look through the Microsoft Security forums, even the Antivirus forums..
Lots to read.. see ya later
oh and welcome to AO..
Cheers
It spreads by scanning IP addresses for vulnerable systems through ftp port 5554.
It then creates a value: "avserve.exe"=%windows%\avserve.exe in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
By Microsoft's admission though, the patch they released to protect against it can render some systems unbootable!
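A defensive check for the two host indicators named in the post above (the avserve.exe Run value and TCP port 5554), as an added example that is not part of the thread. It parses saved output from `reg query` on the Run key and from `netstat -an`; the function names, the sample text and the C:\WINDOWS path are constructed for illustration.

```python
import re

# Indicators taken from the post above.
RUN_VALUE = "avserve.exe"
FTP_PORT = 5554

# Match avserve.exe only as a whole file name, not as part of a longer name.
FILE_RE = re.compile(r'(?:^|[\\/"])' + re.escape(RUN_VALUE) + r'(?:$|["\s])', re.I)
# A `reg query` value line: <name>    REG_SZ    <data>
VALUE_RE = re.compile(r"^\s+(\S.*?)\s{2,}REG_(?:EXPAND_)?SZ\s{2,}(.*)$")

def check_run_key(reg_output):
    """Return (name, data) for Run entries named or pointing at avserve.exe."""
    hits = []
    for line in reg_output.splitlines():
        m = VALUE_RE.match(line)
        if not m:
            continue  # key header or blank line
        name, data = m.group(1), m.group(2).strip()
        if name.lower() == RUN_VALUE or FILE_RE.search(data):
            hits.append((name, data))
    return hits

def check_listeners(netstat_output, port=FTP_PORT):
    """Return local addresses with a TCP listener on exactly `port`."""
    hits = []
    for line in netstat_output.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0] == "TCP" and f[3] == "LISTENING":
            if f[1].rsplit(":", 1)[-1] == str(port):
                hits.append(f[1])
    return hits

# Constructed sample output (not captured from a real host).
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SoundMan    REG_SZ    SOUNDMAN.EXE
    avserve.exe    REG_SZ    C:\WINDOWS\avserve.exe
"""
SAMPLE_NETSTAT = """
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5554           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:55540          0.0.0.0:0              LISTENING
"""

if __name__ == "__main__":
    print("Run key hits:", check_run_key(SAMPLE_REG))
    print("Listeners on", FTP_PORT, ":", check_listeners(SAMPLE_NETSTAT))
```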
Question..Rachid
Your web page.. what is the purpose of distributing the source code of viruses?
Mind, these seem to be oldies, let's see, Stoned.. ahh those were the days.. Jerusalem.. mmmm the media loved it.. and who can forget Michelangelo... oldies.. but goodies.. classics
pity you didn't do the disassembly yourself..
Quote:
Downloaded From P-80 International Information Systems
as that is all you have there.. are you planning on upgrading the site in any way, like providing your own?
Thank you all very much for helping me. Now I know why this website is so important.
¿ ? ¿ :confused: ¿ ? ¿
Quote:
Originally posted here by Nokia
It spreads by scanning IP addresses for vulnerable systems through ftp port 5554.
Last I remember, that's one of its backdoors that it drops onto the system. An FTP server, I believe. But... it actually propagates through a stack overflow (LSASS MS-RPC vulnerability). I'm not sure, but it may use this to upload itself, but as I mentioned before this would only happen some time after the initial exploitation.
The worm itself had its flaws, which led to another worm that propagated through a buffer overflow in the worm itself, or maybe it was one of the trojans it drops, I believe. I believe this may be what he was referring to.
Hi, thank you all,
and I would like to answer the member UND3RTAK3R:
I changed my website to www.geocities.com/mlink_v1
Please check it, but don't criticize me because I'm still building it.