Full Disclosure mailing list archives
Catching Sasser
From: Shashank Rai <shash () etisalat-nis ae>
Date: Tue, 04 May 2004 11:40:12 +0400
Hi all,

for people who did not have the privilege of getting infected with sasser ;) because of firewall/AV/patch or they are smart enough to use Linux (like me.... hey now no flame war on this *please*), here is a simple way to catch sasser:

Step 1: Scanning for infected machines (from a Linux box):
---------------------------------------------------------
Get doscan from: http://www.enyo.de/fw/software/doscan/
compile n run:

# doscan -A 50 -b 512 -c 100 -i -p 5554 -P tcp -r "200 OK$" -v <IP RANGE>

This will give you list of infected machines.

Step Two: Getting the virus
---------------------------
Copy the following set of commands into a file (or type them from ftp prompt):

---------ftp_commands------
open <infected m/c IP> 5554
anonymous
user
bin
get 7584_up.exe
bye
----------------------

then from cmd prompt of your *windows* machine, run:

c:\>ftp -s:ftp_commands

This will fetch you a copy of the virus as 7584_up.exe. The ftp_commands actually logs into the ftp server of sasser on port 5554 of the infected machine with username "anonymous" and password "user", and then issues a PORT command to download the virus.

====================
PS: USE THIS SET OF INSTRUCTIONS AT YOUR OWN RISK!!!! By EXECUTING THE DOWNLOADED FILE YOU WILL INFECT YOUR SYSTEM. In case you are running any AV with real-time protection features, it should immediately detect the virus!!!

cheers,
--
Shashank Rai
------------
Network and Information Security Team,
Emirates Telecommunication Corporation,
Abu Dhabi, U.A.E.
Ph: +971-2-6182523 Office
+971-50-6670648 Cell
GPG key: http://pgp.cns.ualberta.ca:11371/pks/lookup?op=vindex&search=0x01B79474026E36F5

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
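An added example, not part of the original post: the Step 1 banner check written as a small Python sweep over hosts you administer, using the port (5554) and pattern ("200 OK$") from the post. The function names, the verdict labels and the tolerance for a trailing CRLF are assumptions of this example.

```python
import re
import socket

SASSER_FTP_PORT = 5554                    # port given in the post
# The post's pattern "200 OK$"; allowing trailing CR/LF is an assumption.
BANNER_RE = re.compile(rb"200 OK\s*$")


def read_banner(host, port=SASSER_FTP_PORT, timeout=3.0, limit=512):
    """Return the first line the service sends, or None if unreachable or silent."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            data = b""
            while len(data) < limit and not data.endswith(b"\n"):
                chunk = sock.recv(limit - len(data))
                if not chunk:
                    break
                data += chunk
            return data or None
    except OSError:                       # refused, timed out, unreachable
        return None


def looks_like_sasser_ftp(banner):
    """True when a banner matches the pattern from the post."""
    return banner is not None and BANNER_RE.search(banner) is not None


def sweep(hosts, port=SASSER_FTP_PORT, timeout=3.0):
    """Map each host to 'suspect', 'other-service' or 'no-banner'."""
    results = {}
    for host in hosts:
        banner = read_banner(host, port, timeout)
        if banner is None:
            results[host] = "no-banner"
        elif looks_like_sasser_ftp(banner):
            results[host] = "suspect"
        else:
            results[host] = "other-service"   # something else listens on 5554
    return results


if __name__ == "__main__":
    import sys
    for host, verdict in sweep(sys.argv[1:]).items():
        print(f"{host}\t{verdict}")
```

A "suspect" verdict only means the banner matched; confirm on the host itself before treating it as infected.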