Hi all, for people who did not have the privilege of getting infected with Sasser ;) because of firewall/AV/patch or because they are smart enough to use Linux (like me.... hey now no flame war on this *please*), here is a simple way to catch Sasser:

Step 1: Scanning for infected machines (from a Linux box):
---------------------------------------------------------

Get doscan from: http://www.enyo.de/fw/software/doscan/

compile n run:

# doscan -A 50 -b 512 -c 100 -i -p 5554 -P tcp -r "200 OK$" -v <IP RANGE>

This will give you a list of infected machines.

Step Two: Getting the virus
---------------------------

Copy the following set of commands into a file (or type them at the ftp prompt):

---------ftp_commands------
open <infected m/c IP> 5554
anonymous
user
bin
get 7584_up.exe
bye
----------------------

Then from the cmd prompt of your *windows* machine, run:

c:\>ftp -s:ftp_commands

This will fetch you a copy of the virus as 7584_up.exe. The ftp_commands file actually logs into the ftp server of Sasser on port 5554 of the infected machine with username "anonymous" and password "user", and then issues a PORT command to download the virus.

====================

PS: USE THIS SET OF INSTRUCTIONS AT YOUR OWN RISK!!!! BY EXECUTING THE DOWNLOADED FILE YOU WILL INFECT YOUR SYSTEM. In case you are running any AV with real-time protection features, it should immediately detect the virus!!!

cheers,
--
Shashank Rai
------------
Network and Information Security Team,
Emirates Telecommunication Corporation,
Abu Dhabi, U.A.E.
Ph: +971-2-6182523 Office
    +971-50-6670648 Cell
GPG key: http://pgp.cns.ualberta.ca:11371/pks/lookup?op=vindex&search=0x01B79474026E36F5

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
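As an added example (not part of the original post or of doscan), the Step 1 scan reimplemented in Python for admins without doscan handy: it connects to TCP/5554 on each host of a range, reads the banner, and flags hosts whose first line matches the post's "200 OK$" pattern. The CIDR, timeout and worker count are constructed values; adjust them to the subnet you are responsible for.

```python
import re
import socket
import ipaddress
from concurrent.futures import ThreadPoolExecutor

SASSER_FTP_PORT = 5554                 # backdoor FTP port from the post (-p 5554)
BANNER_RE = re.compile(rb"200 OK$")    # the -r "200 OK$" match from the post


def banner_looks_infected(banner: bytes) -> bool:
    """True if the first banner line ends in '200 OK' (post's doscan regex)."""
    first_line = banner.split(b"\n", 1)[0].rstrip(b"\r\n")
    return BANNER_RE.search(first_line) is not None


def probe_host(host: str, timeout: float = 3.0) -> tuple[str, str]:
    """Connect to TCP/5554, read up to 512 bytes (-b 512) and classify the host."""
    try:
        with socket.create_connection((host, SASSER_FTP_PORT), timeout=timeout) as s:
            s.settimeout(timeout)
            banner = s.recv(512)
    except OSError:                    # refused, unreachable or timed out
        return host, "closed/no-response"
    if banner_looks_infected(banner):
        return host, "INFECTED? (Sasser-style FTP banner)"
    return host, "open but different banner"


def scan_range(cidr: str, workers: int = 50, timeout: float = 3.0) -> list[tuple[str, str]]:
    """Probe every host in a range with a bounded thread pool (doscan's -c)."""
    hosts = [str(ip) for ip in ipaddress.ip_network(cidr, strict=False).hosts()]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda h: probe_host(h, timeout), hosts)
    # Only report hosts that answered on 5554; silent hosts are uninteresting here.
    return [r for r in results if r[1] != "closed/no-response"]


if __name__ == "__main__":
    # Constructed documentation range (RFC 5737); replace with your own subnet.
    for host, verdict in scan_range("192.0.2.0/28"):
        print(host, verdict)
```

Hosts flagged "INFECTED?" should be pulled off the network and cleaned; the banner match is a triage hint, not proof, so confirm with the AV scan.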
