Port 445 worm details revealed

After spending the last few days watching portsentry logs for repeat offenders and moving them off to the quarantine VLAN, I finally got the chance to analyze an infected machine when one of Housing’s seldom used (and even less frequently updated) laptops was connected and got infected.

While installing Windows updates (MS04-011, MS04-012, MS04-014, MS04-016, etc) , the user saw an LSASS.EXE error and a shutdown counter started. The updates finished installing before the restart, but it was still infected. After rebooting and updating the McAfee virus scanner from 4387 to 4388 DATs, it detected c:winntsystem32bling.exe as W32/Sdbot.worm, which is what we’ve assume it to be all along.

The exe name seems to be pretty random, though one of the more common ones we’ve seen is winsmc.exe. Another recent virus that exhibits similar behavior is W32/Sasser.worm.g, so we are probably seeing some of that as well.

I can pretty much narrow down the exploit to using something that is patched in MS04-011, 012, or 014, as I have another laptop that has those patches, but nothing later and has not been infected. Most likely MS04-011, with the LSASS fixes. Since all these patches are from April of this year, the moral of the story is to visit Windows Update on a regular basis, or turn on Automatic Updates if you are on a high speed connection.