Hot damn, can't wait to get to work and try this on our network!

--__--__--

Message: 19
From: Shashank Rai <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Organization: Etisalat NIS
Date: Tue, 04 May 2004 11:40:12 +0400
Subject: [Full-Disclosure] Catching Sasser

Hi all,
for people who did not have the privilege of getting infected with
sasser ;) because of firewall/AV/patch or they are smart enough to use
Linux (like me.... hey now no flame war on this *please*), here is a
simple way to catch sasser:

Step 1: Scanning for infected machines (from a Linux box):
---------------------------------------------------------
Get doscan from: http://www.enyo.de/fw/software/doscan/

compile and run:
# doscan -A 50 -b 512 -c 100 -i -p 5554 -P tcp -r "200 OK$" -v <IP RANGE>

This will give you a list of infected machines.

Step 2: Getting the virus
---------------------------
Copy the following set of commands into a file (or type them from the ftp
prompt):
---------ftp_commands------
open <infected m/c IP> 5554
anonymous
user
bin
get 7584_up.exe
bye
----------------------
then from the cmd prompt of your *windows* machine, run:

c:\>ftp -s:ftp_commands

This will fetch you a copy of the virus as 7584_up.exe.
The ftp_commands file actually logs into the ftp server of sasser on port
5554 of the infected machine with username "anonymous" and password
"user", and then issues a PORT command to download the virus.

====================
PS: USE THIS SET OF INSTRUCTIONS AT YOUR OWN RISK!!!! BY EXECUTING THE
DOWNLOADED FILE YOU WILL INFECT YOUR SYSTEM.

In case you are running any AV with real-time protection features, it
should immediately detect the virus!!!

cheers,
--
Shashank Rai
------------
Network and Information Security Team,
Emirates Telecommunication Corporation,
Abu Dhabi, U.A.E.
Ph: +971-2-6182523 Office
    +971-50-6670648 Cell
GPG key:
http://pgp.cns.ualberta.ca:11371/pks/lookup?op=vindex&search=0x01B79474026E36F5

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
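A Python equivalent of the Step 1 doscan check, added here as an example that is not part of the post above or of doscan itself: it grabs the TCP 5554 greeting from each host and applies the same "200 OK$" match, so infected machines can be listed without touching the FTP service further. The loopback listener and its banner text are constructed test doubles for exercising the probe, not the real Sasser greeting.

```python
import re
import socket
import socketserver
import threading
from concurrent.futures import ThreadPoolExecutor

# Same match the post's doscan line uses: a greeting whose last line ends in "200 OK".
SASSER_BANNER = re.compile(rb"200 OK$")


def probe_host(host, port=5554, timeout=2.0):
    """Grab the TCP greeting from host:port and test it against SASSER_BANNER.
    Returns (host, matched, banner); a closed or silent port yields (host, False, b"")."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            banner = sock.recv(256)
    except OSError:
        return host, False, b""
    matched = SASSER_BANNER.search(banner.rstrip(b"\r\n")) is not None
    return host, matched, banner


def scan(hosts, port=5554, timeout=2.0, workers=50):
    """Probe every host concurrently (like doscan -A 50) and return the sorted
    list of hosts whose greeting matched."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda h: probe_host(h, port, timeout), hosts))
    return sorted(h for h, matched, _ in results if matched)


def start_constructed_listener(banner):
    """Start a throwaway loopback service that sends `banner` and hangs up.
    Constructed test double for exercising probe_host; not the real Sasser service."""
    class _Greeter(socketserver.BaseRequestHandler):
        def handle(self):
            self.request.sendall(banner)

    server = socketserver.TCPServer(("127.0.0.1", 0), _Greeter)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    import sys
    # Usage: python sasser_probe.py 10.0.0.5 10.0.0.6 ...  (hosts are placeholders)
    for infected in scan(sys.argv[1:]):
        print(infected)
```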