Media releases are provided as is by companies and have not been edited or checked for accuracy. Any queries should be directed to the company itself.

Symantec Update: State of Internet Security -- May 2, 2004

  • 03 May, 2004 11:22

<p>Within recent weeks, several critical vulnerabilities have been disclosed and in some cases, worms and other automated tools have been launched exploiting these vulnerabilities. Exploit code has been made publicly available for all of these vulnerabilities. Most notably, W32.Sasser.B.Worm, which attempts to exploit the LSASS vulnerability, has been impacting systems worldwide. W32.Sasser.B.Worm, rated today by Symantec as a Level 4 threat, spreads by scanning randomly chosen IP addressed for vulnerable system. Currently Symantec Security Response is seeing approximately 150 submissions per hour (see below for more information regarding this threat).</p>
<p>"Over the last several weeks Symantec Security Response has monitored a shift in malicious threat propagation," said Alfred Huger, senior director, Symantec Security Response. "During the first several months of the year, most of the threats we tracked spread through e-mail. However, now we are tracking more threats that are exploiting vulnerabilities to spread. Users need to be diligent in patching systems, updating virus definitions and implementing best practice solutions."</p>
<p>To provide clarity on some of the most recent and significant cyber threat activities, below you'll find a brief update outlining the top three recent vulnerabilities and the malicious threats associated with them.</p>
<p>1. Microsoft Windows LSASS Buffer Overrun Vulnerability/W32.Sasser.B.Worm
The Microsoft Windows LSASS Buffer Overrun Vulnerability was originally announced on April 13, 2004 in Microsoft Security Bulletin MS04-011. A buffer overflow vulnerability exists in the LSASS service that could allow remote code execution on an affected system. LSASS provides an interface for managing local security, domain authentication, and Active Directory processes. If the system was compromised, an attacker could gain complete control of the machine and perform actions on the affected machine similar to a user or administrator, such as erase files, steal information, etc. Exploitation may occur over TCP ports 135, 139, 445, 593 and ports greater than 1024, as well as UDP ports 135, 137, 138 and 445. More information about the LSASS vulnerability can be found at</p>
<p>Symantec recommends users to update their virus definitions to protect against W32.Sasser.Worm and its variant. Symantec Security Response has developed removal tools to clean infections of W32.Sasser.Worm and W32.Sasser.B.Worm. Additionally Symantec recommends blocking TCP ports 5554, 9996 and 445 at the perimeter firewall and install the appropriate Microsoft patch (MS04-011) to prevent remote exploitation of the vulnerability.</p>
<p>Recent Updates
On May 1, 2004, Symantec Security Response identified a variant of the Sasser worm as a Level 3 threat -- W32.Sasser.B.Worm. On May 2, W32.Sasser.B.Worm was upgraded to a Level 4 threat due to the increased submission rate. Symantec Security Response has tracked 2,234 worldwide submissions, including 23 corporate submissions. Unlike the original Sasser worm, W32.Sasser.Worm is predominately infecting consumer systems. The worm also attempts to exploit the LSASS vulnerability and spreads by scanning randomly chosen IP addresses for vulnerable systems. Additional information on W32.Sasser.B.Worm can be found at
On April 30, 2004, Symantec Security Response identified W32.Sasser.Worm as a Level 3 threat. W32.Sasser.Worm attempts to exploit the MS04-011 vulnerability and spreads by scanning randomly-chosen IP addresses for vulnerable systems. Symantec Security Response tracked 301 worldwide submissions, including 113 corporate submissions. For additional information on W32.Sasser.Worm, visit
Symantec has also identified malicious code based on a Gaobot variant that has been modified to propagate through the Microsoft Windows LSASS vulnerability. Gaobot is a type of Trojan that uses IRC. While not as epidemic as a worm, Gaobot still presents an immediate threat due to it's ability to compromise a wide range of computers. W32.Gaobot.AFW is a Level 1 threat that spreads through open network shares and several Windows vulnerabilities including LSASS. W32.Gaobot.AFW can also spread through backdoors installed by Beagle and Mydoom worms, and the Optix family of backdoors. W32.Gaobot.AFJ is another variant that leverages the Microsoft Windows LSASS vulnerability.</p>
<p>2. Microsoft Private Communications Transport (PCT) Protocol Buffer Overrun Vulnerability/backdoor.mipsiv
The Microsoft PCT Vulnerability was originally announced on April 13, 2004 in Microsoft Security Bulletin MS04-011. The Microsoft PCT vulnerability affects all IIS Web servers running Microsoft IIS with SSL enabled. Windows 2003 servers are not vulnerable unless the PCT protocol has been enabled by the administrator. Symantec recommends users to install the PCT patch immediately. If it is not possible, IT administrators can disable the PCT protocol in the registry. Additionally, vulnerability assessment and intrusion detection systems can be deployed to detect the presence of the vulnerability and/or the presence of the exploit. For more information about this vulnerability:</p>
<p>Recent Updates
On April 28, Symantec identified a new Trojan called backdoor.mipsiv. Backdoor.Mipsiv is a Trojan that performs different backdoor-type functions by connecting to an IRC server and joining a specific channel to listen for instructions. Additionally, the Trojan contains keylogging and network scanning functionalities. Backdoor.Mipsiv uses the same port as the PCT vulnerability.
On April 21, exploit code was made public.</p>
<p>3. Multiple Vendor Transmission Control Protocol (TCP) Sequence Number Approximation Vulnerability
A vulnerability in TCP implementations was reported on April 20, 2004, that may permit unauthorized remote users to reset TCP sessions. This issue affects products released by multiple vendors. This issue may permit TCP sequence numbers to be more easily approximated by remote attackers. This vulnerability is possible because affected implementations will accept TCP sequence numbers within a certain range of the expected sequence number for a packet in the session. This will permit a remote attacker to inject a SYN or RST packet into the session, causing it to be reset and effectively allowing for denial-of-service attacks. An attacker could exploit this issue by sending a packet with an approximated sequence number and forged source IP address and TCP port. The end result would be a disruption of normal Internet traffic.</p>
<p>Internet Service Providers are aware of the TCP flaw and there are a number of mitigation strategies. Among others, IT administrators should turn on IP security (IPSEC) which will allow for sensitive TCP protocol data to be encrypted when transmitted over the wire. While there are serious risks if systems are left unpatched, Symantec feels the majority of the systems should be safe. Additional information can be found at</p>
<p>Recent Update
On April 22 2004, Symantec Security Response confirmed that an exploit has been publicly released for the Transmission Control Protocol (TCP) vulnerability. At this time, there is no evidence of a widespread threat.

Most Popular

Cool Tech

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Breitling Superocean Heritage Chronographe 44

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Join the newsletter!

Error: Please check your email address.

Latest Articles


PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?