W32/Sasser-F

Discussion in 'malware problems & news' started by Marianna, May 11, 2004.

Thread Status:
Not open for further replies.
  1. Marianna

    Aliases
    Worm.Win32.Sasser.a, W32.Sasser.Worm, W32/Sasser.worm.f

    Type
    Win32 worm

    Description
    W32/Sasser-F is a network worm which spreads by exploiting a Microsoft
    LSASS vulnerability.
    The worm copies itself to the Windows folder as NAPATCH.EXE and sets the
    following registry entry to auto-start on user logon:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
    nvpatch = napatch.exe

    W32/Sasser-F attempts to connect to random IP addresses on ports TCP/445
    and TCP/9996 and then exploit the LSASS vulnerability. If successful, an FTP
    script is uploaded to and executed on the remote computer, which then
    connects back on port 5554 to download a copy of the worm via FTP.

    W32/Sasser-F may cause the program LSASS.EXE to terminate, which generally
    prompts Windows to shut down and reboot. However, W32/Sasser-F attempts to
    prevent a system shutdown.

    http://www.sophos.com/virusinfo/analyses/w32sasserf.html
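
An added detection example, not part of the original post or the Sophos analysis: it correlates the two network behaviours described above, fan-out probing on TCP/445 and TCP/9996 followed by a probed host connecting back on port 5554. The flow-log format, the sample records, the function names and the fan-out threshold are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

SCAN_PORTS = {445, 9996}  # TCP ports the description says the worm probes
CALLBACK_PORT = 5554      # port the exploited host connects back to for FTP
FANOUT_THRESHOLD = 5      # assumed tuning value, not taken from the post

# Constructed sample flow log: time,src,dst,dst_port (assumed format)
SAMPLE_FLOWS = """\
2004-05-11T10:00:01,10.0.0.5,192.0.2.10,445
2004-05-11T10:00:01,10.0.0.5,192.0.2.77,445
2004-05-11T10:00:02,10.0.0.5,198.51.100.3,9996
2004-05-11T10:00:02,10.0.0.5,198.51.100.40,445
2004-05-11T10:00:03,10.0.0.5,10.0.0.23,445
2004-05-11T10:00:03,10.0.0.5,203.0.113.9,445
2004-05-11T10:00:05,10.0.0.23,10.0.0.5,5554
2004-05-11T10:00:06,10.0.0.8,10.0.0.2,445
2004-05-11T10:00:07,10.0.0.8,10.0.0.2,445
2004-05-11T10:00:09,10.0.0.9,10.0.0.8,5554
"""

def parse_flows(text):
    """Yield (src, dst, port) from CSV flow lines, skipping malformed rows."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) == 4 and row[3].strip().isdigit():
            yield row[1].strip(), row[2].strip(), int(row[3])

def find_worm_like_hosts(text, threshold=FANOUT_THRESHOLD):
    """Flag sources probing many hosts on the scan ports, and list probed
    hosts that then connected back to the source on the callback port."""
    probed = defaultdict(set)     # src -> distinct hosts probed
    callbacks = defaultdict(set)  # scanner -> hosts that connected back
    for src, dst, port in parse_flows(text):  # rows assumed time-ordered
        if port in SCAN_PORTS:
            probed[src].add(dst)
        elif port == CALLBACK_PORT and src in probed.get(dst, ()):
            callbacks[dst].add(src)
    return {
        host: {"fanout": len(targets),
               "likely_infected": sorted(callbacks.get(host, ()))}
        for host, targets in probed.items()
        if len(targets) >= threshold
    }

if __name__ == "__main__":
    for host, info in find_worm_like_hosts(SAMPLE_FLOWS).items():
        print(host, info)
```

Hosts listed under `likely_infected` are the ones to check for NAPATCH.EXE in the Windows folder and the `nvpatch` Run value named in the description.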
     