WORM_SASSER.D

Discussion in 'malware problems & news' started by Marianna, May 3, 2004.

Thread Status:
Not open for further replies.
  1. Marianna
    Marianna Spyware Fighter

    Virus type: Worm

    Destructive: No

    Description:



    This worm exploits the Windows LSASS vulnerability, which is a buffer overrun that allows remote code execution and enables an attacker to gain full control of the infected system. This vulnerability is discussed in detail in the following pages:

    MS04-011_MICROSOFT_WINDOWS
    Microsoft Security Bulletin MS04-011

    To propagate, it scans for vulnerable systems at TCP port 445 and sends a specially-crafted packet to produce a buffer overflow on LSASS.EXE. The packet runs a remote shell that opens port 9995. This worm commands the remote shell to download its copy from the original infected source via port 5554 using FTP.

    More: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SASSER.D
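
The propagation sequence described in the post (TCP 445, then a shell on port 9995, then an FTP call-back to the source on port 5554) can be matched in flow logs. This is an added example, not part of the original post or the Trend Micro write-up; the log format, the addresses, the function names and the scan threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample flow records (not real traffic): "epoch src dst dport"
SAMPLE_FLOWS = """\
1083580000 10.0.0.5 10.0.0.21 445
1083580001 10.0.0.5 10.0.0.22 445
1083580002 10.0.0.5 10.0.0.23 445
1083580003 10.0.0.5 10.0.0.22 9995
1083580004 10.0.0.22 10.0.0.5 5554
1083580005 10.0.0.9 10.0.0.30 445
1083580006 10.0.0.40 10.0.0.9 5554
1083580007 10.0.0.22 10.0.0.23 445
"""

SMB, SHELL, FTP = 445, 9995, 5554  # ports named in the post

def parse_flows(text):
    """Yield (ts, src, dst, dport) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit() or not parts[3].isdigit():
            continue
        yield int(parts[0]), parts[1], parts[2], int(parts[3])

def find_infection_chains(flows):
    """Return (source, victim) pairs showing 445 -> 9995 -> 5554 call-back in time order."""
    stage = {}   # (source, victim) -> number of chain steps seen so far
    chains = []
    for ts, src, dst, dport in sorted(flows):
        if dport == SMB:
            stage.setdefault((src, dst), 1)
        elif dport == SHELL and stage.get((src, dst)) == 1:
            stage[(src, dst)] = 2
        elif dport == FTP and stage.get((dst, src)) == 2:
            # The victim connects back to the source to fetch the worm copy.
            stage[(dst, src)] = 3
            chains.append((dst, src))
    return chains

def find_scanners(flows, threshold=3):
    """Return hosts that contacted at least `threshold` distinct peers on TCP 445."""
    peers = defaultdict(set)
    for _, src, dst, dport in flows:
        if dport == SMB:
            peers[src].add(dst)
    return sorted(h for h, d in peers.items() if len(d) >= threshold)

if __name__ == "__main__":
    flows = list(parse_flows(SAMPLE_FLOWS))
    print("scanners:", find_scanners(flows))
    print("chains (source, victim):", find_infection_chains(flows))
```

A stray connection to port 5554 without the preceding 445 and 9995 steps between the same pair of hosts is not reported as a chain.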