W32/Sasser-A

Discussion in 'malware problems & news' started by Marianna, May 1, 2004.

Thread Status:
Not open for further replies.
  1. Marianna

    Marianna Spyware Fighter

    Aliases: W32/Sasser.worm
    Type: Win32 worm

    Description
    W32/Sasser-A is a network worm that spreads by exploiting the Microsoft LSASS vulnerability. Microsoft has issued a patch to secure against this vulnerability which can be downloaded from Microsoft Security Bulletin MS04-011.

    The worm copies itself to the Windows folder with the filename avserve.exe and sets the following registry key to auto-start on user logon:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avserve = avserve.exe

    W32/Sasser-A attempts to connect out on port TCP/9996 and TCP/445 and exploit the LSASS vulnerability. An FTP script is then downloaded and executed which connects back on port 5554 to download a copy of the worm via FTP.

    http://www.sophos.com/virusinfo/analyses/w32sassera.html
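
Added example, not part of the original thread or the Sophos analysis: a small Python correlation over network flow records that flags the traffic pattern described above (a connection to TCP/445 or TCP/9996, followed by the contacted host connecting back to TCP/5554). The flow-record format, the sample records, the 60-second window and the function names are assumptions made for illustration.

```python
from collections import defaultdict

EXPLOIT_PORTS = {445, 9996}   # ports named in the description above
FTP_BACK_PORT = 5554          # port the FTP download connects back to

# Constructed sample flow records: "epoch_seconds src_ip dst_ip dst_port"
SAMPLE_FLOWS = """\
1000 10.0.0.5 10.0.0.20 445
1001 10.0.0.5 10.0.0.20 9996
1003 10.0.0.20 10.0.0.5 5554
1010 10.0.0.5 10.0.0.21 445
1020 10.0.0.7 10.0.0.30 445
1500 10.0.0.9 10.0.0.7 5554
"""

def parse_flows(text):
    """Yield (ts, src, dst, dport) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not (parts[0].isdigit() and parts[3].isdigit()):
            continue
        yield int(parts[0]), parts[1], parts[2], int(parts[3])

def find_infections(flows, window=60):
    """Return sorted (source, victim) pairs where source reached victim on
    445 or 9996 and victim then connected back to source:5554 within window."""
    last_probe = {}   # (source, victim) -> time of latest exploit-port flow
    hits = set()
    for ts, src, dst, dport in sorted(flows):
        if dport in EXPLOIT_PORTS:
            last_probe[(src, dst)] = ts
        elif dport == FTP_BACK_PORT:
            probe_ts = last_probe.get((dst, src))
            if probe_ts is not None and 0 <= ts - probe_ts <= window:
                hits.add((dst, src))
    return sorted(hits)

def scanners(flows, min_targets=2):
    """Hosts contacting TCP/445 on at least min_targets distinct addresses."""
    targets = defaultdict(set)
    for _, src, dst, dport in flows:
        if dport == 445:
            targets[src].add(dst)
    return sorted(h for h, t in targets.items() if len(t) >= min_targets)

if __name__ == "__main__":
    flows = list(parse_flows(SAMPLE_FLOWS))
    print("likely infections:", find_infections(flows))
    print("hosts probing 445 widely:", scanners(flows))
```

Both hosts in a reported pair should then be checked for avserve.exe in the Windows folder and the Run key value listed above.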
     
  2. dvk01

    dvk01 Global Moderator

    Advisory
    This is a Medium Threat Advisory for W32/Sasser.worm

    Justification
    W32/Sasser.worm has been deemed Medium due to prevalence

    Read About It
    Information about W32/Sasser.worm is located on VIL at:
    http://vil.nai.com/vil/content/v_125007.htm

    Detection
    W32/Sasser.worm was first discovered on 04/30/2004 and detection will be added to the 4355 dat files (Release Date: 05/01/2004). The EXTRA.DAT is available.

    If you suspect you have W32/Sasser.worm, please submit a sample to http://www.webimmune.net/
     
    Last edited: May 1, 2004
  3. Randy_Bell

    Randy_Bell Registered Member

    Received this Virus Alert from Panda early this morning:

     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Microsoft has released a tool to help you remove the Sasser worm variants from
    your computer. If you are running Microsoft Windows 2000 Service Pack 2 (SP2) or
    later, or a 32-bit version of Microsoft Windows XP, you can use the Sasser Worm
    Removal Tool to remove Sasser.A and Sasser.B infections.

    The information in this article applies to:
    Microsoft Windows 2000 Advanced Server SP2
    Microsoft Windows 2000 Advanced Server SP3
    Microsoft Windows 2000 Advanced Server SP4
    Microsoft Windows 2000 Datacenter Server SP2
    Microsoft Windows 2000 Datacenter Server SP3
    Microsoft Windows 2000 Datacenter Server SP4
    Microsoft Windows 2000 Professional SP2
    Microsoft Windows 2000 Professional SP3
    Microsoft Windows 2000 Professional SP4
    Microsoft Windows 2000 Server SP2
    Microsoft Windows 2000 Server SP3
    Microsoft Windows 2000 Server SP4
    Microsoft Windows XP Home Edition
    Microsoft Windows XP Home Edition SP1
    Microsoft Windows XP Professional
    Microsoft Windows XP Professional SP1

    Complete info and download link at http://support.microsoft.com/?kbid=841720
     