WORM_SASSER.C

Discussion in 'malware problems & news' started by Marianna, May 3, 2004.

Thread Status:
Not open for further replies.
  1. Marianna

    Marianna Spyware Fighter

    Virus type: Worm

    Destructive: No

    Description:



    Note: This worm is covered by the Red alert on the SASSER family of worms (variants A, B, and C).

    This worm exploits the Windows LSASS vulnerability, which is a buffer overrun that allows remote code execution and enables an attacker to gain full control of the infected system. This vulnerability is discussed in detail in the following pages:

    MS04-011_MICROSOFT_WINDOWS
    Microsoft Security Bulletin MS04-011

    To propagate, it scans for vulnerable systems at TCP port 445 and sends a specially-crafted packet to produce a buffer overflow on LSASS.EXE. The packet runs a remote shell that opens port 9996. This worm commands the remote shell to download its copy from the original infected source via port 5554 using FTP.

    More: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SASSER.C
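
A defender-side check for the traffic pattern described in the post above, added here as an example and not part of the original post or the linked write-up: it flags hosts probing many addresses on TCP 445, and host pairs where a 445 connection is followed by a connection to port 9996 and a return connection to port 5554. The flow-record format, the sample records, the threshold and the connection directions (source to target on 9996, target back to source on 5554) are assumptions.

```python
from collections import defaultdict

# Ports named in the worm description above.
SCAN_PORT, SHELL_PORT, FTP_PORT = 445, 9996, 5554
SCAN_THRESHOLD = 3  # assumption: distinct 445 targets before a source counts as scanning

# Constructed sample flow records: "timestamp src dst dst_port" (hypothetical format).
SAMPLE_FLOWS = """\
2004-05-03T10:00:01 10.0.0.5 10.0.0.20 445
2004-05-03T10:00:01 10.0.0.5 10.0.0.21 445
2004-05-03T10:00:02 10.0.0.5 10.0.0.22 445
2004-05-03T10:00:03 10.0.0.5 10.0.0.22 9996
2004-05-03T10:00:04 10.0.0.22 10.0.0.5 5554
2004-05-03T10:00:09 10.0.0.7 10.0.0.30 445
2004-05-03T10:00:10 10.0.0.8 10.0.0.30 80
"""

def parse(text):
    """Yield (ts, src, dst, port) tuples; skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3].isdigit():
            yield parts[0], parts[1], parts[2], int(parts[3])

def analyze(text):
    """Return (scanners, chains) found in the flow records."""
    targets = defaultdict(set)  # src -> distinct hosts contacted on 445
    first_seen = {}             # (src, dst, port) -> earliest timestamp
    for ts, src, dst, port in parse(text):
        if port == SCAN_PORT:
            targets[src].add(dst)
        if port in (SCAN_PORT, SHELL_PORT, FTP_PORT):
            key = (src, dst, port)
            # ISO-8601 timestamps in one format sort correctly as strings.
            first_seen[key] = min(ts, first_seen.get(key, ts))
    scanners = sorted(s for s, d in targets.items() if len(d) >= SCAN_THRESHOLD)
    chains = []
    for (src, dst, port), t445 in first_seen.items():
        if port != SCAN_PORT:
            continue
        t_shell = first_seen.get((src, dst, SHELL_PORT))  # source -> target:9996
        t_ftp = first_seen.get((dst, src, FTP_PORT))      # target -> source:5554
        if t_shell and t_ftp and t445 <= t_shell <= t_ftp:
            chains.append((src, dst))
    return scanners, sorted(chains)

if __name__ == "__main__":
    print(analyze(SAMPLE_FLOWS))
```

Each pair in the second list is (source, newly infected host); both hosts warrant isolation and patching with MS04-011.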
     