Discussion in 'malware problems & news' started by Marianna, May 3, 2004.

Thread Status:
Not open for further replies.
  1. Marianna

    Marianna Spyware Fighter

    Apr 23, 2002
    B.C. Canada
    Virus type: Worm

    Destructive: No


    Note: This worm is covered by the Red alert on the SASSER family of worms (variants A, B, and C).

    This worm exploits the Windows LSASS vulnerability, which is a buffer overrun that allows remote code execution and enables an attacker to gain full control of the infected system. This vulnerability is discussed in detail in the following pages:

    Microsoft Security Bulletin MS04-011

    To propagate, it scans for vulnerable systems at TCP port 445 and sends a specially-crafted packet to produce a buffer overflow on LSASS.EXE. The packet runs a remote shell that opens port 9996. This worm commands the remote shell to download its copy from the original infected source via port 5554 using FTP.

    More: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SASSER.C
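
Detection logic for the propagation chain described in the post above, as an added example that is not part of the original post or of the linked write-up: it flags sources probing many hosts on TCP 445, and (source, victim) pairs where a 445 connection is followed by a connection to 9996 and then a fetch back from the source on 5554. The flow-record format, the sample addresses and the scan threshold are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample flow records (TCP only): "epoch_seconds src_ip dst_ip dst_port"
SAMPLE_FLOWS = """\
100 10.0.0.5 10.0.0.20 445
101 10.0.0.5 10.0.0.21 445
102 10.0.0.5 10.0.0.22 445
103 10.0.0.5 10.0.0.23 445
104 10.0.0.5 10.0.0.22 9996
105 10.0.0.22 10.0.0.5 5554
106 10.0.0.30 10.0.0.31 445
107 10.0.0.40 10.0.0.5 5554
"""

SCAN_THRESHOLD = 4  # assumed: distinct 445 targets before a source counts as a scanner


def parse_flows(text):
    """Yield (ts, src, dst, dport) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit() or not parts[3].isdigit():
            continue
        yield int(parts[0]), parts[1], parts[2], int(parts[3])


def detect_sasser(flows, scan_threshold=SCAN_THRESHOLD):
    """Return (scanners, infections); infections are (source, victim) pairs that
    completed the ordered chain 445 -> 9996 -> victim connects to source:5554."""
    smb_targets = defaultdict(set)  # src -> distinct hosts contacted on 445
    stage = {}                      # (src, victim) -> last chain port observed
    infections = []
    for ts, src, dst, dport in sorted(flows):
        if dport == 445:
            smb_targets[src].add(dst)
            stage.setdefault((src, dst), 445)
        elif dport == 9996 and stage.get((src, dst)) == 445:
            stage[(src, dst)] = 9996  # remote shell port reached after the 445 probe
        elif dport == 5554 and stage.get((dst, src)) == 9996:
            stage[(dst, src)] = 5554  # victim pulled a file back from the source
            infections.append((dst, src))
    scanners = sorted(s for s, t in smb_targets.items() if len(t) >= scan_threshold)
    return scanners, infections


if __name__ == "__main__":
    print(detect_sasser(parse_flows(SAMPLE_FLOWS)))
```

A lone connection to port 5554 (the last sample record) is not reported, because the chain is only counted when the 445 and 9996 steps between the same two hosts came first.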