is a network worm that spreads by exploiting the Microsoft LSASS vulnerability. It does not spread via e-mail.
There is a patch issued by Microsoft in April, which is able to close this LSASS vulnerability. It can be downloaded from Microsoft Web site (Security Bulletin MS04-011).
When activated, the worm copies itself to the Windows folder under the filename avserve.exe and sets the registry key to run itself on computer start:
Win32:Sasser-A starts an FTP server on TCP port 5554. This server is used to spread the worm to other hosts. The worm attempts to connect to randomly-generated IP addresses on TCP port 445. If a connection is made to a computer, the worm sends shellcode to that computer which may cause it to run a remote shell on TCP port 9996. The worm then uses the shell to cause the computer to connect back to the FTP server on port 5554 and retrieve a copy of the worm. This copy will have a name consisting of 4 or 5 digits followed by _up.exe (eg. 12345_up.exe).
The IP addresses generated by the worm are distributed as follows:
The worm starts 128 threads that scan randomly-chosen IP addresses. This demands a lot of CPU time and as a result, the infected computer may be so slow as to be barely usable.
Please note: Applying the system patch mentioned above disables the functionality of virus infecting your computer. It is a very good practice to apply all Microsoft critical patches as soon as possible. The 'Windows Update' feature is a very good tool to do this automatically.
There are several variants of this worm, currently circulating in the wild.
avast! with VPS file dated on or after 1st May 2004 is able to detect this worm.Refer: Avast