Win32:Sasser
Win32:Sasser is a network worm that spreads by exploiting the Microsoft LSASS vulnerability. It does not spread via e-mail. A patch issued by Microsoft in April closes this LSASS vulnerability; it can be downloaded from the Microsoft Web site (Security Bulletin MS04-011). When activated, the worm copies itself to the Windows folder under the filename avserve.exe and sets the registry key to run itself on computer start:
Win32:Sasser-A starts an FTP server on TCP port 5554. This server is used to spread the worm to other hosts. The worm attempts to connect to randomly generated IP addresses on TCP port 445. If a connection is made to a computer, the worm sends shellcode to that computer, which may cause it to run a remote shell on TCP port 9996. The worm then uses the shell to make the computer connect back to the FTP server on port 5554 and retrieve a copy of the worm. This copy has a name consisting of 4 or 5 digits followed by _up.exe (e.g. 12345_up.exe). The IP addresses generated by the worm are distributed as follows:
The worm starts 128 threads that scan randomly chosen IP addresses. This demands a lot of CPU time, and as a result the infected computer may be so slow as to be barely usable. Please note: applying the system patch mentioned above prevents the worm from infecting your computer. It is very good practice to apply all Microsoft critical patches as soon as possible. The 'Windows Update' feature is a very good tool to do this automatically. There are several variants of this worm currently circulating in the wild. Removal: avast! with VPS file dated on or after 1st May 2004 is able to detect this worm. Refer: Avast
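The behaviour described above (many outbound connections to TCP 445 from one host, connections to the worm's own TCP 5554 and 9996 ports, and the avserve.exe / NNNNN_up.exe file names) gives a defender a set of network and file indicators to look for. The script below is an added example written for this page, not code from the original avast! entry: it parses a constructed connection-log format (timestamp, source, destination:port, state), flags hosts that touch many distinct addresses on port 445 within the log, lists any traffic to the worm's FTP and shell ports, and checks file names against the dropper pattern. The log format, the sample addresses and the scan threshold of 20 distinct targets are all assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Indicators taken from the worm description above.
SCAN_PORT = 445          # port the worm probes for the LSASS vulnerability
FTP_PORT = 5554          # FTP server the worm opens on the infected host
SHELL_PORT = 9996        # remote shell the worm tries to start on a victim
PAYLOAD_NAME = "avserve.exe"
DROPPER_RE = re.compile(r"^\d{4,5}_up\.exe$", re.IGNORECASE)  # e.g. 12345_up.exe

# Constructed log format (assumption, not a real product's format):
# "<timestamp> <src_ip> -> <dst_ip>:<dst_port> <state>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+(?P<state>\S+)$"
)


def parse_line(line):
    """Return (ts, src, dst, port, state) or None for an unparseable line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return m["ts"], m["src"], m["dst"], int(m["port"]), m["state"]


def find_scanners(lines, threshold=20):
    """Map each source to its count of distinct port-445 targets, keeping only
    sources at or above the threshold. Normal SMB use talks to a handful of
    file servers; a Sasser-style scanner fans out to many random addresses."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[3] == SCAN_PORT:
            targets[rec[1]].add(rec[2])
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}


def find_backchannel(lines):
    """Return (src, dst, port) for connections to the worm's FTP or shell
    port. Neither is a normal service, so any hit deserves a look: 5554 is a
    victim fetching the worm copy, 9996 is the infected host reaching the
    shell it spawned."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec[3] in (FTP_PORT, SHELL_PORT):
            hits.append((rec[1], rec[2], rec[3]))
    return hits


def suspicious_filename(path):
    """True for avserve.exe or a 4-5 digit NNNNN_up.exe name (case-insensitive)."""
    base = path.replace("\\", "/").rsplit("/", 1)[-1]
    return base.lower() == PAYLOAD_NAME or bool(DROPPER_RE.match(base))


def constructed_sample_log():
    """Constructed sample data for the example; not captured traffic."""
    lines = []
    # 10.0.0.5 probes 25 distinct hosts on 445 within one second: scan pattern.
    for i in range(25):
        lines.append(f"2004-05-01T10:00:01 10.0.0.5 -> 192.0.2.{i + 1}:445 SYN")
    # 10.0.0.9 talks to a single file server on 445: ordinary SMB traffic.
    lines.append("2004-05-01T10:00:03 10.0.0.9 -> 10.0.0.1:445 SYN")
    # Victim pulls the worm copy from the infected host's FTP port.
    lines.append("2004-05-01T10:00:04 192.0.2.7 -> 10.0.0.5:5554 SYN")
    # Infected host connects to the shell it opened on the victim.
    lines.append("2004-05-01T10:00:04 10.0.0.5 -> 192.0.2.7:9996 SYN")
    lines.append("this line does not match the log format and is skipped")
    return lines


if __name__ == "__main__":
    log = constructed_sample_log()
    print("port-445 scanners:", find_scanners(log))
    print("worm-port traffic:", find_backchannel(log))
    for name in ("C:\\WINDOWS\\avserve.exe", "12345_up.exe", "report.exe"):
        print(name, "->", suspicious_filename(name))
```

The threshold is the knob to tune: the worm runs 128 scanning threads, so a real infection produces far more than 20 distinct targets in seconds, while a workstation that legitimately reaches dozens of SMB servers would need a higher value or a per-minute window. The filename check is deliberately strict about the 4-to-5-digit count so that unrelated `_up.exe` names do not match.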