Virus Information


Prevalence: Medium

Name: Win32.Worm.Sasser.{A-C}

Type:

How it spreads: The worm installs by exploiting the LSASS vulnerability described in the Microsoft Security Bulletin MS04-011. It scans pseudo-random IPs on port 445, sending the exploit that causes a remote shell to be spawned on port 9996.

Affected operating:

Aliases: WORM_SASSER, Win32.HLLW.Jobaka

Date of surface: Apr 30 2004 12:00AM
The worm installs by exploiting the LSASS vulnerability described in the Microsoft Security Bulletin MS04-011. It scans pseudo-random IPs on port 445, sending the exploit that causes a remote shell to be spawned on port 9996. Then it opens an FTP server on the remote computer that listens on port 5554, and sends and executes itself on the remote machine. Once executed, the worm drops a file in the Windows directory (%WINDIR%):

%WINDIR%\avserve.exe -- Win32.Worm.Sasser.A
%WINDIR%\avserve2.exe -- Win32.Worm.Sasser.B,C

and creates the registry key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with the value:

"avserve.exe" = "%WINDIR%\avserve.exe" -- Win32.Worm.Sasser.A
"avserve2.exe" = "%WINDIR%\avserve2.exe" -- Win32.Worm.Sasser.B,C
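
Added example (not part of the original write-up or of any eScan tool): a small Python correlator that looks for the port sequence described above (445, then 9996, then 5554) in connection records. The log format "epoch src dst dport", the sample records, and the scan threshold are assumptions made for illustration.

```python
from collections import defaultdict

SCAN_PORT, SHELL_PORT, FTP_PORT = 445, 9996, 5554  # ports named in the write-up
SCAN_THRESHOLD = 5  # assumption: distinct port-445 targets before a source counts as scanning

# Constructed sample records, "epoch src dst dport" (format is an assumption).
SAMPLE_LOG = """\
100 10.0.0.9 10.0.0.2 445
101 10.0.0.5 10.0.1.1 445
102 10.0.0.5 10.0.1.2 445
103 10.0.0.5 10.0.1.3 445
104 10.0.0.5 10.0.1.4 445
105 10.0.0.5 10.0.1.5 445
106 10.0.0.5 10.0.1.3 9996
107 10.0.1.3 10.0.0.5 5554
108 10.0.0.7 10.0.0.8 9996
garbage line
"""

def parse(log):
    """Yield (ts, src, dst, dport); skip lines that do not fit the format."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0].isdigit() and parts[3].isdigit():
            yield int(parts[0]), parts[1], parts[2], int(parts[3])

def analyze(log, threshold=SCAN_THRESHOLD):
    targets = defaultdict(set)  # src -> hosts it contacted on port 445
    probed = set()              # (src, dst) pairs already seen on port 445
    exploited, transfers = set(), set()
    for _, src, dst, dport in sorted(parse(log)):  # process in time order
        if dport == SCAN_PORT:
            targets[src].add(dst)
            probed.add((src, dst))
        elif dport == SHELL_PORT and (src, dst) in probed:
            exploited.add(dst)  # 445 followed by 9996 from the same source
        elif dport == FTP_PORT and ((src, dst) in probed or (dst, src) in probed):
            transfers.add(tuple(sorted((src, dst))))  # direction not assumed
    scanners = {s for s, d in targets.items() if len(d) >= threshold}
    return {"scanners": scanners, "exploited": exploited, "transfers": transfers}

if __name__ == "__main__":
    for name, hosts in analyze(SAMPLE_LOG).items():
        print(name, sorted(hosts))
```

Hosts reported as scanners or exploited are candidates for the file and Run-key checks listed above; ordinary file-server traffic on port 445 stays below the threshold and is not flagged.
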
For disinfection, download and run our free eScan Anti-Virus Toolkit. The utility checks your computer, system registry, and running processes for malicious programs, illegal dialers, and sniffer tools. Note: This tool does not protect your PC in real time.

You can download the eScan Anti-Virus Toolkit utility from the MicroWorld Web site.

Alternatively, you can install MicroWorld’s Internet Security Suite, which has real-time detection capabilities.
You can download and install the product from our eScan download page.