Computer Protection Program at Berkeley Lab
Ernest Orlando Lawrence Berkeley National Laboratory

Alerts Archive

The Sasser Worms

THE SASSER.A WORM

The Sasser worm (W32.Sasser.A, W32/Sasser.worm.a, WORM_SASSER.A, Worm.Win32.Sasser.a, W32/Sasser-A, Win32.Sasser.A, W32/Sasser.A.worm) is a Windows-targeting worm that can spread from machine to machine without user intervention, which makes it particularly dangerous. It exploits a buffer overflow vulnerability in the Local Security Authority Subsystem Service (LSASS) of Windows XP and Windows 2000 systems that allows remote attackers to execute arbitrary code on the vulnerable system with elevated privileges. It spreads by scanning randomly selected IP addresses for vulnerable systems and then exploiting this vulnerability.

Although Sasser.A cannot infect Windows 95/98/Me computers, it can run on those machines and use them to infect the vulnerable systems to which they can connect. This worm ties up these systems so that programs, including the Sasser removal tool, cannot properly run.

How Sasser.A Works

According to Symantec, Sasser.A first creates a mutex [1] named Jobaka3l. It then copies itself to %Windir%\avserve.exe, where %Windir% is the Windows installation folder, and adds the value:

"avserve.exe"="%Windir%\avserve.exe"

to the following Registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the worm runs each time the infected system starts.

It uses the AbortSystemShutdown API to thwart attempts to shut down or restart the computer. It then creates an FTP server on TCP port 5554. It uses this server to spread to other hosts by choosing random IP addresses, scanning for vulnerable systems, and attempting to connect to them on TCP port 445. Once the worm identifies a vulnerable machine, it runs a remote shell on TCP port 9996. Next it creates an FTP script named cmd.ftp on the remote host and executes it. This script instructs the targeted machine to download and execute the worm from the infected host. The infected host accepts this FTP traffic on TCP port 5554.

How to Prevent Infection

  1. Download and install the latest cumulative patch for your version of Windows from http://www.lbl.gov/ITSD/CIS/Software/
  2. Scan your computer for viruses daily (instructions are on the CPP site).
  3. Update your virus software daily (instructions are on the CPP site).
  4. On home systems, consider using a firewall to block all incoming traffic on TCP ports 445, 5554 and 9996.

How to Recover from a Sasser Infection

  1. Use the Symantec removal tool, available from Symantec's site.
  2. See "Disabling System Restore" on the McAfee site for additional caveats for Windows Me/XP systems.
  3. Download and install the latest cumulative patch for your version of Windows from http://www.lbl.gov/ITSD/CIS/Software/

____________

SASSER.B

Systems Affected: Windows 2000, Windows XP

W32.Sasser.B.Worm is a variant of W32.Sasser.Worm. It attempts to exploit the LSASS vulnerability described in Microsoft Security Bulletin MS04-011. This worm spreads by scanning randomly selected IP addresses for vulnerable systems.

How Sasser.B Differs from Sasser.A

According to Symantec, Sasser.B differs from the original Sasser worm as follows:

  • Uses a different mutex [1]: Jobaka3.
  • Uses a different file name: avserve2.exe.
  • Has a different MD5.
  • Creates a different value in the registry: "avserve2.exe".

Although the W32.Sasser.Worm.B cannot infect Windows 95/98/Me computers, it can run on those machines and use them to infect the vulnerable systems to which they can connect. The worm ties up these systems so that programs cannot properly run, including the removal tool. (On Windows 95/98/Me computers, run the removal tool in Safe mode.)

AKA: WORM_SASSER.B, W32/Sasser.worm.b, Worm.Win32.Sasser.b, W32/Sasser-B, Win32.Sasser.B, Sasser.B, W32/Sasser.B.worm, Win32/Sasser.B.worm, W32/Sasser.B

____________

SASSER C

Systems Affected: Windows 2000, Windows XP

W32.Sasser.C.Worm is a variant of W32.Sasser.Worm. It attempts to exploit the LSASS vulnerability described in Microsoft Security Bulletin MS04-011 and spreads by scanning randomly selected IP addresses for vulnerable systems.

How Sasser.C Differs from Sasser.A

According to Symantec, Sasser.C differs from the original Sasser worm as follows:

  • Uses a different mutex [1]: JumpallsNlsTillt.
  • Launches 1024 threads (instead of 128).
  • Uses a different file name: avserve2.exe.
  • Has a different MD5.
  • Creates a different value in the registry: "avserve2.exe".

AKA: W32/Sasser-C, Worm.Win32.Sasser.c, W32/Sasser.worm.c , WORM_SASSER.C, Win32.Sasser.C

Although the W32.Sasser.Worm.C cannot infect Windows 95/98/Me computers, it can run on those machines and use them to infect the vulnerable systems to which they can connect. The worm ties up these systems so that programs cannot properly run, including the removal tool. (On Windows 95/98/Me computers, run the removal tool in Safe mode.)

____________

SASSER.D

System Affected: Windows XP

The W32.Sasser.D worm is a variant of W32.Sasser.Worm. It attempts to exploit the LSASS vulnerability described in Microsoft Security Bulletin MS04-011. It spreads by scanning randomly selected IP addresses for vulnerable systems.

How Sasser.D Differs from Sasser.A

According to Symantec, Sasser.D differs from the original Sasser worm as follows:

  • Uses a different mutex [1]: SkynetSasserVersionWithPingFast.
  • Uses a different file name: skynetave.exe.
  • Has a different MD5.
  • Creates a different value in the registry: "skynetave.exe".
  • Uses a different port for the remote shell: 9995/tcp.
  • Only infects Windows XP systems.
  • Will exit before running any code, with an error, on some Windows 2000 systems.
  • Has an updated routine for finding vulnerable computers. W32.Sasser.D sends an ICMP echo request before attempting to make a connection, which may be what prevents it from executing on Windows 2000 systems.

AKA: W32/Sasser-D, WORM_SASSER.D, W32/Sasser.worm.d, Win32.Sasser.D, Worm.Win32.Sasser.d

Even though W32.Sasser.D only executes on Windows XP systems, it can exploit a vulnerable (unpatched) Windows 2000 machine remotely and copy itself to that machine. However, it will exit before running any code and will produce the following error:

"The procedure entry point IcmpSendEcho could not be located in the dynamic link library iphlpapi.dll."

____________


SASSER.E

Systems Affected: Windows 2000, Windows XP

W32.Sasser.E.Worm is a minor variant of W32.Sasser.Worm. It attempts to exploit the LSASS vulnerability, described in Microsoft Security Bulletin MS04-011, and spreads by scanning randomly selected IP addresses for vulnerable systems.

How Sasser.E Differs from Sasser.A

According to Symantec, Sasser.E differs from the original Sasser worm as follows:

  • Uses a different mutex [1]: SkynetNotice.
  • Uses a different file name: lsasss.exe.
  • Creates a different value in the registry: "lsasss.exe".
  • Uses different ports for the FTP server and the remote shell: 1023 and 1022.
  • After 2 hours of running, it displays the following message:
    1. Your computer is affected by the MS04-011 vulnerability
    2. It can be that dangerous computer viruses similar the Blaster worm infect your computer
    3. Please update your computer with the MS04-011 LSASS patch from the www.microsoft.com website
    4. This is a message from the SkyNet Team for malicious activity prevention
  • Deletes the registry values known to be installed by Trojan.Mitglieder, W32.Beagle.W@mm, and W32.Beagle.X@mm.
  • The file retrieved from the FTP server has _update.exe appended to its name.
  • Logs data to the file C:\ftplog.txt.

Although the W32.Sasser.Worm.E cannot infect Windows 95/98/Me computers, it can run on those machines and use them to infect the vulnerable systems to which they can connect. The worm ties up these systems so that programs cannot properly run, including the removal tool. (On Windows 95/98/Me computers, run the removal tool in Safe mode.)


Symantec's removal tool for this variant is available from its site.

____________


SASSER.F

Systems Affected: Windows 2000, Windows XP

The W32.Sasser.F.Worm variant attempts to exploit the LSASS vulnerability described in Microsoft Security Bulletin MS04-011. It spreads by scanning randomly selected IP addresses for vulnerable systems.

How Sasser.F Differs from Sasser.A

According to Symantec, Sasser.F differs from the original Sasser worm as follows:

  • Uses a different mutex [1]: billgate.
  • Uses a different file name: napatch.exe.
  • Creates a different value in the registry: "napatch.exe".

Although the W32.Sasser.Worm.F cannot infect Windows 95/98/Me computers, it can run on those machines and use them to infect the vulnerable systems to which they can connect. The worm ties up these systems so that programs cannot properly run, including the removal tool. (On Windows 95/98/Me computers, run the removal tool in Safe mode.)

Symantec's removal tool for this variant is available from its site.
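A defender-side triage script, added here as an example and not part of the CPP page or Symantec's write-ups: it checks a `reg query` dump of the Run key and `netstat -an` output against the file names and listening ports given for Sasser.A through Sasser.F above, and reports which variant's indicators are present. The sample dumps are constructed, and variants whose write-up lists no port change are assumed to keep Sasser.A's ports 5554 and 9996.

```python
import re
# Indicators copied from the Sasser.A-F descriptions above: the file/Run value
# each variant installs and the TCP ports it opens. Variants whose write-up
# lists no port change are assumed (my assumption) to keep A's 5554 and 9996.
VARIANTS = {
    "Sasser.A":   {"file": "avserve.exe",   "ports": {5554, 9996}},
    "Sasser.B/C": {"file": "avserve2.exe",  "ports": {5554, 9996}},
    "Sasser.D":   {"file": "skynetave.exe", "ports": {5554, 9995}},
    "Sasser.E":   {"file": "lsasss.exe",    "ports": {1023, 1022}},
    "Sasser.F":   {"file": "napatch.exe",   "ports": {5554, 9996}},
}

def parse_run_values(reg_text):
    """Parse 'reg query ...\\CurrentVersion\\Run' output into {name: data}."""
    values = {}
    for line in reg_text.splitlines():
        m = re.match(r"\s*(\S+)\s+REG_(?:EXPAND_)?SZ\s+(.*\S)", line)
        if m:
            values[m.group(1).lower()] = m.group(2)
    return values

def parse_listening_tcp_ports(netstat_text):
    """Collect local TCP ports in LISTENING state from 'netstat -an' output."""
    ports = set()
    for line in netstat_text.splitlines():
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", line)
        if m:
            ports.add(int(m.group(1)))
    return ports

def triage(reg_text, netstat_text):
    """Map each variant with a matching indicator to its evidence. A Run value is
    strong evidence; a listening port alone is weak (other software may use it)."""
    run_values = parse_run_values(reg_text)
    listening = parse_listening_tcp_ports(netstat_text)
    findings = {}
    for name, ind in VARIANTS.items():
        data = run_values.get(ind["file"])
        ports = sorted(ind["ports"] & listening)
        if data or ports:
            findings[name] = {"run_value": data, "ports": ports}
    return findings
# Constructed sample output (not captured from a real host) for a quick run.
SAMPLE_REG = "    avserve2.exe    REG_SZ    C:\\WINDOWS\\avserve2.exe\n"
SAMPLE_NETSTAT = ("  TCP    0.0.0.0:5554    0.0.0.0:0    LISTENING\n"
                  "  TCP    0.0.0.0:9996    0.0.0.0:0    LISTENING\n")

if __name__ == "__main__":
    print(triage(SAMPLE_REG, SAMPLE_NETSTAT))
```

On the sample, only Sasser.B/C has both a Run value and its ports; Sasser.A, D and F are listed on port evidence alone, which is the cue to check the process list before drawing a conclusion.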

____________

Note

1. A mutex is a regulating mechanism that allows only a single copy of a worm or virus to run on a system at any time.
