
Net-Worm.Win32.Sasser.b

Detected May 01 2004 18:41 GMT
Released May 01 2004 18:41 GMT
Published May 11 2004 11:11 GMT

Technical Details

Sasser.b is an Internet worm that uses the MS Windows LSASS vulnerability described in Microsoft Security Bulletin MS04-011.

Microsoft released a patch for this vulnerability on April 13th 2004, while Sasser.a was first detected on April 30th 2004.

Sasser.b operates in a very similar manner to Lovesan, except that Lovesan exploited a vulnerability in the RPC DCOM service, not the LSASS service.

Sasser affects computers running Windows 2000, Windows XP and Windows Server 2003. Sasser runs on all other versions of Windows but is unable to infect them by attacking via the vulnerability.

Sasser is written in C/C++, using the Visual C compiler. The worm is about 15 KB in size and is packed using PECompact2.

Signs of Infection

  • a file named avserve.exe in the Windows directory.
  • an error message about LSASS service failure which usually also causes the system to reboot.

Differences between Sasser.a and Sasser.b

Sasser.b uses a different file name for the main component that is registered in the system registry autorun key: avserve2.exe instead of avserve.exe.

The unique identifier name is changed to Jobaka3 and Sasser.b also attempts to create a second identifier named JumpallsNlsTillt.

The number of propagation routines is increased from 128 to 1024 and the name of the log file is changed to win2.log.
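The following host check is an added example and is not part of Kaspersky's description. It looks for the Sasser.a/.b artifacts listed under "Signs of Infection" and "Differences" above: the dropped file in the Windows directory (avserve.exe for .a, avserve2.exe for .b), the autorun registration, the Sasser.b identifier mutexes Jobaka3 and JumpallsNlsTillt, the win2.log file and a matching running process. Two details are assumptions, because the page does not state them: that the autorun key is HKLM\...\CurrentVersion\Run, and that the log file is written to the root of the system drive.

```powershell
# Added example (not Kaspersky's code): check a Windows host for the
# Sasser.a / Sasser.b artifacts named in the description.
# Run in an elevated PowerShell session.

$findings = @()

# 1. Main component dropped into the Windows directory.
#    avserve.exe -> Sasser.a, avserve2.exe -> Sasser.b
foreach ($name in 'avserve.exe', 'avserve2.exe') {
    $path = Join-Path $env:windir $name
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        $findings += "file present: $path ($($item.Length) bytes)"
    }
}

# 2. Autorun registration. ASSUMPTION: the "autorun key" is the HKLM Run key;
#    the page only says the file is registered in an autorun key.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    $run = Get-ItemProperty -Path $runKey
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Value -is [string] -and $prop.Value -match 'avserve2?\.exe') {
            $findings += "autorun value '$($prop.Name)' = $($prop.Value)"
        }
    }
}

# 3. Unique identifiers (mutexes) created by Sasser.b.
foreach ($mutexName in 'Jobaka3', 'JumpallsNlsTillt') {
    try {
        $m = [System.Threading.Mutex]::OpenExisting($mutexName)
        $m.Dispose()
        $findings += "mutex present: $mutexName (Sasser.b)"
    } catch {
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        if ($ex -is [System.UnauthorizedAccessException]) {
            # The mutex exists but this session may not open it: still evidence.
            $findings += "mutex present (access denied): $mutexName (Sasser.b)"
        }
        # WaitHandleCannotBeOpenedException means the mutex does not exist.
    }
}

# 4. Sasser.b log file. ASSUMPTION: written to the root of the system drive;
#    the page gives only the file name.
$logPath = Join-Path $env:SystemDrive 'win2.log'
if (Test-Path -LiteralPath $logPath) {
    $findings += "log file present: $logPath"
}

# 5. A running process named after the dropped file.
foreach ($p in (Get-Process -Name 'avserve', 'avserve2' -ErrorAction SilentlyContinue)) {
    $findings += "process running: $($p.Name) (PID $($p.Id))"
}

if ($findings.Count -eq 0) {
    'No Sasser.a/.b artifacts found.'
} else {
    'Possible Sasser infection:'
    $findings | ForEach-Object { "  $_" }
}
```

A hit on the mutex names alone is the strongest of these signals, since a file or autorun value can be left behind by a cleaned infection while the mutex only exists while the worm process is running; a file hit without a running process suggests a partial clean-up rather than an active infection.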

Net-Worm

Net-Worms propagate via computer networks. The distinguishing feature of this type of worm is that it does not require user action in order to spread.

This type of worm usually searches for critical vulnerabilities in software running on networked computers. In order to infect the computers on the network, the worm sends a specially crafted network packet (called an exploit) and as a result the worm code (or part of the worm code) penetrates the victim computer and activates. Sometimes the network packet only contains the part of the worm code which will download and run a file containing the main worm module. Some network worms use several exploits simultaneously to spread, thus increasing the speed at which they find victims.


Aliases

Net-Worm.Win32.Sasser.b (Kaspersky Lab) is also known as:

  • Worm.Win32.Sasser.b (Kaspersky Lab)
  • Virus: W32/Sasser.worm.b (McAfee)
  • Mal/HckPk-A (Sophos)
  • Worm.Sasser.C (ClamAV)
  • Heuristic.WinPE-Statistical (Panda)
  • Win32.HLLW.Jobaka (DrWeb)
  • GenPack:Win32.Worm.Sasser.B (BitDef7)
  • Win32:SdBot-gen44 [Trj] (AVAST)
  • Net-Worm.Win32.Sasser.B (Ikarus)
  • I-Worm/Sasser.H (AVG)
  • TR/Crypt.ULPM.Gen (AVIRA)
  • W32.Chir.B@mm (NAV)
  • W32/Smalltroj.NZUX (Norman)
  • Net-Worm.Win32.Sasser.b [AVP] (FSecure)