Net-Worm.Win32.Sasser.d
| Detected | May 13 2004 00:43 GMT |
| Released | May 13 2004 00:43 GMT |
| Published | Apr 12 2005 12:01 GMT |
This network worm spreads via the Internet by exploiting a vulnerability in the Windows LSASS service. You can find more information about the vulnerability in Microsoft Security Bulletin MS04-011. Sasser works in a similar way to Lovesan, although Lovesan exploited a vulnerability in the RPC DCOM service.
The worm infects computers running Windows 2000, Windows XP and Windows Server 2003. It can infect computers running other versions of Windows, but is unable to penetrate these systems via the LSASS vulnerability.
The worm is written in C/C++ in a Visual C++ environment. It is approximately 16KB in size, packed using PECompact2.
Sasser.d differs from Sasser.c in the following ways:
The file which Sasser.d creates is named "lsasss.exe" rather than "skynetave.exe", and the registry value created for this file differs accordingly.
The worm deletes entries from the registry which have been created by versions of Email-worm.Win32.Bagle and Trojan-Proxy.Win32.Mitglieder.
The mutex name is also changed to "SkynetNotice".
Once the worm has been running for two hours, it will cause the following message to be displayed on the screen:
When attacking a remote machine, Sasser.d launches an FTP service on TCP port 1023 and a remote shell on TCP port 1022.
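The indicators above (the "lsasss.exe" image name and listeners on TCP ports 1022 and 1023) can be checked together during host triage. The following is an added example, not part of the original description; it assumes the output of `netstat -ano` and `tasklist /fo csv /nh` has been saved as text, and the sample data is constructed.

```python
import csv
import io

# Indicators taken from the description above.
WORM_IMAGE = "lsasss.exe"  # three "s"; the genuine Windows service is lsass.exe
WORM_PORTS = {1022: "remote shell", 1023: "FTP service"}

# Constructed sample data (not captured from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:1022           0.0.0.0:0              LISTENING       1508
  TCP    0.0.0.0:1023           0.0.0.0:0              LISTENING       1508
  TCP    192.0.2.10:1023        192.0.2.77:3051        ESTABLISHED     1508
  UDP    0.0.0.0:1023           *:*                                    612
"""
SAMPLE_TASKLIST = '''\
"lsass.exe","612","Console","0","1,456 K"
"svchost.exe","884","Console","0","3,812 K"
"lsasss.exe","1508","Console","0","2,104 K"
'''

def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv /nh` output."""
    rows = csv.reader(io.StringIO(text))
    return {int(r[1]): r[0] for r in rows if len(r) >= 2}

def find_sasser_d(netstat_text, tasklist_text):
    """Return (severity, detail) findings for the Sasser.d indicators."""
    procs = parse_tasklist(tasklist_text)
    findings = [("high", f"process {img} running as PID {pid}")
                for pid, img in procs.items() if img.lower() == WORM_IMAGE]
    for line in netstat_text.splitlines():
        f = line.split()
        # Only TCP listeners matter here; header, UDP and connected rows are skipped.
        if len(f) != 5 or f[0] != "TCP" or f[3] != "LISTENING":
            continue
        port = int(f[1].rsplit(":", 1)[1])
        if port in WORM_PORTS:
            pid = int(f[4])
            img = procs.get(pid, "unknown")
            # A listener owned by another image is only a lead, not a verdict.
            sev = "high" if img.lower() == WORM_IMAGE else "review"
            findings.append((sev, f"TCP {port} ({WORM_PORTS[port]}) listening, PID {pid} {img}"))
    return findings

if __name__ == "__main__":
    for severity, detail in find_sasser_d(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print(f"[{severity}] {detail}")
```

A listener on one of these ports that belongs to a different image is reported as "review" rather than "high", since the port numbers alone do not identify the worm.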
Net-Worms propagate via computer networks. The distinguishing feature of this type of worm is that it does not require user action in order to spread.
This type of worm usually searches for critical vulnerabilities in software running on networked computers. In order to infect the computers on the network, the worm sends a specially crafted network packet (called an exploit) and as a result the worm code (or part of the worm code) penetrates the victim computer and activates. Sometimes the network packet only contains the part of the worm code which will download and run a file containing the main worm module. Some network worms use several exploits simultaneously to spread, thus increasing the speed at which they find victims.