is a network worm that spreads by exploiting the Microsoft LSASS vulnerability. It does not spread via e-mail.

There is a patch issued by Microsoft in April, which is able to close this LSASS vulnerability. It can be downloaded from Microsoft Web site (Security Bulletin MS04-011).

When activated, the worm copies itself to the Windows folder under the filename avserve.exe and sets the registry key to run itself on computer start:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avserve = avserve.exe

Win32:Sasser-A starts an FTP server on TCP port 5554. This server is used to spread the worm to other hosts. The worm attempts to connect to randomly-generated IP addresses on TCP port 445. If a connection is made to a computer, the worm sends shellcode to that computer which may cause it to run a remote shell on TCP port 9996. The worm then uses the shell to cause the computer to connect back to the FTP server on port 5554 and retrieve a copy of the worm. This copy will have a name consisting of 4 or 5 digits followed by _up.exe (eg. 12345_up.exe).

The IP addresses generated by the worm are distributed as follows:
50% are completely random
25% have the same first octet as the IP address of the infected host
25% have the same first and second octet as the IP address of the infected host.

The worm starts 128 threads that scan randomly-chosen IP addresses. This demands a lot of CPU time and as a result, the infected computer may be so slow as to be barely usable.

Please note: Applying the system patch mentioned above disables the functionality of virus infecting your computer. It is a very good practice to apply all Microsoft critical patches as soon as possible. The 'Windows Update' feature is a very good tool to do this automatically.

There are several variants of this worm, currently circulating in the wild.

To remove this virus, please use free avast! Virus Cleaner. To prevent repeated infection, it is necessary to apply the referred Microsoft patch!

avast! with VPS file dated on or after 1st May 2004 is able to detect this worm.

Refer: Avast

Copyright © 2004-2004 All rights reserved.
Valid HTML 4.01! Click here to validate current page. Best viewed with ANY browser! Valid CSS! Click here to validate current CSS.