
Win32.Worm.Sasser.{A-C}

MEDIUM
MEDIUM
15 KB
(WORM_SASSER, Win32.HLLW.Jobaka)

Symptoms

  • Presence of the files (%WINDIR% is the Windows directory):
    • %WINDIR%\avserve.exe -- Win32.Worm.Sasser.A
    • %WINDIR%\avserve2.exe -- Win32.Worm.Sasser.B,C
  • Presence of the registry key:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    with the value:
    • "avserve.exe" = "%WINDIR%\avserve.exe" -- Win32.Worm.Sasser.A
    • "avserve2.exe" = "%WINDIR%\avserve2.exe" -- Win32.Worm.Sasser.B,C

Removal instructions:

First you must install the security patch for the exploited vulnerability.
Go to Microsoft's Security Information page for MS04-011:

http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

Download and install the update for your Windows version and reboot.

After the update is installed, let BitDefender delete all files found infected with this worm.

Analyzed By

Mihai Neagu BitDefender Virus Researcher

Technical Description:

The worm installs by exploiting the LSASS vulnerability described in the Microsoft Security Bulletin MS04-011.

It scans pseudo-random IPs on TCP port 445, sending the exploit that causes a remote shell to be spawned on port 9996.

Then it opens an FTP server on the remote computer that listens on port 5554, and sends and executes itself on the remote machine.
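The propagation pattern above (a single host sweeping many addresses on port 445, followed by traffic on 9996 and 5554) is what a network defender can look for. The following detector is an added example, not Bitdefender's code; it assumes a constructed one-connection-per-line log format and an assumed sweep threshold of 20 distinct targets.

```python
"""Flag hosts showing Sasser-style propagation in connection logs.

Added example (not from the Bitdefender write-up). Assumed log format, one
TCP connection per line: "<timestamp> <src_ip> <dst_ip> <dst_port> <proto>".
"""
from collections import defaultdict

SCAN_PORT = 445       # port the worm scans for the LSASS vulnerability (MS04-011)
SHELL_PORT = 9996     # remote shell spawned on the victim by the exploit
FTP_PORT = 5554       # FTP server the worm uses to transfer its own executable
SCAN_THRESHOLD = 20   # assumed: distinct 445 targets per source before calling it a sweep


def parse_line(line):
    ts, src, dst, port, proto = line.split()
    return ts, src, dst, int(port), proto


def detect_sasser(lines, threshold=SCAN_THRESHOLD):
    """Return {scanning_host: {"scan_targets": n, "followups": [(peer, port), ...]}}."""
    targets_445 = defaultdict(set)   # src -> distinct hosts it touched on 445
    followups = defaultdict(set)     # host -> (peer, port) seen on 9996/5554
    for line in lines:
        if not line.strip():
            continue
        _, src, dst, port, proto = parse_line(line)
        if proto != "tcp":
            continue
        if port == SCAN_PORT:
            targets_445[src].add(dst)
        elif port == SHELL_PORT:
            followups[src].add((dst, port))
        elif port == FTP_PORT:
            # The 5554 transfer may be logged in either direction, so attribute
            # it to both endpoints and let the 445 sweep decide which one is the worm.
            followups[src].add((dst, port))
            followups[dst].add((src, port))
    findings = {}
    for src, targets in targets_445.items():
        if len(targets) >= threshold:
            findings[src] = {"scan_targets": len(targets),
                             "followups": sorted(followups.get(src, set()))}
    return findings


# Constructed sample: 10.0.0.5 sweeps 25 addresses on 445, then gets a shell on
# 10.0.1.8 (9996) and serves it the payload over 5554; 10.0.0.9 is a normal client.
SAMPLE_LOG = [f"2004-05-01T10:00:{i:02d} 10.0.0.5 10.0.{i}.{(i * 7) % 250 + 1} 445 tcp"
              for i in range(25)]
SAMPLE_LOG += ["2004-05-01T10:01:00 10.0.0.5 10.0.1.8 9996 tcp",
               "2004-05-01T10:01:01 10.0.1.8 10.0.0.5 5554 tcp",
               "2004-05-01T10:02:00 10.0.0.9 10.0.0.20 445 tcp",
               "2004-05-01T10:02:01 10.0.0.9 10.0.0.21 445 tcp"]

if __name__ == "__main__":
    print(detect_sasser(SAMPLE_LOG))
```

The threshold should be tuned to the environment: file servers and domain controllers legitimately receive many 445 connections, so the point is a single source touching many distinct targets, not a busy destination.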

Once executed, the worm drops a file in the Windows directory (%WINDIR%):

  • %WINDIR%\avserve.exe -- Win32.Worm.Sasser.A
  • %WINDIR%\avserve2.exe -- Win32.Worm.Sasser.B,C

and creates the registry key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
with the value:
  • "avserve.exe" = "%WINDIR%\avserve.exe" -- Win32.Worm.Sasser.A
  • "avserve2.exe" = "%WINDIR%\avserve2.exe" -- Win32.Worm.Sasser.B,C