Symptoms
- Presence of the files: (%WINDIR% is the Windows directory)
%WINDIR%\avserve.exe -- Win32.Worm.Sasser.A
%WINDIR%\avserve2.exe -- Win32.Worm.Sasser.B,C
- Presence of the registry keys:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
with the value:
"avserve.exe" = "%WINDIR%\avserve.exe" -- Win32.Worm.Sasser.A
"avserve2.exe" = "%WINDIR%\avserve2.exe" -- Win32.Worm.Sasser.B,C
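The following PowerShell check is an added example, not part of the BitDefender write-up: it reads the two indicators listed above (the dropped file in %WINDIR% and the matching Run value) for each variant, plus the two ports named in the technical description, and reports what it finds without removing anything. It assumes a host that has PowerShell and the NetTCPIP module (Windows 8 / Server 2012 or later); on the Windows 2000/XP systems Sasser actually targeted, the equivalent checks are `dir %WINDIR%\avserve*.exe`, `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` and `netstat -ano`.

```powershell
# Added example (not the BitDefender analysis): look for the Sasser.A/B/C
# host indicators listed in the Symptoms section. Read-only.
$windir = $env:WINDIR
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# Dropped file and Run value per variant, exactly as listed above.
$indicators = @(
    @{ Variant = 'Win32.Worm.Sasser.A';   File = 'avserve.exe';  RunValue = 'avserve.exe'  },
    @{ Variant = 'Win32.Worm.Sasser.B,C'; File = 'avserve2.exe'; RunValue = 'avserve2.exe' }
)

# @( ) forces an array so that += below works even with zero or one hit.
$findings = @(foreach ($i in $indicators) {
    $path = Join-Path $windir $i.File
    if (Test-Path -LiteralPath $path) {
        [pscustomobject]@{ Variant = $i.Variant; Type = 'File'; Detail = $path }
    }
    # Get-ItemProperty returns nothing (no terminating error) when the value is absent.
    $val = Get-ItemProperty -Path $runKey -Name $i.RunValue -ErrorAction SilentlyContinue
    if ($val) {
        $target = $val.($i.RunValue)
        [pscustomobject]@{ Variant = $i.Variant; Type = 'Run value'; Detail = "$($i.RunValue) = $target" }
    }
})

# Ports from the technical description: 5554 (the worm's FTP server) and 9996
# (the shell the exploit spawns). Any program may bind these, so a listener here
# is a lead to inspect, not a verdict on its own.
$ports = 5554, 9996
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $ports -contains $_.LocalPort }
foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    $findings += [pscustomobject]@{
        Variant = 'n/a'
        Type    = 'Listener'
        Detail  = "TCP $($l.LocalPort) owned by PID $($l.OwningProcess) ($($proc.ProcessName))"
    }
}

if ($findings.Count -eq 0) {
    'No Sasser indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated prompt so the HKLM read and the process lookup succeed; a file or Run value hit is specific to this worm, whereas a listener hit only tells you which process to look at next.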
Removal instructions:
First you must install the security patch for the exploited vulnerability.
Go to Microsoft's Security Information page for MS04-011:
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
Download and install the update for your Windows version and reboot.
After the update is installed, let BitDefender delete all files found infected with this worm.
Analyzed by: Mihai Neagu, BitDefender Virus Researcher
Technical Description:
The worm installs by exploiting the LSASS vulnerability described in the
Microsoft Security Bulletin MS04-011.
It scans pseudo-random IP addresses on TCP port 445 and sends an exploit that causes a remote shell to be spawned on TCP port 9996 of the target.
The worm runs an FTP server on TCP port 5554 on the already-infected host; through the remote shell it instructs the target to download a copy of the worm from that FTP server and execute it.
Once executed, the worm drops a file in the Windows directory (%WINDIR%):
- %WINDIR%\avserve.exe -- Win32.Worm.Sasser.A
- %WINDIR%\avserve2.exe -- Win32.Worm.Sasser.B,C
and creates the registry key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with the value:
- "avserve.exe" = "%WINDIR%\avserve.exe" -- Win32.Worm.Sasser.A
- "avserve2.exe" = "%WINDIR%\avserve2.exe" -- Win32.Worm.Sasser.B,C