BitDefender Antivirus

Win32.Worm.Sasser.{A-C}

(aliases: WORM_SASSER, Win32.HLLW.Jobaka)
Spreading: medium
Damage: medium
Size: 15 KB
Discovered: 2004 May 01

SYMPTOMS:

  • Presence of the files (%WINDIR% is the Windows directory):
    %WINDIR%\avserve.exe -- Win32.Worm.Sasser.A
    %WINDIR%\avserve2.exe -- Win32.Worm.Sasser.B,C
  • Presence of the registry key:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    with the value:
    "avserve.exe" = "%WINDIR%\avserve.exe" -- Win32.Worm.Sasser.A
    "avserve2.exe" = "%WINDIR%\avserve2.exe" -- Win32.Worm.Sasser.B,C

TECHNICAL DESCRIPTION:

The worm installs by exploiting the LSASS vulnerability described in the Microsoft Security Bulletin MS04-011.

It scans pseudo-random IP addresses on TCP port 445, sending the exploit, which causes a remote shell to be spawned on port 9996.

Then it opens an FTP server on the remote computer that listens on port 5554, and sends and executes itself on the remote machine.
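As an added illustration of the spreading pattern described above (example code, not BitDefender's), this Python snippet flags hosts in a constructed connection log that fan out to port 445 and then touch the 9996 shell port or the 5554 FTP port; the log format, sample lines and threshold are assumptions.

```python
"""Flag Sasser-style activity in a connection log: a source is suspect when it
reaches TCP 445 on several distinct destinations and is also involved in a
flow on the exploit's shell port (9996) or the worm's FTP port (5554)."""
from collections import defaultdict
import re

# Constructed sample lines in an assumed format: "<time> <src> -> <dst>:<dport>"
SAMPLE_LOG = """\
10:00:01 10.0.0.5 -> 10.0.1.1:445
10:00:01 10.0.0.5 -> 10.0.1.2:445
10:00:02 10.0.0.5 -> 10.0.1.3:445
10:00:02 10.0.0.5 -> 10.0.1.4:445
10:00:03 10.0.0.5 -> 10.0.1.4:9996
10:00:04 10.0.1.4 -> 10.0.0.5:5554
10:00:05 10.0.0.9 -> 10.0.2.1:445
10:00:06 10.0.0.9 -> 10.0.2.1:445
"""

LINE_RE = re.compile(r"^\S+ (\S+) -> (\S+):(\d+)$")
SCAN_PORT = 445     # LSASS exploit target (MS04-011)
SHELL_PORT = 9996   # remote shell spawned by the exploit
FTP_PORT = 5554     # FTP server used to transfer the worm binary

def parse(log):
    """Return (src, dst, dport) tuples, skipping lines that do not match."""
    flows = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            src, dst, port = m.groups()
            flows.append((src, dst, int(port)))
    return flows

def sasser_suspects(log, min_targets=3):
    """Sources with 445 fan-out to >= min_targets hosts plus a 9996 or 5554 flow."""
    targets_445 = defaultdict(set)   # src -> distinct hosts contacted on 445
    followup = set()                 # hosts seen on either end of 9996/5554 flows
    for src, dst, port in parse(log):
        if port == SCAN_PORT:
            targets_445[src].add(dst)
        elif port in (SHELL_PORT, FTP_PORT):
            followup.update((src, dst))  # direction-agnostic: both ends are of interest
    return sorted(src for src, hosts in targets_445.items()
                  if len(hosts) >= min_targets and src in followup)
```

In the sample, 10.0.0.5 is flagged (four 445 targets plus 9996/5554 traffic) while 10.0.0.9, which only retried one host, is not.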

Once executed, the worm drops a file in the Windows directory (%WINDIR%):

  • %WINDIR%\avserve.exe -- Win32.Worm.Sasser.A
  • %WINDIR%\avserve2.exe -- Win32.Worm.Sasser.B,C

and creates the registry key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
with the value:
  • "avserve.exe" = "%WINDIR%\avserve.exe" -- Win32.Worm.Sasser.A
  • "avserve2.exe" = "%WINDIR%\avserve2.exe" -- Win32.Worm.Sasser.B,C

Removal instructions:

First you must install the security patch for the exploited vulnerability.
Go to Microsoft's Security Information page for MS04-011:

http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

Download and install the update for your Windows version and reboot.

After the update is installed, let BitDefender delete all files found infected with this worm.

ANALYZED BY:

Mihai Neagu, BitDefender Virus Researcher