Sasser attempts to exploit the LSASS vulnerability. The worm spreads by scanning randomly chosen IP addresses for vulnerable systems, and it can attack Windows 2000, XP and Server 2003 systems. It creates an FTP server on your computer on TCP port 5554 and uses that server to spread itself to other computers. It also degrades your computer’s performance.
Quick Fix: If you suspect that your computer has the "Sasser" worm, download the following 2 files and run them on your computer. It may be a good idea to put your computer in "Safe Mode" before running them.
- Sasser (AE) Worm Removal Tool - 112 KB Download
So what does Sasser do?
Microsoft Windows LSASS Buffer Overrun Vulnerability/W32.Sasser.B.Worm Background
The Microsoft Windows LSASS Buffer Overrun Vulnerability was originally announced on April 13, 2004 in Microsoft Security Bulletin MS04-011. A buffer overflow vulnerability exists in the LSASS service that could allow remote code execution on an affected system. LSASS provides an interface for managing local security, domain authentication, and Active Directory processes.
If the system was compromised, an attacker could gain complete control of the machine and perform actions on it with the rights of a user or administrator, such as erasing files or stealing information. Exploitation may occur over TCP ports 135, 139, 445, 593 and ports greater than 1024, as well as UDP ports 135, 137, 138 and 445.
Here is how the Sasser worm works:
- Port 445: machines already running the Sasser code probe random or semi-random IP addresses over this port to seek out vulnerable machines (unpatched Windows 2000, 2003 Server, and XP hosts). If a target is found, packets sent over Port 445 carry the LSASS exploit (outlined in Microsoft’s security bulletin 04-011) which then opens Port 9996;
- Port 9996: if the exploit has worked, this port provides access to a command shell, in which the worm executes code to open an FTP session using Port 5554;
- Port 5554: the FTP session opened on this port carries the bulk of the worm’s EXE.
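The three-port chain above (probe on 445, shell on 9996, FTP fetch from 5554) is a usable detection signature from the defender's side. The following script is an added example, not code from the original page or from any vendor tool: it parses constructed connection-log lines (timestamp, source, destination, destination port, protocol; not a real capture), then flags any host that fans out across many destinations on tcp/445 or that completes the full chain against a single target, including the target's call-back to the infected host's tcp/5554. The log format, the `scan_threshold` value and the sample addresses are assumptions made for the example; the ports come from the text.

```python
import re
from collections import defaultdict

# Ports from the page's description of the Sasser propagation chain.
SCAN_PORT = 445    # LSASS exploit delivered to the target over this port
SHELL_PORT = 9996  # command shell the exploit opens on the target
FTP_PORT = 5554    # FTP server on the infected host that serves the worm's EXE

# Constructed sample connection records (not a real capture).
# Format assumed for this example: timestamp src_ip dst_ip dst_port proto
SAMPLE_LOG = """
2004-05-01T10:00:01 10.0.0.7 10.0.1.1 445 tcp
2004-05-01T10:00:01 10.0.0.7 10.0.1.2 445 tcp
2004-05-01T10:00:02 10.0.0.7 10.0.1.3 445 tcp
2004-05-01T10:00:02 10.0.0.7 10.0.1.4 445 tcp
2004-05-01T10:00:03 10.0.0.7 10.0.1.5 445 tcp
2004-05-01T10:00:03 10.0.0.7 10.0.1.6 445 tcp
2004-05-01T10:00:04 10.0.0.7 10.0.1.7 445 tcp
2004-05-01T10:00:04 10.0.0.7 10.0.1.8 445 tcp
2004-05-01T10:00:05 10.0.0.7 10.0.1.9 445 tcp
2004-05-01T10:00:05 10.0.0.7 10.0.1.10 445 tcp
2004-05-01T10:00:06 10.0.0.7 10.0.1.5 9996 tcp
2004-05-01T10:00:07 10.0.1.5 10.0.0.7 5554 tcp
2004-05-01T10:00:08 10.0.0.20 10.0.1.50 445 tcp
2004-05-01T10:00:09 10.0.0.20 10.0.1.50 137 udp
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(tcp|udp)$")


def parse_log(text):
    """Turn the text log into (timestamp, src, dst, port, proto) tuples,
    skipping blank, comment and malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, dst, port, proto = m.groups()
        records.append((ts, src, dst, int(port), proto))
    return records


def find_sasser_like_hosts(records, scan_threshold=8):
    """Flag source hosts whose TCP traffic matches the Sasser pattern:
    fan-out probing of tcp/445 and/or the full 445 -> 9996 -> 5554 chain
    against one target. Returns {src_ip: [reason, ...]}."""
    scan = defaultdict(set)    # src -> targets it contacted on tcp/445
    shell = defaultdict(set)   # src -> targets it contacted on tcp/9996
    ftp_in = defaultdict(set)  # host -> peers that connected to its tcp/5554
    for _ts, src, dst, port, proto in records:
        if proto != "tcp":
            continue
        if port == SCAN_PORT:
            scan[src].add(dst)
        elif port == SHELL_PORT:
            shell[src].add(dst)
        elif port == FTP_PORT:
            ftp_in[dst].add(src)

    findings = {}
    for host in sorted(set(scan) | set(shell) | set(ftp_in)):
        reasons = []
        if len(scan[host]) >= scan_threshold:
            reasons.append(f"probed {len(scan[host])} distinct hosts on tcp/{SCAN_PORT}")
        # Full chain: host hit the target on 445, then on 9996, and the target
        # then connected back to the host's 5554 to fetch the worm body.
        chained = scan[host] & shell[host] & ftp_in[host]
        if chained:
            reasons.append(f"445->9996->5554 chain with {', '.join(sorted(chained))}")
        elif scan[host] & shell[host]:
            reasons.append("445 probe followed by tcp/9996 shell connection (no FTP call-back seen)")
        if reasons:
            findings[host] = reasons
    return findings


def analyze_sample(scan_threshold=8):
    """Run the detector over the constructed sample log."""
    return find_sasser_like_hosts(parse_log(SAMPLE_LOG), scan_threshold)


if __name__ == "__main__":
    for host, reasons in analyze_sample().items():
        print(host)
        for reason in reasons:
            print("  -", reason)
```

The benign host 10.0.0.20 touches a single file server on 445 and is not reported; 10.0.0.7 is reported twice over, once for the fan-out and once for the complete chain against 10.0.1.5. Raising `scan_threshold` suppresses the fan-out reason but the chain match still fires, which is the more specific of the two signals.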
There is additional malicious activity in the form of variants of a worm known as "Agobot" (or "Agrobot"), which similarly seeks to exploit systems not protected by a firewall. Once a target machine is infected, it starts 128 propagation threads.
What does Sasser do to the computer:
The most noticeable impact on an end user is probably to have machines crashing and rebooting because of the disruption to the LSASS process. It doesn’t render the network unavailable; it doesn’t delete files on the hard drive; nor does it initiate a mass-mailing attack.
Removal of the Sasser Worm:
Microsoft posted their Sasser (A-F) Worm Removal Tool (KB841720)
Sasser Worm in the news:
The Sasser worm dominated virus charts for May 2004, accounting for more than half the inbox infections reported during the month. June 2004, ZDNet, Australia
Five more persons are under investigation in Germany on suspicion of releasing the predecessor to the Sasser computer virus onto the Internet. Sven J. was remanded in custody along with members of another group of computer hackers - May 2004, Frankfurt, Germany.
The authors of Sasser must also be treated as particularly dangerous criminals, as evidence suggests that they also created the Netsky worms, and who knows how many other viruses, but letting viruses loose is a crime that should be investigated. It was said that they were behind all 28 variations of the Netsky virus that continues to be sent out in millions of infected emails each month. - May 2004, GLENDALE, California, USA.
SASSER virus reappears despite arrest! The appearance of the Sasser.E worm comes just after the announcement of the arrest of the alleged creator of the virus. Sven J. (alleged creator of SASSER) must have brought his notebook computer with integrated GPRS modem along with him to his prison cell! May 2004, Frankfurt, Germany.
SASSER Creator (Sven J.) Napped - Police and prosecutors on Friday searched his parents’ house in the northern town of Waffensen, (a small town in the Lower Saxony region in Germany). CIA and FBI also were involved in the hunt. - May 2004, Berlin, Germany.
SASSER virus worms its way into St. Luke's Hospital. The doctors in the A&E (ER) Department were asked to heal them - May 2004, Houston, TX, USA.
SASSER web virus affects millions. Windows PC users around the world have been infected by the Sasser virus since it appeared on 1 May - May 2004, London, England, UK.
The pesky SASSER computer worm snarled hundreds of thousands of machines worldwide Monday in the latest virus-like outbreak to take advantage of a known flaw - May 2004, Sherwood, OR, USA.
SASSER VIRUS and hackers play havoc with Taiwan’s computer systems. A new computer virus named "sasser" has disrupted 1,600 of the Chunghwa Post Co’s computers, and paralyzed postal account transfer operations on the first of May (Labour Day); Labor Day is a national holiday here in Taipei - May 2004, Taipei, Taiwan, China.
BUSINESS and banks hit hard by the SASSER virus. ALMOST 80 Westpac bank branches and hundreds of other Australian businesses fell victim to the fast-spreading Sasser computer virus yesterday amid warnings - May 2004, ACT, Australia.
UK COASTGUARD stations fall victim to computer virus. The Sasser Virus hit computers at Clyde Coastguard around 10am this morning, knocking out e-mail and more importantly the coastguard’s electronic mapping system - May 2004, Glasgow, Scotland, UK.
NEW computer virus strikes hard. The SASSER computer worm snarled hundreds of thousands of machines worldwide Monday including the computer lab at Utica College - May 2004, Utica, NY, USA.
NO immunity to virus for this one - STAFF at the region’s 15 Westpac branches have reverted to manual transactions in the wake of the bank’s nation-wide Sasser virus infection - May 2004, Tamworth, New South Wales, Australia.
SMALL businesses left vulnerable to virus attacks, as the new Sasser virus does the rounds, research shows almost two-thirds of the country’s small businesses have been the victim of a malicious online attack - May 2004, Auckland, New Zealand.
Alt Keywords: WORM_SASSER.B [Trend], W32/Sasser.worm.b [McAfee], Worm.Win32.Sasser.b [Kaspersky], W32/Sasser-B [Sophos], Win32.Sasser.B [Computer Associates], Sasser.B [F-Secure], W32/Sasser.B.worm [Panda], Win32/Sasser.B.worm [RAV], W32/Sasser.B [F-Prot].
Related Sasser News:
Updated On: 15.02.19