Lumension® Endpoint Intelligence Center


Overview

Threat Risk MEDIUM
Destructivity LOW
Payload Sets up backdoors on infected computers; may cause system instability.
Detection files published 30 Apr 2004 03:00:00
Description created 01 May 2004 01:40:00
Description updated 04 May 2004 10:40:00
Malware type WORM
Alias
Spreading mechanism NETWORK
Summary None

W32/Sasser.A

Spreading

This worm spreads by connecting to other computers and attempting to exploit the security vulnerability detailed in the MS04-011 security bulletin. The attack comes in on port 445/tcp and, if the computer is vulnerable, causes a buffer overrun in LSASS.EXE. This in turn gives the worm the opportunity to set up a remote shell on the attacked computer. Using this remote shell, the attacked computer is instructed to fetch the worm file from the infected computer via FTP and execute it.
When executed, the worm copies itself to the Windows directory using the name AVSERVE.EXE. A number of other files may also be created as part of the infection process.
Registry keys created by the worm:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run avserve.exe = %WINDIR%\avserve.exe

Payload Details

As part of the infection process, the worm sets up backdoors on infected computers.
- a remote shell on port 9996/tcp
- an FTP server on port 5554/tcp
These can be used by an attacker to gain access to infected computers.
Attacked systems may also be unstable because of the overflow attack against LSASS.EXE.
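A host-side check for the indicators this write-up lists (the two backdoor listeners and the Run-key entry), added here as an example and not part of the original Lumension page. The netstat text and Run-key values are constructed samples; the check assumes output in the `netstat -an` column layout and a Run key exported as name/data pairs.

```python
import re

# Indicators taken from the W32/Sasser.A description above.
BACKDOOR_PORTS = {9996: "remote shell", 5554: "FTP server"}
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
DROPPED_FILE = "avserve.exe"

# Constructed sample of "netstat -an" output from a hypothetical host (not a real capture).
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5554           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9996           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1042        198.51.100.7:445       SYN_SENT
"""

# Constructed sample of the Run key's values as {value name: data}.
SAMPLE_RUN_VALUES = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "avserve.exe": r"C:\WINDOWS\avserve.exe",
}

# Matches a TCP socket in LISTENING state and captures its local port.
_LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$")


def listening_ports(netstat_text):
    """Return the set of local TCP ports reported as LISTENING."""
    ports = set()
    for line in netstat_text.splitlines():
        m = _LISTEN_RE.match(line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def sasser_findings(netstat_text, run_values):
    """Return a list of findings; an empty list means no Sasser.A indicator was seen."""
    findings = []
    # Backdoor listeners: 5554/tcp (FTP server) and 9996/tcp (remote shell).
    for port in sorted(listening_ports(netstat_text) & set(BACKDOOR_PORTS)):
        findings.append("TCP/%d listening (%s backdoor)" % (port, BACKDOOR_PORTS[port]))
    # Persistence: a Run value named avserve.exe or pointing at avserve.exe.
    for name, data in run_values.items():
        if name.lower() == DROPPED_FILE or DROPPED_FILE in data.lower():
            findings.append(RUN_KEY + "\\" + name + " = " + data)
    return findings
```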

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:10