Lumension® Endpoint Intelligence Center


Overview

Threat Risk LOW
Destructivity LOW
Payload Sets up backdoors on infected computers; may cause increased network traffic, may cause system instability.
Detection files published 02 May 2004 03:00:00
Description created 03 May 2004 03:14:00
Description updated 03 May 2004 03:14:00
Malware type WORM
Alias
Spreading mechanism NETWORK
Summary None

W32/Sasser.D

Spreading

This worm spreads by connecting to other computers and attempting to exploit the security vulnerability detailed in Microsoft security bulletin MS04-011. It first pings the host; if the ping reveals a machine to be present, an attack is attempted. The attack comes in on port 445/tcp and, if the computer is vulnerable, causes a buffer overrun in LSASS.EXE. This in turn gives the worm the opportunity to set up a remote shell on the attacked computer. Using this remote shell, the attacked computer is instructed to fetch the worm file from the infecting computer via FTP and execute it.

When executed, the worm copies itself to the Windows directory using the name SKYNETAVE.EXE. A number of other files may also be created as part of the infection process.

Registry keys created by the worm:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
skynetave.exe = %WINDIR%\skynetave.exe

Due to bugs, the worm will not spread properly under Windows 2000.

Payload Details

As part of the infection process, the worm sets up backdoors on infected computers:
- a remote shell on port 9995/tcp
- an FTP server on port 5554/tcp
These can be used by an attacker to gain access to infected computers.
Attacked systems may also be unstable because of the overflow attack against LSASS.EXE.
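The propagation chain and backdoor ports described above give a network-side detection pattern: a connection to 445/tcp from host A to host B, followed shortly by B connecting back to A on 5554/tcp (the worm's FTP fetch), marks B as a fresh victim and A as an infected source; any connection to 9995/tcp is use of the remote-shell backdoor. The following is an added example written for this page, not code from Lumension or from the original description; it assumes a constructed flow-log format of the form "timestamp src:port -> dst:port" and uses sample flows made up for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample flow log (not from the original page): "timestamp src:port -> dst:port"
SAMPLE_FLOWS = """\
2004-05-02T03:10:01 10.0.0.5:1031 -> 10.0.0.9:445
2004-05-02T03:10:04 10.0.0.9:1044 -> 10.0.0.5:5554
2004-05-02T03:11:00 10.0.0.7:1050 -> 10.0.0.12:445
2004-05-02T03:11:30 10.0.0.3:1062 -> 10.0.0.100:445
2004-05-02T03:12:00 10.0.0.30:2010 -> 10.0.0.9:9995
2004-05-02T03:40:00 10.0.0.12:1070 -> 10.0.0.7:5554
""".splitlines()

FLOW_RE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+)$")

def parse_flow(line):
    """Return (timestamp, src_ip, dst_ip, dst_port) or None for an unparseable line."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))

def detect_sasser_d(lines, window_s=300):
    """Correlate 445/tcp attacks with the 5554/tcp worm fetch and flag 9995/tcp shell use.

    Returns a list of findings: ("worm-fetch", attacker_ip, victim_ip) when the
    victim fetched the worm from the attacker within window_s seconds of the
    445/tcp connection, and ("backdoor-shell", client_ip, backdoored_ip) for
    any connection to the remote shell port.
    """
    flows = sorted((f for f in map(parse_flow, lines) if f), key=lambda f: f[0])
    attacks = defaultdict(list)   # (attacker, victim) -> timestamps of 445/tcp connections
    findings = []
    for ts, src, dst, dport in flows:
        if dport == 445:
            attacks[(src, dst)].append(ts)
        elif dport == 5554:
            # The victim (src) connects back to the attacker's FTP server (dst).
            for t in attacks.get((dst, src), []):
                if 0 <= (ts - t).total_seconds() <= window_s:
                    findings.append(("worm-fetch", dst, src))
                    break
        elif dport == 9995:
            findings.append(("backdoor-shell", src, dst))
    return findings

if __name__ == "__main__":
    for finding in detect_sasser_d(SAMPLE_FLOWS):
        print(*finding)
```

A plain 445/tcp connection alone (normal SMB traffic, or the out-of-window pair in the sample) is deliberately not flagged; only the fetch-back within the window identifies the worm.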

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:14