Threat Encyclopedia


Win32/Sasser.A

Win32/Sasser.A is an internet worm that exploits a vulnerability in Microsoft Windows systems. Its file is approximately 15 kB in size.

Note: in the following section, the symbolic name %windir% is used in place of the name of the Windows system directory, which differs from version to version.

Upon execution, the worm copies itself to the %windir% folder as "avserve.exe". It then sets the Registry entry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\avserve.exe, whose value contains the path to the worm's executable; this ensures that Win32/Sasser is run every time the operating system starts. The worm creates a mutex object named "Jobaka3l"; if the mutex already exists, the program terminates, so only one instance of the worm can be active on the system.

A simple FTP server is launched on TCP port 5554. It is used for further spreading and serves only the Win32/Sasser.A executable.

The worm then scans for vulnerable machines running Microsoft Windows. It tries to exploit the CAN-2003-0553 vulnerability by connecting to port 445. If it succeeds, it makes the remote machine download the worm by FTP. The file is saved in the %windir% folder as xxxxx_up.exe, where xxxxx is a random number.

Win32/Sasser.B
Win32/Sasser.C

Win32/Sasser.B and Win32/Sasser.C are minor modifications of the A variant. The algorithm that scans for vulnerable machines was changed so that the worm spreads more aggressively. The filename changed to avserve2.exe, and some other strings differ as well.
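The host indicators named above (the Run value, the dropped files in %windir%, the "Jobaka3l" mutex and the FTP listener on TCP 5554) lend themselves to a simple triage check. The script below is an added example; it is not part of this page and not NOD32's code. The snapshot dictionary layout and the two sample hosts are constructed assumptions, and the check goes slightly beyond the text by covering both the A variant's avserve.exe and the B/C variants' avserve2.exe in one pass.

```python
import re

# Host artifacts named in the Sasser description above. The snapshot dict
# layout (run_values, windir_files, mutexes, listening_tcp) is an assumption
# made for this example; on a real host you would fill it from the Run key,
# a directory listing of %windir%, the mutex table and netstat output.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WORM_FILENAMES = {"avserve.exe", "avserve2.exe"}   # variant A / variants B and C
MUTEX_NAME = "Jobaka3l"                            # single-instance mutex of variant A
FTP_PORT = 5554                                    # worm's FTP server
UPLOAD_PATTERN = re.compile(r"^\d+_up\.exe$", re.IGNORECASE)  # xxxxx_up.exe


def triage(snapshot):
    """Return a list of (category, detail) findings for one host snapshot."""
    findings = []

    # Persistence: a Run value named after the worm file.
    # Registry value names are case-insensitive, hence the lower().
    for value_name, data in snapshot.get("run_values", {}).items():
        if value_name.lower() in WORM_FILENAMES:
            findings.append(("persistence", f"{RUN_KEY}\\{value_name} = {data}"))

    # Dropped files in %windir%: the worm copy itself and the
    # FTP-downloaded xxxxx_up.exe with its random numeric prefix.
    for path in snapshot.get("windir_files", []):
        name = path.rsplit("\\", 1)[-1]
        if name.lower() in WORM_FILENAMES:
            findings.append(("dropped_file", path))
        elif UPLOAD_PATTERN.match(name):
            findings.append(("upload_file", path))

    # Mutex used by variant A to keep a single instance running.
    if MUTEX_NAME in snapshot.get("mutexes", []):
        findings.append(("mutex", MUTEX_NAME))

    # FTP server used for spreading. A listener on 5554 alone is weak
    # evidence, so it is reported but does not by itself mark the host.
    if FTP_PORT in snapshot.get("listening_tcp", []):
        findings.append(("ftp_listener", f"tcp/{FTP_PORT}"))

    return findings


def is_sasser_suspect(snapshot):
    """True when at least one registry, file or mutex indicator is present."""
    strong = {"persistence", "dropped_file", "upload_file", "mutex"}
    return any(category in strong for category, _ in triage(snapshot))


# Constructed sample snapshots (not real host data).
INFECTED_HOST = {
    "run_values": {
        "avserve.exe": r"C:\WINDOWS\avserve.exe",
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    },
    "windir_files": [
        r"C:\WINDOWS\avserve.exe",
        r"C:\WINDOWS\12345_up.exe",
        r"C:\WINDOWS\explorer.exe",
    ],
    "mutexes": ["Jobaka3l", "SomeOtherMutex"],
    "listening_tcp": [135, 445, 5554],
}

CLEAN_HOST = {
    "run_values": {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
    "windir_files": [r"C:\WINDOWS\explorer.exe", r"C:\WINDOWS\notepad.exe"],
    "mutexes": ["SomeOtherMutex"],
    "listening_tcp": [135, 445, 5554],   # 5554 open for an unrelated reason
}

if __name__ == "__main__":
    for label, snap in (("infected", INFECTED_HOST), ("clean", CLEAN_HOST)):
        print(f"{label}: suspect={is_sasser_suspect(snap)}")
        for category, detail in triage(snap):
            print(f"  {category}: {detail}")
```

The clean sample host deliberately has TCP 5554 open so that the port check alone does not raise a verdict; only the registry, file and mutex indicators do, which matches how the page describes the worm's footprint on disk and in the Registry.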

Information about the vulnerability and the security patch can be found at the following address: http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx.

To clean an infected computer, carry out the following steps:

  • If you don't have the above-mentioned patch installed yet, install it from http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
  • Make sure the latest version of the NOD32 database is installed
  • Go to Start > Programs > Eset > NOD32
  • In the "Targets" tab, select all available hard disks by double-clicking the appropriate icons
  • Click the "Clean" button
  • When the Win32/Sasser worm is found and an action is offered, click "Delete"
  • Restart the system

NOTE:
Under the Windows XP operating system it can happen that the infected files restore themselves. This problem can occur with various viruses and is described here.

Detection of Win32/Sasser has been included since database version 1.745 (variant A), 1.746 (variant B) and 1.747 (variant C).