| PreviousLovSan - Blaster | The Sasser worm | NextRemoval tools |
Appearing in May 2004, the Sasser virus (also known as the W32/Sasser.worm, W32.Sasser.Worm, Worm.Win32.Sasser.a, Worm.Win32.Sasser.b or Win32.Sasser) is a virus which exploits a security hole in the LSASS (Local Security Authority Subsystem Service, which corresponds to the executable file lsass.exe) in Windows. The appearance of the first virus to exploit the security hole in Windows' LSASS service occurred barely two weeks after the hole was publicised and the first patches for it were released. Windows NT 4.0, 2000, XP and (to a lesser degree) Windows Server 2003 are all affected.
The Sasser virus is programmed to launch 128 processes (1024 for the SasserC variant) which scan a range of random IP addresses looking for systems vulnerable to the LSASS hole on port 445/TCP.
The virus installs an FTP server on port 5554 so that it can be downloaded by other infected computers.
Then, when a vulnerable machine is found, the worm opens a remote shell on the machine (on TCP port 9996), and makes the remote machine download a copy of the worm (named avserve.exe or avserve2.exe for the Sasser.B variant) in the Windows directory.
Once the file has been downloaded, it creates a file named win.log (or win2.log for the Sasser.B variant) in the c:\ directory in order to record how many machines it was able to infect. Then it creates entries in the registry so that it will restart every time the computer is rebooted:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avserve = avserve.exeor
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
avserve.exe -> C:\%WINDIR%\avserve.exe
The virus runs "AbortSystemShutdown" to prevent the user or other viruses from rebooting (and from deactivating it).
Exploiting the LSASS vulnerability causes some malfunctions on affected computers, related to shutting down the LSASS service (process lsass.exe). Vulnerable systems have the following symptoms:
System shutdown initiated by Authority/System
The system process: C:\WINDOWS\system32\lsass.exe
terminated unexpectedly with status code 128.
lsass.exe - application error
To eradicate the Sasser worm, the best method involves first protecting the system by activating the firewall. In Windows XP, go to
Start menu > Settings > Control panel > Network connectionsThen right-click on the Internet connection, and from there click on Properties. Select the tab "Advanced settings", then check the box "Protect my computer and the network by limiting or preventing access to this computer from the Internet," and apply it by clicking OK.
You should then update the system, either by using Windows Update or by downloading and installing whichever patch is right for your operating system:
Finally, you can clean up the system by using the virus removal kit:
Download the virus removal kit
What's more, since the virus spreads using Microsoft Windows networking, it is strongly recommended to install a personal firewall on your machines which are connected to the Internet, and also to filter ports TCP/445, TCP/5554 and TCP/9996.
"net-worm.win32.kido.ir" removal fix Autorun.inf worm removal solution Can't connect with search engine worm Destroy lsas,blaster,keylog worm Download wwdc worm Email-worm.js.gigger italiano Free download anti virus conficker worm / win32 I-worm/generic.clj Kaspersky detected: intrusion.win.mssql.worm.helkern Lsas blaster keylogger worm windows removal Lsass.blaster.keylogger virus same as the sasser worm? Net-worm.win32.kido.ih Solution remove virus worm.generic.dit Task manager disabled by total security worm Worm keyboard "t" "y" Worm lsass.blaster.keylogger Worm world party pc free download Worm.generic.dit