
The Sasser worm

Introduction to the Sasser worm

Appearing at the end of April 2004 and spreading massively during the first days of May, Sasser (also known as W32/Sasser.worm, W32.Sasser.Worm, Worm.Win32.Sasser.a, Worm.Win32.Sasser.b or Win32.Sasser) is a network worm which exploits a buffer overflow in the LSASS service (Local Security Authority Subsystem Service, the executable lsass.exe) in Windows. The hole is the one fixed by Microsoft bulletin MS04-011 (CVE-2003-0533). Sasser was the first worm to exploit it, and it appeared barely two weeks after the hole was publicised and the first patches for it were released. Because it needs no e-mail attachment and no action from the user, any unpatched machine reachable on TCP port 445 can be infected. Windows NT 4.0, 2000, XP and (to a lesser degree) Windows Server 2003 are all affected.

What the worm does

The Sasser worm starts 128 scanning threads (1024 for the Sasser.C variant) which scan ranges of random IP addresses looking for systems vulnerable to the LSASS hole on port 445/TCP. The scanning is aggressive enough to saturate small networks on its own.

The worm also starts an FTP server on TCP port 5554 on the machine it runs on, so that the machines it exploits next can download a copy of it.

When a vulnerable machine is found, the worm sends the exploit to port 445 and opens a remote shell on the victim (on TCP port 9996). Through that shell it instructs the victim to download a copy of the worm (named avserve.exe, or avserve2.exe for the Sasser.B variant) from the attacking machine's FTP server on port 5554 into the Windows directory. The victim then starts the copy and becomes an attacker in turn.

Once it is running, the worm creates a file named win.log (or win2.log for the Sasser.B variant) in the root of C:\ in which it records the machines it has been able to infect. Then it creates an entry in the registry so that it is restarted every time the computer is rebooted:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    avserve.exe = %WINDIR%\avserve.exe
    (avserve2.exe = %WINDIR%\avserve2.exe for the Sasser.B variant)

The worm repeatedly calls the Windows API function AbortSystemShutdown so that the reboot triggered by the LSASS crash (or a shutdown requested by the user or by another worm) does not stop it from running.

Symptoms of infection

The exploit attempt crashes the LSASS process (lsass.exe), whether or not the infection itself succeeds. Because LSASS is a critical system process, Windows then forces a restart after a short countdown. A machine that is being attacked, or that is already infected, shows the following symptoms:

  • Unwanted restarts, announced by a dialog box reading:
    This system is shutting down. This shutdown was initiated by NT AUTHORITY\SYSTEM
    The system process 'C:\WINDOWS\system32\lsass.exe'
    terminated unexpectedly with status code 128.
  • Network traffic on TCP ports 445, 5554 and 9996 (a large number of outgoing connections to port 445 on many different addresses means the machine itself is infected and scanning; a process listening on 5554 or 9996 is the worm's FTP server or remote shell),
  • Sudden termination of 'LSASS.EXE' with an error message saying:
    lsass.exe - application error

While the countdown is running, the pending restart can be cancelled from a command prompt with shutdown -a (Windows XP and 2000), which leaves enough time to disconnect the machine from the network and start the clean-up described below.
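The three ports above are enough to reconstruct the whole propagation sequence described in "What the worm does" from ordinary connection logs: a host sweeping port 445 on many addresses, then a connection from that host to a victim on 9996, then the victim pulling the worm back from the attacker on 5554. The following script is an added example (not a tool from the original article) that does exactly that over constructed flow records; the record format (timestamp, source, destination, destination port, protocol) and the scan threshold of 20 distinct targets are assumptions, not values from the article.

```python
"""Reconstruct Sasser-style infection chains from connection logs.

Added example, not code from the original article. The flow-record
format and the SCAN_THRESHOLD below are assumptions made for this demo.
"""
from collections import defaultdict

SCAN_PORT = 445       # LSASS exploit is delivered over SMB/RPC on 445/TCP
SHELL_PORT = 9996     # remote shell the worm opens on the victim
FTP_PORT = 5554       # FTP server on the attacker that serves avserve.exe
SCAN_THRESHOLD = 20   # distinct 445/TCP targets per source host (assumed)

# Constructed sample log, one record per line: "ts src dst dport proto".
# 10.0.0.5 is infected: it sweeps a /24 on 445, exploits 10.0.0.9, drives
# its shell on 9996, and 10.0.0.9 then fetches the worm over FTP on 5554.
SAMPLE_LOG = "\n".join(
    [f"{1083400000 + i} 10.0.0.5 10.0.1.{i} 445 tcp" for i in range(1, 31)]
    + [
        "1083400100 10.0.0.5 10.0.0.9 445 tcp",   # exploit hits a vulnerable host
        "1083400101 10.0.0.5 10.0.0.9 9996 tcp",  # attacker drives the remote shell
        "1083400102 10.0.0.9 10.0.0.5 5554 tcp",  # victim downloads avserve.exe
        "1083400200 10.0.0.7 10.0.0.9 5554 tcp",  # no preceding shell: not a chain
        "1083400300 10.0.0.9 10.0.2.1 445 tcp",   # the new victim starts sweeping
    ]
)


def parse_flows(text):
    """Parse records into (ts, src, dst, dport, proto) tuples; skip blanks/comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append((int(ts), src, dst, int(dport), proto.lower()))
    return flows


def find_scanners(flows, threshold=SCAN_THRESHOLD):
    """Hosts that contacted at least `threshold` distinct addresses on 445/TCP."""
    targets = defaultdict(set)
    for _ts, src, dst, dport, proto in flows:
        if proto == "tcp" and dport == SCAN_PORT:
            targets[src].add(dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}


def find_infection_chains(flows):
    """(attacker, victim) pairs where attacker -> victim:9996 is followed by
    victim -> attacker:5554, i.e. the shell-then-FTP-download sequence."""
    shells = {}   # (attacker, victim) -> timestamp of first 9996 connection
    chains = []
    for ts, src, dst, dport, proto in sorted(flows):
        if proto != "tcp":
            continue
        if dport == SHELL_PORT:
            shells.setdefault((src, dst), ts)
        elif dport == FTP_PORT and (dst, src) in shells and ts >= shells[(dst, src)]:
            chains.append((dst, src))   # the FTP client is the victim
    return chains


def report(text):
    flows = parse_flows(text)
    return {"scanners": find_scanners(flows), "chains": find_infection_chains(flows)}


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

A lone connection to 5554 is deliberately not reported: only the ordered pair shell-then-download identifies a successful infection, and the downloading host (not the one serving the file) is the newly infected one. The scanner count is the cheaper, earlier signal: it fires on the first wave of 445 connections, before any victim has been exploited.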

Eradicating the worm

To eradicate the Sasser worm, first protect the system so that it cannot be reinfected while you clean it, by activating the firewall (and, ideally, by unplugging the network cable until the patch is installed). In Windows XP before Service Pack 2, this is the Internet Connection Firewall: go to

Start menu > Settings > Control panel > Network connections
Then right-click on the Internet connection and click Properties. Select the "Advanced" tab, check the box "Protect my computer and network by limiting or preventing access to this computer from the Internet", and apply it by clicking OK.

You should then update the system, either by using Windows Update or by downloading and installing the patch from security bulletin MS04-011 for your operating system. Until the patch is installed, the machine will keep crashing and rebooting each time another infected host scans it, even after the worm itself has been removed.

Finally, clean up the system with a dedicated removal tool (a virus removal kit was linked from this page; Microsoft also published its own Sasser removal tool) or by hand: stop the avserve.exe / avserve2.exe process, delete the copy in the Windows directory and the win.log / win2.log file, and remove the Run entry in the registry listed above.

What's more, since the worm spreads over Microsoft Windows networking (SMB/RPC on port 445), it is strongly recommended to install a personal firewall on every machine connected to the Internet, and to filter TCP/445, TCP/5554 and TCP/9996 on the perimeter. Filtering 5554 and 9996 breaks the download step even if an exploit gets through; filtering 445 stops the exploit itself.

Last update on Thursday October 16, 2008 02:43:16 PM.
This document entitled « The Sasser worm » from Kioskea (en.kioskea.net) is made available under the Creative Commons license. You may copy and modify copies of this page under the conditions stipulated by the licence, as long as this note appears clearly.
