Win32/Sasser [Threat Name]

Win32/Sasser.A [Threat Variant Name]

Category worm
Detection created May 01, 2004
Detection database version 745
Short description

Win32/Sasser.A is a worm that spreads by exploiting a vulnerability in Microsoft Windows.

Installation

When executed, the worm copies itself into the %windir% folder using the following name:

  • avserve.exe

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "avserve.exe" = "%windir%\avserve.exe"

Spreading

The worm generates random IP addresses.

It connects to port 445 on the remote machines and tries to exploit the LSASS vulnerability (CAN-2003-0533).

If it succeeds, a copy of the worm is retrieved from the attacking machine using the FTP protocol.

Other information

The worm opens TCP port 5554.


An FTP server is listening there.
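
The spreading behaviour described above leaves a recognisable pattern in network flow logs: one host fans out to many addresses on port 445, and a probed host then connects back to it on TCP port 5554. The following detection sketch is an added example, not part of the original description; the flow record format, sample data, thresholds and the assumption that the FTP retrieval uses port 5554 are all constructed for illustration.

```python
from collections import defaultdict

# Constructed flow records (not real traffic): "epoch_seconds src_ip dst_ip dst_tcp_port"
SAMPLE_FLOWS = """\
1000 10.0.0.5 10.0.3.17 445
1001 10.0.0.5 172.16.9.2 445
1002 10.0.0.5 192.168.44.8 445
1003 10.0.0.5 10.0.0.9 445
1009 10.0.0.9 10.0.0.5 5554
1020 10.0.0.7 10.0.0.2 445
1500 10.0.0.2 10.0.0.7 5554
"""

FANOUT_THRESHOLD = 3   # assumed: distinct port-445 destinations before a host counts as scanning
CALLBACK_WINDOW = 60   # assumed: seconds allowed between the 445 probe and the 5554 callback


def parse_flows(text):
    """Yield (ts, src, dst, dport) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit() or not parts[3].isdigit():
            continue
        yield int(parts[0]), parts[1], parts[2], int(parts[3])


def detect(flows):
    """Return (scanners, infections); infections are (attacker, victim) pairs."""
    probes = {}                 # (attacker, victim) -> time of latest port-445 connection
    fanout = defaultdict(set)   # source host -> distinct port-445 destinations
    infections = []
    for ts, src, dst, dport in sorted(flows):
        if dport == 445:
            probes[(src, dst)] = ts
            fanout[src].add(dst)
        elif dport == 5554:
            # src is fetching from dst; flag it only if dst probed src on 445 shortly before
            probed = probes.get((dst, src))
            if probed is not None and ts - probed <= CALLBACK_WINDOW:
                infections.append((dst, src))
    scanners = sorted(h for h, dsts in fanout.items() if len(dsts) >= FANOUT_THRESHOLD)
    return scanners, infections
```

A host reported as a victim should then be checked for the %windir%\avserve.exe file and the Run entry listed under Installation.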
