W32.Sasser worm and variants is a worm that attempts to exploit the
Microsoft Windows LSASS vulnerability MS04-011.
W32.Sasser worm variants discovered by antivirus vendor:
- W32.Sasser.A worm
- W32.Sasser.B worm
- W32.Sasser.C worm (Updated on 4May 2003)
- W32.Sasser.D worm (Updated on 4May 2003)
The worms spreads by scanning randomly-chosen IP addresses and attempts
to connect to the vulnerable computer on TCP port 445. If it connects
successfully, it sends a specially crafted packet to expliot this vulnerability.
Once the computer is attacked by the worm, the following message boxes
may appear:
The worm uses this to open a remote shell, listening on TCP port 9996
(W32.Sasser.A - C worm) or 9995 (W32.Sasser.D worm). It connects to
this port and uses the shell to create an ftp script called "cmd.ftp"
on the system directory of infected computer. The script instructs the
infected computer to download and execute a copy of the worm via FTP.
The FTP server listens on TCP port 5554 on all infected computers with
the purpose of serving out the worm for other computer that are being
infected. Transactions through the FTP server are logged to 'C:\win.log'.
Windows 95/98/Me and Windows NT/2000/XP/2003
W32/Sasser-A, W32/Sasser-B and W32/Sasser-D can be removed from Windows 95/98/Me and Windows NT/2000/XP/2003 computers automatically with the following Resolve tools.
Windows disinfector
SASSGUI is a disinfector for standalone Windows computers
If you are disinfecting several computers; download it, save it to floppy disk, write-protect the floppy disk and run it from there.
After removing the worm you should install the Microsoft patch MS04-011 or, on single computers, update with all relevant security patches from Windows
update.
Command line disinfector
SASSSFX.EXE is a self-extracting archive containing SASSCLI, a Resolve command line disinfector for use by system administrators on Windows networks. Read the notes enclosed in the self-extractor for details on running this program.
After removing the worm you should install the Microsoft patch MS04-011 or, on single computers, update with all relevant security patches from Windows
update.
Other platforms
To remove W32/Sasser-A, W32/Sasser-B and W32/Sasser-D on other platforms please follow the instructions for removing
worms.
Related Link(s)
For more information, please refer to the following websites.
Information from Computer Associates : variants A,
B,
C,
D
Information from F-Secure : variants A,
B,
C,
D
Information from McAfee : variants A,
B,
C,
D
Information from Norman : variants A
, B
Information from Sophos : variants A,
B,
D
Information from Symantec : variants A
, B,
C,
D
Information from Trend Micro : variants A
, B,
C,
D
For more information, please refer to the following websites.
http://www.hkcert.org
News Contact
Service Hotline: (852) 2998 0808
Fax: (852) 29977800
Email: service@communilink.net