Detection files published: 01 May 2004
Description created: 2004-05-01
Description updated: 2004-05-05
Alias:
Spreading mechanism: Network
Payload: Sets up backdoors on infected computers; may cause system instability.
This is a worm that spreads over network connections (not email) without any user interaction. File size is 15872 bytes.
This worm spreads by connecting to other computers and attempting to use the security vulnerability detailed in the MS 04-011 security bulletin. The attack comes in on port 445/tcp and, if the computer is vulnerable, causes a buffer overrun in LSASS.EXE. This in turn gives the worm the opportunity to set up a remote shell on the attacked computer. Using this remote shell, the attacked computer is then instructed to fetch the worm file from the infected computer via FTP and execute it.
When executed, the worm copies itself to the Windows directory using the name AVSERVE.EXE. A number of other files may also be created as part of the infection process.
Registry keys created by the worm:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run avserve.exe = %WINDIR%\avserve.exe
As part of the infection process, the worm sets up backdoors on infected computers.
- a remote shell on port 9996/tcp
- an FTP server on port 5554/tcp
These can be used by an attacker to gain access to infected computers.
Attacked systems may also be unstable because of the overflow attack against LSASS.EXE.
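An added example, not part of the original description: a check for the indicators listed above (the avserve.exe Run value and listeners on 9996/tcp and 5554/tcp) in the text output of `netstat -an` and `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run`. The sample output is constructed, the function names are hypothetical, and English-language netstat state names are assumed.

```python
import re

# Indicators from the description above.
BACKDOOR_PORTS = {9996: "remote shell", 5554: "FTP server"}
DROPPED = re.compile(r'(^|[\\/])avserve\.exe(\s|"|$)', re.IGNORECASE)
RUN_LINE = re.compile(r"^\s+(?P<name>.+?)\s+REG_\w+\s+(?P<data>.*)$")

# Constructed sample inputs (not captured from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5554           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9996           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1035      192.168.1.77:9996      ESTABLISHED
"""
SAMPLE_RUN_KEY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    avserve.exe    REG_SZ    C:\WINDOWS\avserve.exe
    ExampleTray    REG_SZ    "C:\Program Files\Example\tray.exe" /min
"""

def backdoor_listeners(netstat_text):
    """Return {port: role} for the worm's backdoor ports that this host listens on."""
    found = {}
    for line in netstat_text.splitlines():
        fields = line.split()  # Proto, Local Address, Foreign Address, State
        if len(fields) < 4 or fields[0].upper() != "TCP" or fields[3].upper() != "LISTENING":
            continue  # skips headers, UDP rows and outbound connections
        port = fields[1].rsplit(":", 1)[-1]  # rsplit also copes with [::]:9996
        if port.isdigit() and int(port) in BACKDOOR_PORTS:
            found[int(port)] = BACKDOOR_PORTS[int(port)]
    return found

def suspicious_run_entries(reg_text):
    """Return (value name, data) pairs from the Run key that start avserve.exe."""
    hits = []
    for line in reg_text.splitlines():
        m = RUN_LINE.match(line)
        if m and (DROPPED.search(m.group("name")) or DROPPED.search(m.group("data"))):
            hits.append((m.group("name"), m.group("data").strip()))
    return hits

if __name__ == "__main__":
    print("backdoor listeners:", backdoor_listeners(SAMPLE_NETSTAT))
    print("Run key entries:   ", suspicious_run_entries(SAMPLE_RUN_KEY))
```

Only local ports in the LISTENING state are reported, so the outbound connection to another host's port 9996 in the sample is not counted as a backdoor on this machine.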
Norman's antivirus products are in general able to remove all malicious software that is detected.
Some malware, however, uses techniques that the general product does not remove sufficiently. We have therefore developed the free product Norman Malware Cleaner. Please use the latest version of this program from the link below if your Norman antivirus is unable to clean up the infection.
| Usage | Title | Comment |
|---|---|---|
| Stop the spread of viruses on network shares | | |
| Cleaning of back-up folders on Windows Me and XP | | |