W32.Sasser.F.Worm

W32.Sasser.F.Worm is a variant of W32.Sasser.Worm. This worm attempts to exploit the LSASS vulnerability described in Microsoft Security Bulletin MS04-011. It spreads by scanning randomly selected IP addresses for vulnerable systems.

W32.Sasser.F.Worm differs from W32.Sasser.Worm as follows:

• Uses a different mutex: billgate.
• Uses a different file name: napatch.exe.
• Creates a different value in the registry: "napatch.exe."

---

Notes:

• The MD5 hash value of this worm is 0x9d8d3837ef0dca757231349b5f81f26e.
• Block TCP ports 5554, 9996, and 445 at the perimeter firewall and installs the appropriate Microsoft patch (MS04-011) to prevent the remote exploitation of the vulnerability.

---

W32.Sasser.F.Worm can run on, but not infect, Windows 95/98/Me computers. Although these operating systems cannot be infected, they can still be used to infect the vulnerable systems to which they are able to connect. In this case, the worm will waste a lot of resources so that programs cannot properly run, including our removal tool. (On Windows 95/98/Me computers, the tool should be run in Safe mode.)

Protection

• Initial Rapid Release version May 11, 2004
• Latest Rapid Release version July 19, 2008 revision 019
• Initial Daily Certified version May 11, 2004
• Latest Daily Certified version January 20, 2009 revision 048
• Initial Weekly Certified release date May 12, 2004

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Threat Assessment

Wild

• Wild Level: Low
• Number of Infections: 0 - 49
• Number of Sites: 0 - 2
• Geographical Distribution: Low
• Threat Containment: Easy
• Removal: Moderate

Damage

• Damage Level: Low

Distribution

• Distribution Level: High