1. /
  2. Security Response/
  3. W32.Sasser.B.Worm

W32.Sasser.B.Worm

Risk Level 2: Low

Discovered:
May 1, 2004
Updated:
February 13, 2007 12:22:23 PM
Also Known As:
WORM_SASSER.B [Trend], W32/Sasser.worm.b [McAfee], Worm.Win32.Sasser.b [Kaspersky, W32/Sasser-B [Sophos], Win32.Sasser.B [Computer Assoc, Sasser.B [F-Secure], W32/Sasser.B.worm [Panda], Win32/Sasser.B.worm [RAV], W32/Sasser.B [F-Prot]
Type:
Worm
Systems Affected:
Windows 2000, Windows XP
CVE References:
CAN-2003-0533


W32.Sasser.B.Worm is a variant of W32.Sasser.Worm. It attempts to exploit the LSASS vulnerability described in Microsoft Security Bulletin MS04-011. This worm spreads by scanning randomly selected IP addresses for vulnerable systems.

W32.Sasser.B.Worm differs from W32.Sasser.Worm as follows:
  • Uses a different mutex: Jobaka3.
  • Uses a different file name: avserve2.exe.
  • Has a different MD5.
  • Creates a different value in the registry: "avserve2.exe."


Notes:
  • The MD5 hash value of this worm is 0x1A2C0E6130850F8FD9B9B5309413CD00.
  • Block TCP ports 5554, 9996, and 445 at the perimeter firewall and install the appropriate Microsoft patch (MS04-011) to prevent the remote exploitation of the vulnerability.


W32.Sasser.B.Worm can run on, but not infect, Windows 95/98/Me computers. Although these operating systems cannot be infected, they can still be used to infect the vulnerable systems to which they are able to connect. In this case, the worm will waste a lot of resources so that programs cannot properly run, including our removal tool. (On Windows 95/98/Me computers, the tool should be run in Safe mode.)

Security Response has provided some information to aid network administrators in ongoing efforts to track down W32.Sasser.Worm infected machines on their respective network. Please see the document, "Detecting traffic due to LSASS worms" for additional information.

Antivirus Protection Dates

  • Initial Rapid Release version May 1, 2004
  • Latest Rapid Release version September 28, 2010 revision 054
  • Initial Daily Certified version May 1, 2004
  • Latest Daily Certified version September 28, 2010 revision 036
  • Initial Weekly Certified release date May 1, 2004
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Threat Assessment

Wild

  • Wild Level: Medium
  • Number of Infections: More than 1000
  • Number of Sites: More than 10
  • Geographical Distribution: High
  • Threat Containment: Easy
  • Removal: Moderate

Damage

  • Damage Level: Low

Distribution

  • Distribution Level: High
Writeup By: Heather Shannon

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
Internet Security Threat Report, Volume 17
Symantec DeepSight Screensaver