Discovered: May 2, 2004
Updated: May 3, 2004 8:55:49 PM
Systems Affected: Windows 2000, Windows XP
When W32.Sasser.B.Worm runs, it does the following:
Copies itself as %Windir%\avserve2.exe.
Creates a mutex named "Jobaka3" so that only a single instance is present in memory at any time.
Adds the value "avserve2.exe"="%Windir%\avserve2.exe" to the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
Starts an FTP server on TCP port 5554. This server is used to spread the worm to other hosts.
Attempts to connect to randomly-generated IP addresses on TCP port 445. If a connection is made, the worm sends shellcode to the host which may cause it to run a remote shell on TCP port 9996. The worm then uses the shell to connect back to the FTP server on port 5554 and retrieve a copy of the worm. This copy will have a name consisting of 4 or 5 digits followed by _up.exe (eg 74354_up.exe).
This particular variant spawns 1024 threads for the infection routine, whereas the previous variant, W32.Sasser.B.Worm, only uses 128 threads.
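The behaviour listed above gives a defender three concrete things to check: the Run-key persistence value, the naming pattern of the downloaded copy, and the network sequence (probes on TCP 445, a shell on 9996, a pull from the FTP server on 5554). The following script is an added example that is not part of the original write-up or Symantec's tooling; the connection-log format, the host addresses and the 20-target scan threshold are constructed assumptions.

```python
"""Defender-side indicator checks for the W32.Sasser.B behaviour described above.

Added example, not code from the original write-up. The log line format
('timestamp src dst dport outcome'), the sample addresses and the scan
threshold are constructed for illustration.
"""
import re
from collections import defaultdict

# Indicators taken directly from the write-up
SASSER_B_MUTEX = "Jobaka3"
SASSER_B_RUN_VALUE = ("avserve2.exe", r"%Windir%\avserve2.exe")
FTP_SERVER_PORT = 5554      # worm's FTP server used to hand out copies
REMOTE_SHELL_PORT = 9996    # shell opened on the exploited host
SCAN_TARGET_PORT = 445      # port the worm probes on random addresses

# Downloaded copy: 4 or 5 digits followed by _up.exe (e.g. 74354_up.exe)
UP_EXE_RE = re.compile(r"^\d{4,5}_up\.exe$", re.IGNORECASE)


def is_sasser_download_name(filename):
    """True if a file name matches the NNNNN_up.exe pattern used by the worm."""
    return UP_EXE_RE.match(filename) is not None


def check_run_key(run_values):
    """run_values: dict of value name -> data as read from HKLM\\...\\Run.
    Returns True if the worm's persistence entry is present."""
    name, data = SASSER_B_RUN_VALUE
    return run_values.get(name, "").lower() == data.lower()


def flag_sasser_activity(log_lines, min_scan_targets=20):
    """Correlate connection-log lines into per-host findings.

    A host is flagged when it probes many distinct addresses on 445, when it
    connects out to 9996 (using the shell) or when other hosts pull from its
    port 5554 (it is serving the worm via FTP). Returns {host: [reasons]}.
    """
    scan_targets = defaultdict(set)   # src -> distinct dst probed on 445
    shell_connects = defaultdict(set)  # src -> dst it reached on 9996
    ftp_pulls = defaultdict(set)       # ftp server -> hosts that fetched from 5554
    for line in log_lines:
        _ts, src, dst, dport, outcome = line.split()
        dport = int(dport)
        if dport == SCAN_TARGET_PORT:
            scan_targets[src].add(dst)
        elif dport == REMOTE_SHELL_PORT and outcome == "ESTABLISHED":
            shell_connects[src].add(dst)
        elif dport == FTP_SERVER_PORT and outcome == "ESTABLISHED":
            ftp_pulls[dst].add(src)

    findings = {}
    for host in set(scan_targets) | set(shell_connects) | set(ftp_pulls):
        reasons = []
        if len(scan_targets.get(host, ())) >= min_scan_targets:
            reasons.append(f"probed {len(scan_targets[host])} distinct hosts on 445")
        if shell_connects.get(host):
            reasons.append(f"connected to {len(shell_connects[host])} host(s) on 9996")
        if ftp_pulls.get(host):
            reasons.append(f"served FTP on 5554 to {len(ftp_pulls[host])} host(s)")
        if reasons:
            findings[host] = reasons
    return findings


# Constructed sample log: 10.0.0.5 is the infected host, 10.0.0.7 is a normal
# file-server client. Addresses are made up for this example.
SAMPLE_LOG = [
    f"2004-05-02T10:00:{i:02d} 10.0.0.5 10.{i}.{i * 7 % 256}.{i * 13 % 256} 445 SYN"
    for i in range(1, 31)
]
SAMPLE_LOG += [
    "2004-05-02T10:00:31 10.0.0.5 10.4.28.52 445 ESTABLISHED",   # exploit delivered
    "2004-05-02T10:00:32 10.0.0.5 10.4.28.52 9996 ESTABLISHED",  # shell on victim used
    "2004-05-02T10:00:33 10.4.28.52 10.0.0.5 5554 ESTABLISHED",  # victim fetches copy
    "2004-05-02T10:01:00 10.0.0.7 10.0.0.20 445 ESTABLISHED",    # ordinary SMB traffic
    "2004-05-02T10:01:05 10.0.0.7 10.0.0.21 445 ESTABLISHED",
]


def sample_findings():
    """Run the correlation over the constructed log."""
    return flag_sasser_activity(SAMPLE_LOG)


if __name__ == "__main__":
    for host, reasons in sample_findings().items():
        print(host, "->", "; ".join(reasons))
```

The threshold of 20 distinct 445 targets is a tuning knob: a real deployment would set it from the normal SMB fan-out seen on the segment, and the 9996 and 5554 conditions are far more specific than the scan count alone, so the three reasons together are what make the finding actionable.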