The W32.Sasser.D worm:
- Is a variant of W32.Sasser.Worm.
- Attempts to exploit the LSASS vulnerability described in Microsoft Security Bulletin MS04-011.
- Spreads by scanning randomly selected IP addresses for vulnerable systems.
W32.Sasser.D differs from W32.Sasser.Worm as follows:
- Uses a different mutex: SkynetSasserVersionWithPingFast.
- Uses a different file name: skynetave.exe.
- Has a different file size: 16,384 bytes.
- Has a different MD5.
- Creates a different value in the registry: skynetave.exe.
- Uses a different port for the remote shell: 9995/tcp.
- Exits with an error, before running any code, on some Windows 2000 systems.
- Has an updated routine for finding vulnerable computers. W32.Sasser.D sends an ICMP echo request before attempting to make a connection. This change may prevent the worm from properly executing on Windows 2000 systems.
W32.Sasser.D can only execute on Windows XP systems. The worm can exploit a vulnerable (unpatched) Windows 2000 machine remotely and copy itself to that machine. However, it will exit before running any code. In such cases, this worm will produce the following error:
The procedure entry point IcmpSendEcho could not be located in the dynamic link library iphlpapi.dll.
Notes:
- The MD5 hash value of this worm is 0X03F912899B3D90F9915D72FC9ABB91BE.
- Block TCP ports 5554, 9995, and 445 at the perimeter firewall and install the appropriate Microsoft patch (MS04-011) to prevent the remote exploitation of the vulnerability.
- This threat is written in C++ and is packed with PECompact.
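The scan routine described above (an ICMP echo request, then a connection to 445/tcp, repeated across randomly chosen addresses) and the ports listed in the Notes give a simple correlation check that can be run over perimeter firewall logs. The following is an added example written for this page, not Symantec's code; the log format, the addresses and the threshold of three targets are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample firewall log, one event per line: "<time> <proto> <src> -> <dst>[:<dport>] <info>"
SAMPLE_LOG = """\
10:00:01 ICMP 10.0.0.5 -> 192.0.2.10 echo-request
10:00:01 TCP 10.0.0.5 -> 192.0.2.10:445 SYN
10:00:02 ICMP 10.0.0.5 -> 192.0.2.11 echo-request
10:00:02 TCP 10.0.0.5 -> 192.0.2.11:445 SYN
10:00:03 ICMP 10.0.0.5 -> 192.0.2.12 echo-request
10:00:03 TCP 10.0.0.5 -> 192.0.2.12:445 SYN
10:00:04 TCP 192.0.2.10 -> 10.0.0.5:5554 SYN
10:00:05 TCP 10.0.0.7 -> 192.0.2.20:80 SYN
"""

LSASS_PORT = 445                   # service exploited through the MS04-011 vulnerability
WORM_SERVICE_PORTS = {5554, 9995}  # worm FTP server and the Sasser.D remote shell

def parse_line(line):
    """Split one log line into (proto, src, dst, dport or None, info); None if malformed."""
    parts = line.split()
    if len(parts) != 6 or parts[3] != "->":
        return None
    _time, proto, src, _arrow, dst, info = parts
    port = None
    if ":" in dst:
        dst, port_text = dst.rsplit(":", 1)
        port = int(port_text)
    return proto, src, dst, port, info

def sasser_d_scanners(log_text, min_targets=3):
    """Sources that ping a host and then open 445/tcp to it, across at least min_targets hosts."""
    pinged = defaultdict(set)    # src -> hosts it sent an echo request to
    followed = defaultdict(set)  # src -> pinged hosts it then connected to on 445/tcp
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        proto, src, dst, port, info = rec
        if proto == "ICMP" and info == "echo-request":
            pinged[src].add(dst)
        elif proto == "TCP" and port == LSASS_PORT and dst in pinged[src]:
            followed[src].add(dst)
    return {src: hosts for src, hosts in followed.items() if len(hosts) >= min_targets}

def worm_port_connections(log_text):
    """(src, dst, port) for TCP connections to 5554 or 9995, the ports the Notes say to block."""
    recs = (parse_line(line) for line in log_text.splitlines())
    return [(r[1], r[2], r[3]) for r in recs if r and r[0] == "TCP" and r[3] in WORM_SERVICE_PORTS]
```

A hit from `sasser_d_scanners` marks the scanning host, while `worm_port_connections` shows infected hosts pulling the worm from it over 5554/tcp, which is why both directions belong on the perimeter block list.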