- Discovered: May 3, 2004
- Updated: February 13, 2007 12:22:29 PM
- Also Known As: W32/Sasser-D [Sophos], WORM_SASSER.D [Trend], W32/Sasser.worm.d [McAfee], Win32.Sasser.D [Computer Assoc], Worm.Win32.Sasser.d [Kaspersky]
- Type: Worm
- Systems Affected: Windows 2000, Windows XP
- CVE References: CAN-2003-0533
The W32.Sasser.D worm:
- Is a variant of W32.Sasser.Worm.
- Attempts to exploit the LSASS vulnerability described in Microsoft Security Bulletin MS04-011.
- Spreads by scanning randomly selected IP addresses for vulnerable systems.
W32.Sasser.D differs from W32.Sasser.Worm as follows:
- Uses a different mutex: SkynetSasserVersionWithPingFast.
- Uses a different file name: skynetave.exe.
- Has a different file size: 16,384 bytes.
- Has a different MD5.
- Creates a different value in the registry: "skynetave.exe".
- Uses a different port for the remote shell: 9995/tcp.
- Exits with an error, before running any code, on some Windows 2000 systems.
- Has an updated routine for finding vulnerable computers. W32.Sasser.D sends an ICMP echo request before attempting to make a connection. This change may prevent the worm from properly executing on Windows 2000 systems.
W32.Sasser.D can only execute on Windows XP systems. The worm can exploit a vulnerable (unpatched) Windows 2000 machine remotely and copy itself to that machine. However, it will exit before running any code. In such cases, this worm will produce the following error:
The procedure entry point IcmpSendEcho could not be located in the dynamic link library iphlpapi.dll.
Notes:
- The MD5 hash value of this worm is 0X03F912899B3D90F9915D72FC9ABB91BE.
- Block TCP ports 5554, 9995, and 445 at the perimeter firewall and install the appropriate Microsoft patch (MS04-011) to prevent the remote exploitation of the vulnerability.
- This threat is written in C++ and is packed with PECompact.
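The two network behaviours described above (an ICMP echo request immediately followed by a TCP/445 connection attempt, and traffic on the worm's own ports 5554 and 9995) can be picked out of firewall or flow logs. The following detector is an added example, not part of the original writeup; the log format and the sample lines are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample flow log (not from the writeup):
# "<epoch_seconds> <src_ip> <dst_ip> <proto> <tcp_dport_or_icmp_type>"
SAMPLE_LOG = """\
1083571200 10.0.0.5 10.0.1.17 icmp 8
1083571201 10.0.0.5 10.0.1.17 tcp 445
1083571201 10.0.0.5 172.16.4.9 icmp 8
1083571202 10.0.0.5 172.16.4.9 tcp 445
1083571203 10.0.0.5 192.168.7.33 icmp 8
1083571204 10.0.0.5 192.168.7.33 tcp 445
1083571205 10.0.1.17 10.0.0.5 tcp 5554
1083571206 10.0.0.9 10.0.0.20 tcp 80
1083571207 10.0.0.9 10.0.0.20 icmp 8
"""

# Ports the writeup attributes to the worm itself (445 is handled separately,
# since SMB traffic is normal inside a Windows network).
SASSER_PORTS = {5554: "worm FTP server", 9995: "remote shell"}

def parse(log_text):
    """Parse the constructed log format into (ts, src, dst, proto, num) tuples."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, proto, num = line.split()
            events.append((int(ts), src, dst, proto.lower(), int(num)))
    return events

def find_ping_then_445(events, window=5, min_hosts=3):
    """Return sources that ping at least `min_hosts` distinct hosts and follow
    each echo request with a TCP/445 attempt within `window` seconds."""
    last_ping = {}                      # (src, dst) -> time of last ICMP echo request
    followed = defaultdict(set)         # src -> hosts where ping was followed by 445
    for ts, src, dst, proto, num in events:
        if proto == "icmp" and num == 8:
            last_ping[(src, dst)] = ts
        elif proto == "tcp" and num == 445:
            t = last_ping.get((src, dst))
            if t is not None and 0 <= ts - t <= window:
                followed[src].add(dst)
    return sorted(s for s, hosts in followed.items() if len(hosts) >= min_hosts)

def find_sasser_port_hits(events):
    """Return (src, dst, port, label) for every TCP flow to a worm-specific port."""
    return [(src, dst, p, SASSER_PORTS[p]) for _, src, dst, proto, p in events
            if proto == "tcp" and p in SASSER_PORTS]

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("ping-then-445 scanners:", find_ping_then_445(ev))
    print("worm port hits:", find_sasser_port_hits(ev))
```

In the sample, 10.0.0.5 shows the scan pattern and 10.0.1.17 (a freshly exploited host) connects back to it on 5554 to fetch the worm, which is the traffic the perimeter block in the note above is meant to stop.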
Antivirus Protection Dates
- Initial Rapid Release version May 3, 2004
- Latest Rapid Release version September 28, 2010 revision 054
- Initial Daily Certified version May 3, 2004
- Latest Daily Certified version September 28, 2010 revision 036
- Initial Weekly Certified release date May 3, 2004
Threat Assessment
Wild
- Wild Level: Low
- Number of Infections: 50 - 999
- Number of Sites: More than 10
- Geographical Distribution: Low
- Threat Containment: Easy
- Removal: Moderate
Damage
- Damage Level: Medium
Distribution
- Distribution Level: High
Writeup By: John Canavan