Technorati
Digg
Delicious
Reddit
StumbleUpon
Facebook
Yahoo
Twitter
Faves
Newsvine
- Discovered:
- May 9, 2004
- Updated:
- February 13, 2007 12:22:50 PM
- Type:
- Worm
- Systems Affected:
- Windows 2000, Windows XP
- CVE References:
- CAN-2003-0533
W32.Sasser.E.Worm is a minor variant of W32.Sasser.Worm. It attempts to exploit the LSASS vulnerability, described in Microsoft Security Bulletin MS04-011, and spreads by scanning randomly selected IP addresses for vulnerable systems.
W32.Sasser.E.Worm differs from W32.Sasser.Worm as follows:
- Uses a different mutex: SkynetNotice.
- Uses a different file name: lsasss.exe.
- Creates a different value in the registry: "lsasss.exe"
- Uses different port numbers, used by FTP server and the remote shell: 1023 and 1022.
- After 2 hours of running it displays a message.
- It deletes the values from the registry, which are known to be installed by Trojan.Mitglieder, W32.Beagle.W@mm, and W32.Beagle.X@mm.
- The name of the file retrieved from the FTP server is followed by _update.exe.
- The worm logs data into the file C:\ftplog.txt.
- Has an updated routine for finding vulnerable computers. W32.Sasser.E.Worm sends an ICMP echo request before attempting to make a connection. This change may prevent the worm from properly executing on Windows 2000 systems.
W32.Sasser.E.Worm can run on, but not infect, Windows 95/98/Me computers. Although these operating systems cannot be infected, they can still be used to infect vulnerable computers.
Antivirus Protection Dates
- Initial Rapid Release version May 9, 2004
- Latest Rapid Release version September 28, 2010 revision 054
- Initial Daily Certified version May 9, 2004
- Latest Daily Certified version September 28, 2010 revision 036
- Initial Weekly Certified release date May 9, 2004
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.
Threat Assessment
Wild
- Wild Level: Low
- Number of Infections: 50 - 999
- Number of Sites: More than 10
- Geographical Distribution: Low
- Threat Containment: Easy
- Removal: Moderate
Damage
- Damage Level: Low
Distribution
- Distribution Level: High
Writeup By: Sergei Shevchenko
