W32.Sasser.C.Worm


Discovered: May 02, 2004
Updated: May 03, 2004 8:55:49 PM
Systems Affected: Windows

W32.Sasser.C.Worm is a worm that attempts to exploit the Microsoft Windows LSASS Buffer Overrun Vulnerability (BID 10108). The worm spreads by randomly scanning IP addresses for vulnerable systems. It is a minor variant of W32.Sasser.B.Worm: it spawns 1024 threads in an attempt to spread itself, compared with the 128 threads spawned by W32.Sasser.B.Worm.


When W32.Sasser.C.Worm runs, it does the following:

Copies itself as %Windir%\avserve2.exe.

Creates a mutex named "Jobaka3" so that only a single instance is present in memory at any time.

Adds the value "avserve2.exe"="%Windir%\avserve2.exe" to the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

Starts an FTP server on TCP port 5554. This server is used to spread the worm to other hosts.

Attempts to connect to randomly generated IP addresses on TCP port 445. If a connection is made, the worm sends its exploit shellcode to the host; on a vulnerable system this may cause the host to run a remote shell on TCP port 9996. The worm then uses that shell to make the newly compromised host connect back to the FTP server on TCP port 5554 of the infecting host and retrieve a copy of the worm. This copy has a name consisting of 4 or 5 digits followed by _up.exe (e.g. 74354_up.exe).

This particular variant spawns 1024 threads for the infection routine, whereas the previous variant, W32.Sasser.B.Worm, uses only 128.
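The infection chain described above (mass connections to TCP 445, a shell on TCP 9996 on the victim, and a connect-back to the infecting host's FTP server on TCP 5554) leaves a distinctive network footprint. The following Python script is an added example, not part of this writeup, that applies those indicators to a few constructed firewall log lines; the log format and the fan-out threshold of five distinct 445 targets are assumptions for illustration, and a real Sasser host scanning from 1024 threads would far exceed it. The file-name check uses the 4-or-5-digit "_up.exe" pattern from the writeup.

```python
import re
from collections import defaultdict

# Network indicators taken from the writeup.
LSASS_PORT = 445    # exploitation target (LSASS over SMB/TCP)
FTP_PORT = 5554     # FTP server the worm starts on the infecting host
SHELL_PORT = 9996   # remote shell opened by the shellcode on the victim

# Dropped-copy name: 4 or 5 digits followed by _up.exe (e.g. 74354_up.exe).
UP_EXE_RE = re.compile(r"^\d{4,5}_up\.exe$", re.IGNORECASE)

# Hypothetical firewall log layout, assumed for this example.
LOG_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")

# Constructed sample log: 10.0.0.5 scans five hosts on 445, gets a shell on
# 192.0.2.77 (port 9996), and that victim pulls the worm from 10.0.0.5:5554.
# 10.0.0.9 is benign noise (one SMB connection, one HTTP connection).
SAMPLE_LOG = """\
2004-05-02T10:00:01 src=10.0.0.5 dst=192.168.3.7 dport=445 proto=tcp
2004-05-02T10:00:01 src=10.0.0.5 dst=172.16.8.2 dport=445 proto=tcp
2004-05-02T10:00:02 src=10.0.0.5 dst=203.0.113.9 dport=445 proto=tcp
2004-05-02T10:00:02 src=10.0.0.5 dst=198.51.100.4 dport=445 proto=tcp
2004-05-02T10:00:03 src=10.0.0.5 dst=192.0.2.77 dport=445 proto=tcp
2004-05-02T10:00:04 src=10.0.0.5 dst=192.0.2.77 dport=9996 proto=tcp
2004-05-02T10:00:05 src=192.0.2.77 dst=10.0.0.5 dport=5554 proto=tcp
2004-05-02T10:00:06 src=10.0.0.9 dst=10.0.0.1 dport=445 proto=tcp
2004-05-02T10:00:07 src=10.0.0.9 dst=10.0.0.2 dport=80 proto=tcp
""".splitlines()


def parse_line(line):
    """Extract (src, dst, dport) from one log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m["src"], m["dst"], int(m["dport"])


def scan_logs(lines, fanout_threshold=5):
    """Tag hosts by their role in the Sasser infection chain.

    Tags per IP (sorted list):
      scanner        - contacted >= fanout_threshold distinct hosts on 445
      shell_client   - connected to a 9996 listener (the infecting side)
      shell_listener - accepted a connection on 9996 (the exploited victim)
      ftp_client     - connected to a 5554 listener (victim fetching the worm)
      ftp_listener   - accepted a connection on 5554 (worm's FTP server)
    """
    targets_445 = defaultdict(set)
    findings = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        if dport == LSASS_PORT:
            targets_445[src].add(dst)
        elif dport == SHELL_PORT:
            findings[src].add("shell_client")
            findings[dst].add("shell_listener")
        elif dport == FTP_PORT:
            findings[src].add("ftp_client")
            findings[dst].add("ftp_listener")
    for src, dsts in targets_445.items():
        if len(dsts) >= fanout_threshold:
            findings[src].add("scanner")
    return {ip: sorted(tags) for ip, tags in findings.items()}


def is_sasser_dropper_name(filename):
    """True if a file name matches the worm's NNNNN_up.exe naming pattern."""
    return bool(UP_EXE_RE.match(filename))


def analyze_sample():
    """Run the detector over the constructed sample log."""
    return scan_logs(SAMPLE_LOG)


if __name__ == "__main__":
    for ip, tags in sorted(analyze_sample().items()):
        print(ip, ", ".join(tags))
    print("74354_up.exe matches:", is_sasser_dropper_name("74354_up.exe"))
```

On the sample, 10.0.0.5 is tagged scanner, shell_client and ftp_listener (the infecting host), and 192.0.2.77 is tagged shell_listener and ftp_client (the victim that connected back). The scan fan-out alone would also catch legitimate vulnerability scanners, so the 9996/5554 pairing is what makes the finding specific to this worm.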