
W32.Sasser.D

Risk Level 2: Low

Discovered:
May 3, 2004
Updated:
February 13, 2007 12:22:29 PM
Also Known As:
W32/Sasser-D [Sophos], WORM_SASSER.D [Trend], W32/Sasser.worm.d [McAfee], Win32.Sasser.D [Computer Associates], Worm.Win32.Sasser.d [Kaspersky]
Type:
Worm
Systems Affected:
Windows
CVE References:
CAN-2003-0533

The W32.Sasser.D worm:
  • Is a variant of W32.Sasser.Worm.
  • Attempts to exploit the LSASS vulnerability described in Microsoft Security Bulletin MS04-011.
  • Spreads by scanning randomly selected IP addresses for vulnerable systems.

W32.Sasser.D differs from W32.Sasser.Worm as follows:
  • Uses a different mutex: SkynetSasserVersionWithPingFast.
  • Uses a different file name: skynetave.exe.
  • Has a different file size: 16,384 bytes.
  • Has a different MD5.
  • Creates a different value in the registry: "skynetave.exe".
  • Uses a different port for the remote shell: 9995/tcp.
  • Will exit before running any code with an error on some Windows 2000 systems.
  • Has an updated routine for finding vulnerable computers. W32.Sasser.D sends an ICMP echo request before attempting to make a connection. This change may prevent the worm from properly executing on Windows 2000 systems.

W32.Sasser.D can only execute on Windows XP systems. The worm can exploit a vulnerable (unpatched) Windows 2000 machine remotely and copy itself to that machine. However, it will exit before running any code. In such cases, this worm will produce the following error:

The procedure entry point IcmpSendEcho could not be located in the dynamic link library iphlpapi.dll.


Notes:
  • The MD5 hash value of this worm is 0X03F912899B3D90F9915D72FC9ABB91BE.
  • Block TCP ports 5554, 9995, and 445 at the perimeter firewall and install the appropriate Microsoft patch (MS04-011) to prevent the remote exploitation of the vulnerability.
  • This threat is written in C++ and is packed with PECompact.
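The indicators listed above (file name, mutex, MD5, and the 445/5554/9995 ports) are what a defender would pull from this writeup into detection content. The following is an added example, not Symantec's own tooling: it normalizes the published MD5 for file comparison, matches host and network indicators against log lines, and flags sources that fan out to many hosts on 445/tcp, which is the scanning behaviour the writeup describes. The log line formats and the sample lines are constructed for this example and do not correspond to any real product's format.

```python
"""Indicator matching for W32.Sasser.D (added example; formats below are constructed)."""
import hashlib
import re
from collections import defaultdict

# Indicators taken from the writeup. The MD5 is printed there with a "0X" prefix.
SASSER_D_MD5_PUBLISHED = "0X03F912899B3D90F9915D72FC9ABB91BE"
SASSER_D_FILENAME = "skynetave.exe"
SASSER_D_MUTEX = "SkynetSasserVersionWithPingFast"
SASSER_D_PORTS = {445, 5554, 9995}   # exploit target, FTP server, remote shell


def normalize_md5(value: str) -> str:
    """Strip an optional 0x/0X prefix and lower-case so hashes compare reliably."""
    value = value.strip()
    if value[:2].lower() == "0x":
        value = value[2:]
    return value.lower()


SASSER_D_MD5 = normalize_md5(SASSER_D_MD5_PUBLISHED)


def file_matches_sasser_d(data: bytes) -> bool:
    """True when the MD5 of the given file contents equals the published hash."""
    return hashlib.md5(data).hexdigest() == SASSER_D_MD5


# Constructed (hypothetical) log formats used by this example:
#  firewall: "<ts> FW allow tcp <src>:<sport> -> <dst>:<dport>"
#  process:  "<ts> PROC start <path> pid=<n>"
#  mutex:    "<ts> OBJ mutex <name> pid=<n>"
FW_RE = re.compile(r"FW \w+ tcp (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)")
PROC_RE = re.compile(r"PROC start (?P<path>\S+)")
MUTEX_RE = re.compile(r"OBJ mutex (?P<name>\S+)")


def classify_line(line: str):
    """Return (indicator_type, detail) if the line matches a Sasser.D indicator, else None."""
    m = FW_RE.search(line)
    if m:
        dport = int(m.group("dport"))
        if dport in SASSER_D_PORTS:
            return ("port", f"{m.group('src')} -> {m.group('dst')}:{dport}")
        return None
    m = PROC_RE.search(line)
    if m:
        path = m.group("path")
        basename = path.replace("/", "\\").split("\\")[-1].lower()
        if basename == SASSER_D_FILENAME:
            return ("file", path)
        return None
    m = MUTEX_RE.search(line)
    if m and m.group("name") == SASSER_D_MUTEX:
        return ("mutex", m.group("name"))
    return None


def scan_logs(lines):
    """Collect every indicator hit across the given log lines."""
    return [hit for hit in (classify_line(l) for l in lines) if hit is not None]


def scanning_sources(lines, threshold: int):
    """Sources that contacted at least `threshold` distinct hosts on 445/tcp."""
    targets = defaultdict(set)
    for line in lines:
        m = FW_RE.search(line)
        if m and int(m.group("dport")) == 445:
            targets[m.group("src")].add(m.group("dst"))
    return {src for src, dsts in targets.items() if len(dsts) >= threshold}


# Constructed sample lines: one host fanning out on 445, one remote-shell/FTP
# connection, one benign web connection, and host-side process/mutex events.
SAMPLE_LOGS = [
    "2004-05-03T10:00:00 FW allow tcp 10.0.0.5:1034 -> 10.0.0.9:445",
    "2004-05-03T10:00:00 FW allow tcp 10.0.0.5:1035 -> 10.0.0.10:445",
    "2004-05-03T10:00:00 FW allow tcp 10.0.0.5:1036 -> 10.0.0.11:445",
    "2004-05-03T10:00:01 FW allow tcp 10.0.0.9:1040 -> 10.0.0.5:5554",
    "2004-05-03T10:00:02 FW allow tcp 10.0.0.7:1050 -> 10.0.0.8:80",
    "2004-05-03T10:00:03 PROC start C:\\WINDOWS\\skynetave.exe pid=1234",
    "2004-05-03T10:00:03 PROC start C:\\WINDOWS\\notepad.exe pid=1235",
    "2004-05-03T10:00:04 OBJ mutex SkynetSasserVersionWithPingFast pid=1234",
]

if __name__ == "__main__":
    for kind, detail in scan_logs(SAMPLE_LOGS):
        print(f"{kind:6} {detail}")
    print("scanning sources:", scanning_sources(SAMPLE_LOGS, threshold=3))
```

Port 445 traffic is normal on a Windows network, so the single-connection "port" hits for 445 are only useful alongside the fan-out count or a host indicator; the 5554 and 9995 hits, the file name and the mutex are far more specific to this variant.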


Antivirus Protection Dates

  • Initial Rapid Release version May 3, 2004
  • Latest Rapid Release version September 28, 2010 revision 054
  • Initial Daily Certified version May 3, 2004
  • Latest Daily Certified version September 28, 2010 revision 036
  • Initial Weekly Certified release date May 3, 2004
Writeup By: John Canavan
