Sasser Information

The Short and Skinny of It:
The Sasser Worm takes advantage of a known LSASS vulnerability in Windows 2000/XP/NT systems described in Microsoft Security Bulletin MS04-011.

Once a system is infected with the worm, Sasser will create a mutex, add a registry key, and open an FTP server on port 5554 to attempt to spread itself by connecting to randomly generated IP addresses on TCP port 445. If a connection is made it will then send shell code to open a remote shell on port 9996. The shell is then used to reconnect to the FTP server on port 5554 to retreive the worm. There are a number of variants of the worm and each has minor deviations from this description.

More Detailed Information:

• W32.Sasser.Worm information from Symantec
• W32.Sasser.B.Worm information from Symantec
• W32.Sasser.C.Worm information from Symantec
• W32.Sasser.D.Worm information from Symantec

Microsoft Security Bulletin MS04-011 Fixes by Operating System to prevent the LSASS exploit:

• Windows 2000
• Windows XP
• Windows NT Requires SP 6a
• Windows Server 2003

Free Removal Tool:
FxSasser Removal Tool from Symatec

Preventing Infections of this Nature in the Future:
Sometimes the tried and tested solutions are among the best to implement. In this case, and in many others, the impact of viruses/trojans/worms can be reduced or even eliminated by the installation of antivirus software on all systems in your network and by the use of either a hardware firewall (the preferred choice) and use of NAT (Network Address Translation) for your entire network, or firewall software on each station.

Need Help?:
If the above information is too overwhelming or confusing or you need help either dealing with the present threat or strengthening your network defenses for the future, please contact us here at Craftix and we'll be glad to assist.