Sasser.a and Sasser.b: Prevention and cure

• Tags:
• Help,
• Cure,
• Remove,
• Sasser.b

Robert Vamosi CNET News

Published: 05 May 2004 12:00 BST

• 
• 
• 
• 
• 

Sasser and its variations are network-aware worms that do not require email or user interaction to spread. The worms use a bootstrap effect by infecting new machines first, then downloading the full code from a previously infected machine.

Sasser (w32.sasser.a) and Sasser.b (w32.sasser.b) are both 15,872 bytes long, and they randomly scan local networks and the Internet to look for additional systems to infect. This scanning could slow normal traffic on the Internet.

Vulnerable systems include Windows 2000 and Windows XP installations that have not had the Microsoft Security Bulletin patch MS04-011 installed and that are not running desktop firewall software. Sasser does not affect any other version of Windows, nor Linux, Unix, Mac OS, or any other operating system.

Because Sasser and its variations spread via the Internet and allow remote users to access your PC, this worm rates a 7 on the CNET/ZDNet Virus Meter.

How it works
Sasser takes advantage of a buffer-overrun flaw in the Local Security Authority Subsystem (LSASS), which allows an attacker to gain control of infected systems. Microsoft patched the flaw with MS04-011 on 13 April.

Sasser adds a copy of itself to the Windows directory under the name:
Sasser.a: AVSERVE.EXE
Sasser.b: AVSERVE2.EXE

It adds the following to the system Registry file:
Sasser.a: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run avserve.exe = c:\Windows\avserve.exe
Sasser.b: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run avserve2.exe = c:\Windows\avserve2.exe

This change to the Registry allows the worm to run once the machine reboots.

• 
• 
• 
• 

• Share this article:
• Digg
• Slashdot
• Del.ici.ous
• Stumble
• Reddit

• Most Recent
• Most Popular
• Most Discussed