Sasser.a and Sasser.b: Prevention and cure
Published: 05 May 2004 12:00 BST
Sasser and its variations are network-aware worms that do not require email or user interaction to spread. The worms use a bootstrap effect by infecting new machines first, then downloading the full code from a previously infected machine.
Sasser (w32.sasser.a) and Sasser.b (w32.sasser.b) are both 15,872 bytes long, and they randomly scan local networks and the Internet to look for additional systems to infect. This scanning could slow normal traffic on the Internet.
Vulnerable systems include Windows 2000 and Windows XP installations that have not had the Microsoft Security Bulletin patch MS04-011 installed and that are not running desktop firewall software. Sasser does not affect any other version of Windows, nor Linux, Unix, Mac OS, or any other operating system.
Because Sasser and its variations spread via the Internet and allow remote users to access your PC, this worm rates a 7 on the CNET/ZDNet Virus Meter.
How it works
Sasser takes advantage of a buffer-overrun flaw in the Local Security Authority Subsystem (LSASS), which allows an attacker to gain control of infected systems. Microsoft patched the flaw with MS04-011 on 13 April.
Sasser adds a copy of itself to the Windows directory under the name:
Sasser.a: AVSERVE.EXE
Sasser.b: AVSERVE2.EXE
It adds the following to the system Registry file:
Sasser.a: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run avserve.exe = c:\Windows\avserve.exe
Sasser.b: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run avserve2.exe = c:\Windows\avserve2.exe
This change to the Registry allows the worm to run once the machine reboots.
Previous
Did you find this article useful?
145 out of 265 people found this useful
Digg
Slashdot
Del.ici.ous
Stumble
Reddit
