Sasser
Sasser is a computer worm that spreads in a different manner from traditional e-mail worms such as MyDoom.A and its derivatives. The first infections took place on April 30th 2004, on machines to which the security patch published by Microsoft on April 13th 2004 had not been applied.
The worm spreads automatically over TCP port 445 to any machine connected to the network that runs Microsoft Windows 2000, Windows XP or Windows Server 2003 without the required patch (or that is not protected by a correctly configured firewall).
An infected machine downloads a program that it runs automatically without the user's knowledge. This program then searches the network for machines likely to be vulnerable and spreads to them wherever it can. Side effects of the worm's execution include unexpected reboots of the machine as well as error messages.
15,872 bytes in size (for the initial version), it exploits a vulnerability in the LSASS service of Windows to download a file named avserve.exe into the Windows directory of the infected machine, via FTP on TCP port 5554, and launches it remotely without any user intervention.
The worm then copies itself into the System directory under a random name ending in _up.exe. It modifies the registry so that it is launched at every startup. It then starts 128 simultaneous scanning threads to sweep the network and find new hosts. The system eventually becomes unstable, which leads to a crash of lsass.exe and an automatic reboot accompanied by the error message: "LSA Shell has encountered a problem and needs to close. We are sorry for the inconvenience."
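As an added example (not code from the original article, and not the worm itself), the following Python shows one way a network defender could spot the propagation pattern described above in a connection log: a burst of distinct TCP/445 targets from a single host, followed by TCP/5554 connections back to that host from the very targets it hit, which is the victims fetching the payload from the attacker's FTP listener. The log format, the thresholds, the addresses and the sample records are all assumptions constructed for illustration.

```python
"""Added example, not code from the original article: a simple network
detection heuristic for Sasser-style propagation, run over constructed
connection-log lines. It flags a source host that (1) contacts many
distinct peers on TCP/445 within a short window (the LSASS exploitation
phase) and (2) is then contacted on TCP/5554 by some of those peers
(victims pulling the payload from the attacker's FTP listener). The log
format, thresholds and sample addresses are assumptions for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

SCAN_PORT = 445            # SMB/LSASS, where the exploit attempt lands
PAYLOAD_PORT = 5554        # worm's FTP listener serving avserve.exe
MIN_DISTINCT_TARGETS = 20  # distinct 445 destinations in one window before we care
WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Parse one constructed record: '<ISO timestamp> <src> <dst> <dport>'."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def find_sasser_like(lines):
    """Return {src: {...}} for every source host showing Sasser-like behaviour."""
    events = sorted(parse_line(l) for l in lines if l.strip())
    scans = defaultdict(list)   # src -> [(ts, dst)] on 445, time-ordered
    pulls = defaultdict(set)    # dst (suspected attacker) -> {src} seen on 5554
    for ts, src, dst, dport in events:
        if dport == SCAN_PORT:
            scans[src].append((ts, dst))
        elif dport == PAYLOAD_PORT:
            pulls[dst].add(src)

    findings = {}
    for src, hits in scans.items():
        # Sliding window: largest number of distinct 445 targets inside WINDOW.
        peak = 0
        for i, (t0, _) in enumerate(hits):
            targets = {d for t, d in hits[i:] if t - t0 <= WINDOW}
            peak = max(peak, len(targets))
        if peak < MIN_DISTINCT_TARGETS:
            continue  # a handful of 445 connections is ordinary file-server traffic
        scanned = {d for _, d in hits}
        # Only hosts that were scanned AND then came back on 5554 count as victims.
        victims = pulls.get(src, set()) & scanned
        findings[src] = {
            "peak_distinct_445_targets": peak,
            "payload_pulls": len(victims),
            # A 445 sweep alone could be an admin tool; sweep plus 5554
            # call-backs from the swept hosts is the worm's signature.
            "confirmed": len(victims) > 0,
        }
    return findings


def sample_log():
    """Constructed sample: one infected host, two victims, one benign host."""
    t0 = datetime(2004, 5, 1, 10, 0, 0)
    lines = []
    # 10.0.0.5 sweeps 25 hosts on 445 at two-second intervals (50 s span).
    for i in range(1, 26):
        ts = (t0 + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts} 10.0.0.5 10.0.1.{i} {SCAN_PORT}")
    # Two of those hosts were exploited and fetch the payload from 10.0.0.5:5554.
    for i, delay in ((3, 9), (7, 17)):
        ts = (t0 + timedelta(seconds=delay)).isoformat()
        lines.append(f"{ts} 10.0.1.{i} 10.0.0.5 {PAYLOAD_PORT}")
    # 10.0.0.9 is a workstation talking to three file servers: benign.
    for i in range(1, 4):
        ts = (t0 + timedelta(seconds=5 * i)).isoformat()
        lines.append(f"{ts} 10.0.0.9 10.0.2.{i} {SCAN_PORT}")
    return lines


if __name__ == "__main__":
    for host, info in find_sasser_like(sample_log()).items():
        print(host, info)
```

The two-stage check matters in practice: a vulnerability scanner or an inventory tool will also touch many hosts on 445, but it will not be contacted back on 5554 by the hosts it touched. Tuning `MIN_DISTINCT_TARGETS` and `WINDOW` to the local network's normal SMB fan-out keeps the first stage from firing on file servers and login scripts.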
According to initial estimates, several million machines were hit by Sasser within the first days.
Like Blaster (Lovesan), it appeared shortly after Microsoft published patch MS04-011 for the vulnerability it exploits.
Operating systems such as GNU/Linux, Mac OS, Unix and others are not affected by this worm.
Sven Jaschan, an 18-year-old German and the author of the worm, was arrested by the police of his country on May 7th 2004, only a few days after the worm's release. Despite this arrest, the Sasser.E variant appeared on the Internet. He reportedly admitted to also having created the Netsky worm to counter the MyDoom and Bagle worms. On July 8th 2005 he received a suspended sentence; he now works for a computer security company.
Known variants
Depending on the antivirus vendor, the identification name of the worm differs: W32/Sasser.x@MM, W32.Sasser.X@mm, WORM_SASSER.X, W32/Sasser-X or Win32.Sasser.X, where "X" denotes the variant:
- Sasser.A, the original strain of the infection.
- Sasser.B, identified on May 1st 2004. This variant differs from Sasser.A by the name of the viral executable (AVSERVE2.EXE instead of AVSERVE.EXE) and the name of the log file (WIN2.LOG instead of WIN.LOG).
- Sasser.C, identified on May 2nd 2004. This variant differs from Sasser.B in that it starts 1024 simultaneous scanning threads instead of 128 to run the infection routine and speed up propagation.
- Sasser.D, identified on May 3rd 2004. The executable it launches is named SKYNETAVE.EXE and its size is 16,384 bytes.
- Sasser.E, identified on May 9th 2004. The executable it launches is named LSASSS.EXE (with one more S than Microsoft's lsass.exe). It attempts to modify the registry to remove the Bagle worm, then displays an alert window recommending the installation of Microsoft's MS04-011 patch.
- Sasser.F, identified on May 11th 2004, four days after the arrest of the presumed author. The executable it launches is named NAPATCH.EXE and its size is 74,752 bytes.
External links
- Microsoft's tracking page
- Details page on the Secuser site
- K-Otik alert and tracking bulletin