The Sasser Worm

May 03, 2004

Symantec Security Response - W32.Sasser.B.Worm
PSS Security Response Team Alert - New Worm Sasser

The worm exploits the Local Security Authority Subsystem Service (LSASS) vulnerability fixed by Microsoft Security Update MS04-011 (835732), released on April 13, 2004. As of this writing, two other variants of this worm exist.

A friend of mine called me from his job Sunday evening for help clearing it off most of the computers in his department. It's pretty nasty; it seems to totally screw up the LSASS service. (The Local Security Authority Subsystem Service provides an interface for managing local security, domain authentication, and Active Directory processes. It handles authentication for the client and for the server.) He had issues opening programs (Event Viewer, msconfig, etc.) because of authentication issues, the computer would reboot, Safe Mode had issues, and the CPU would max out.

Here are details from Symantec:

1. Attempts to create a mutex called Jobaka3 and exits if the attempt fails. This ensures that no more than one instance of the worm can run on the computer at any time.
2. Copies itself as %Windir%\avserve2.exe.
3. Adds the value: "avserve2.exe"="%Windir%\avserve2.exe" to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run so that the worm runs when you start Windows.
4. Uses the AbortSystemShutdown API to hinder attempts to shut down or restart the computer.
5. Starts an FTP server on TCP port 5554. This server is used to spread the worm to other hosts.
6. Attempts to connect to randomly-generated IP addresses on TCP port 445. If a connection is made to a computer, the worm sends shellcode to that computer which may cause it to run a remote shell on TCP port 9996. The worm then uses the shell to cause the computer to connect back to the FTP server on port 5554 and retrieve a copy of the worm. This copy will have a name consisting of 4 or 5 digits followed by _up.exe (eg 74354_up.exe).
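The propagation chain in Symantec's list (scan TCP 445, shellcode spawns a shell on TCP 9996, victim connects back to the attacker's FTP server on TCP 5554 and pulls a file named NNNNN_up.exe) is specific enough to pick out of ordinary firewall or flow logs. The following detector is an added example written for this post, not code from Symantec or from the original article. The log format, the sample lines, and the scan threshold of five distinct 445 targets are all assumptions made for the example; the port numbers and the filename pattern come from the behaviour list above.

```python
import re
from collections import defaultdict

# Ports taken from the Symantec behaviour list above.
SMB_PORT = 445       # LSASS exploit delivered over SMB
SHELL_PORT = 9996    # remote shell the shellcode opens on the victim
FTP_PORT = 5554      # worm's FTP server on the attacking host

# Assumed threshold: this many distinct hosts probed on 445 by one source counts as scanning.
SCAN_THRESHOLD = 5

# Constructed firewall-style log lines (not a real capture), one connection per line:
# "<timestamp> TCP <src_ip>:<src_port> -> <dst_ip>:<dst_port> <action>"
SAMPLE_LOG = """\
2004-05-03T21:02:11 TCP 10.1.2.50:1034 -> 10.1.7.3:445 ALLOW
2004-05-03T21:02:11 TCP 10.1.2.50:1035 -> 10.1.9.88:445 DROP
2004-05-03T21:02:12 TCP 10.1.2.50:1036 -> 192.168.4.21:445 DROP
2004-05-03T21:02:12 TCP 10.1.2.50:1037 -> 10.1.7.4:445 ALLOW
2004-05-03T21:02:13 TCP 10.1.2.50:1038 -> 172.16.0.9:445 DROP
2004-05-03T21:02:13 TCP 10.1.2.50:1039 -> 10.1.7.5:445 ALLOW
2004-05-03T21:02:14 TCP 10.1.2.50:1040 -> 10.1.7.3:9996 ALLOW
2004-05-03T21:02:15 TCP 10.1.7.3:1201 -> 10.1.2.50:5554 ALLOW
2004-05-03T21:03:00 TCP 10.1.3.9:2045 -> 10.1.3.10:445 ALLOW
2004-05-03T21:03:30 TCP 10.1.3.9:2046 -> 10.1.3.10:139 ALLOW
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) TCP (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>\w+)$"
)


def parse_log(text):
    """Parse log lines into dicts. Malformed lines are skipped so one bad
    line cannot stop the detector from reading the rest of the file."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["dport"] = int(d["dport"])
        events.append(d)
    return events


def detect_sasser(events):
    """Correlate the three stages per source host.

    Scanning is counted on attempted connections, dropped or not, because a
    random-IP scanner mostly hits addresses that do not answer. A shell on
    9996 and an FTP pull on 5554 from the same victim means that victim
    most likely fetched the worm and is infected too."""
    scan_targets = defaultdict(set)   # attacker -> hosts probed on 445
    shell_victims = defaultdict(set)  # attacker -> hosts it connected to on 9996
    ftp_pulls = defaultdict(set)      # attacker -> hosts that connected back to its 5554
    for e in events:
        if e["dport"] == SMB_PORT:
            scan_targets[e["src"]].add(e["dst"])
        elif e["dport"] == SHELL_PORT:
            shell_victims[e["src"]].add(e["dst"])
        elif e["dport"] == FTP_PORT:
            # the victim is the client here; the attacker is the FTP server
            ftp_pulls[e["dst"]].add(e["src"])

    findings = {}
    hosts = set(scan_targets) | set(shell_victims) | set(ftp_pulls)
    for host in hosts:
        scanned = len(scan_targets[host])
        shells = shell_victims[host]
        pulls = ftp_pulls[host]
        if scanned >= SCAN_THRESHOLD or shells or pulls:
            findings[host] = {
                "scanned_445_hosts": scanned,
                "shell_9996_victims": sorted(shells),
                "ftp_5554_pullers": sorted(pulls),
                "likely_infected": sorted(shells & pulls),
            }
    return findings


def is_sasser_payload_name(filename):
    """Match the '<4 or 5 digits>_up.exe' name the worm gives the copy it serves."""
    return re.fullmatch(r"\d{4,5}_up\.exe", filename, re.IGNORECASE) is not None


if __name__ == "__main__":
    for host, finding in detect_sasser(parse_log(SAMPLE_LOG)).items():
        print(host, finding)
```

On the constructed sample, 10.1.2.50 is flagged as the scanner (six distinct 445 targets), 10.1.7.3 shows up as the host that both received the 9996 shell and pulled from 5554, and 10.1.3.9 is left alone because a single 445 connection to a neighbour is ordinary file sharing. The filename check is useful on FTP or proxy logs and on any host where a NNNNN_up.exe turns up next to avserve2.exe.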