WORM_SASSER.A
Overview

Malware type: Worm

Aliases: Net-Worm.Win32.Sasser.a (Kaspersky), W32/Sasser.worm.a (McAfee), W32.Sasser.gen (Symantec), Worm/Rbot.328262 (Avira), W32/Sasser-F (Sophos)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 2000, XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: High

Description: (See also Overview Diagram)

This worm exploits the Windows LSASS vulnerability, which is a buffer overrun that allows remote code execution and enables an attacker to gain full control of the affected system. This vulnerability is discussed in detail in the following pages:

To propagate, it scans the network for vulnerable systems. When it finds a vulnerable system, this malware sends a specially crafted packet to produce a buffer overflow on LSASS.EXE.

It creates the script file CMD.FTP, which contains instructions for the vulnerable system to download and execute a copy of this malware from a remote infected system using FTP on TCP port 5554.
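The two network behaviours just described (a sweep of many hosts on TCP port 445, and victims pulling the worm copy back from the infected host over FTP on TCP port 5554) are what a network defender can look for. The following is an added detection example, not code from the original page or from Trend Micro: it parses constructed firewall/flow-style log lines (the addresses, timestamps and field layout are invented for the example) and flags sources that scan many distinct peers on 445 and are then contacted on 5554.

```python
import re
from collections import defaultdict

# Field layout of the constructed flow records used below; real firewall or
# NetFlow exports will need their own regex.
FLOW_RE = re.compile(
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)"
)


def build_sample_flows():
    """Constructed sample traffic (not real data) covering both behaviours."""
    lines = []
    # An infected host sweeping the subnet for TCP/445 (the port LSASS is reached on).
    for last in range(11, 41):
        lines.append(
            f"2004-05-01T00:10:{last:02d}Z src=10.0.0.5 dst=10.0.0.{last} dport=445 proto=tcp"
        )
    # A freshly exploited host fetching the worm copy over FTP on TCP/5554.
    lines.append("2004-05-01T00:11:05Z src=10.0.0.11 dst=10.0.0.5 dport=5554 proto=tcp")
    # Ordinary file-sharing traffic: a few clients talking to one file server.
    for client in ("10.0.0.7", "10.0.0.8", "10.0.0.9"):
        lines.append(f"2004-05-01T00:12:00Z src={client} dst=10.0.0.2 dport=445 proto=tcp")
    # Unrelated traffic that must not count.
    lines.append("2004-05-01T00:12:30Z src=10.0.0.7 dst=10.0.0.2 dport=80 proto=tcp")
    return lines


def parse_flow(line):
    """Return a dict with src/dst/dport/proto, or None for an unparseable line."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    flow = m.groupdict()
    flow["dport"] = int(flow["dport"])
    return flow


def find_sasser_like_hosts(lines, scan_threshold=20):
    """Return {src: report} for sources that behave like a Sasser-infected host.

    A source is reported when it contacts at least `scan_threshold` distinct
    hosts on TCP/445 (propagation scan).  If other hosts also connect to that
    source on TCP/5554 (the worm's FTP download port), confidence is raised to
    "high"; a scan alone is reported as "medium".  The threshold is an
    assumption to be tuned per network: a file server's legitimate clients
    appear as *destinations* on 445, so they are not counted here.
    """
    targets_445 = defaultdict(set)   # src -> distinct hosts it touched on 445
    clients_5554 = defaultdict(set)  # dst -> sources that connected to it on 5554
    for line in lines:
        flow = parse_flow(line)
        if flow is None or flow["proto"] != "tcp":
            continue
        if flow["dport"] == 445:
            targets_445[flow["src"]].add(flow["dst"])
        elif flow["dport"] == 5554:
            clients_5554[flow["dst"]].add(flow["src"])

    reports = {}
    for src, targets in targets_445.items():
        if len(targets) >= scan_threshold:
            ftp_clients = sorted(clients_5554.get(src, ()))
            reports[src] = {
                "scanned_hosts_445": len(targets),
                "ftp_5554_clients": ftp_clients,
                "confidence": "high" if ftp_clients else "medium",
            }
    return reports


if __name__ == "__main__":
    for host, report in find_sasser_like_hosts(build_sample_flows()).items():
        print(host, report)
```

On the constructed sample only 10.0.0.5 is reported: it touched 30 distinct hosts on port 445 and was contacted on port 5554 by 10.0.0.11, so confidence is "high". The file-server clients each contacted one host and stay below the threshold.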

This worm can cause LSASS to crash and force Windows to restart. In this case, the following message boxes may also appear:

"LSA

"System

Important: Trend Micro advises users to apply the critical patch related to the Windows LSASS vulnerability, which is available at the following Microsoft page:

Notes on Windows 2003 Server:

  • Analysis and tests done on this malware show that it can execute and create registry entries on Windows 2003 Server, but it fails to exploit the LSASS service on that operating system version.
  • Although Microsoft reports that the Windows 2003 Server is also vulnerable to the LSASS exploit, there may exist a code error within the malware exploit packet that prevents it from exploiting the LSASS vulnerability on the said platform.

The following paper provides a thorough look into the different events that shaped Sasser's emergence and gives an extensive discussion about its implications:

Overview Diagram:

[Diagram: Spread Mechanism / Affected Software]
Port 445 (TCP)
Vulnerability Name: Microsoft Security Bulletin MS04-011
Vulnerability Title: Windows LSASS vulnerability
Affected Software: Windows 2000, XP

For additional information about this threat, see:
Solution
Technical Details

Description created: May. 1, 2004 12:32:49 AM GMT -0800
Description updated: May. 6, 2004 5:18:50 AM GMT -0800
