Description:
This SASSER worm variant contains routines similar to those of the earlier variants, except for the following unique characteristics:
- The file name of its dropped copy is LSASSS.EXE.
- It uses port 1023 instead of port 5554 and port 1022 instead of port 9996.
Note: The file LSASS.EXE is a VALID Windows file and must not be confused with LSASSS.EXE, the file dropped by this worm.
It exploits the Windows LSASS vulnerability (MS04-011), a buffer overrun that allows remote code execution and gives an attacker full control of the affected system. This vulnerability is discussed in detail in the following pages:
To propagate, it scans for vulnerable systems on TCP port 445 and sends a specially crafted packet that triggers the buffer overflow in LSASS.EXE. The overflow payload starts a remote shell that listens on port 1022. The worm then commands that shell to download a copy of the worm from the infecting host via FTP on port 1023.
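The propagation sequence above (a sweep on TCP 445, a shell on the victim's port 1022, then an FTP fetch back to the infecting host's port 1023) leaves a three-step pattern in connection logs that also separates this variant from the earlier ones on 9996/5554. The script below is an added example, not Trend Micro's code and not part of the original description: it correlates a constructed firewall-style log (the line format, IP addresses and timestamps are all invented for illustration) and also shows the LSASSS.EXE versus LSASS.EXE file-name check. The drop directory used in the final print is hypothetical; the description does not state it.

```python
"""Added example: correlate constructed connection logs against the Sasser
propagation pattern (scan 445 -> shell on victim -> FTP back to attacker).
This is not Trend Micro code; the log format and addresses are invented."""
import re
from collections import defaultdict

SMB_PORT = 445
# (remote-shell port on the victim, FTP port on the infecting host, label)
VARIANT_SIGNATURES = (
    (1022, 1023, "this variant (shell 1022, FTP 1023)"),
    (9996, 5554, "earlier variant (shell 9996, FTP 5554)"),
)
DROPPED_FILE_NAME = "lsasss.exe"  # the worm's copy; lsass.exe is the real Windows file

# Constructed log format (an assumption, not any vendor's):
#   <timestamp> <src>:<sport> -> <dst>:<dport> <action>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>\w+)$"
)

# Constructed sample: 10.0.0.5 sweeps five hosts on 445, gets a shell on
# 10.0.0.20:1022 and serves the FTP download on 1023; 10.0.0.9 shows the
# older 9996/5554 pattern against 10.0.0.30; 10.0.0.40 is ordinary SMB traffic.
SAMPLE_LOG = """\
2004-05-08T10:00:01 10.0.0.5:3001 -> 10.0.0.20:445 ALLOW
2004-05-08T10:00:01 10.0.0.5:3002 -> 10.0.0.21:445 DROP
2004-05-08T10:00:01 10.0.0.5:3003 -> 10.0.0.22:445 DROP
2004-05-08T10:00:02 10.0.0.5:3004 -> 10.0.0.23:445 DROP
2004-05-08T10:00:02 10.0.0.5:3005 -> 10.0.0.24:445 DROP
2004-05-08T10:00:03 10.0.0.5:3006 -> 10.0.0.20:1022 ALLOW
2004-05-08T10:00:04 10.0.0.20:1040 -> 10.0.0.5:1023 ALLOW
2004-05-08T10:05:00 10.0.0.9:4001 -> 10.0.0.30:445 ALLOW
2004-05-08T10:05:01 10.0.0.9:4002 -> 10.0.0.30:9996 ALLOW
2004-05-08T10:05:02 10.0.0.30:1050 -> 10.0.0.9:5554 ALLOW
2004-05-08T10:06:00 10.0.0.40:2000 -> 10.0.0.50:445 ALLOW
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def parse_log(lines):
    return [r for r in (parse_line(l) for l in lines) if r]


def find_scanners(lines, min_targets=5):
    """Sources that contacted at least min_targets distinct hosts on TCP 445.
    Dropped attempts count too: a sweep mostly hits hosts that are not there."""
    targets = defaultdict(set)
    for r in parse_log(lines):
        if r["dport"] == SMB_PORT:
            targets[r["src"]].add(r["dst"])
    return sorted(src for src, t in targets.items() if len(t) >= min_targets)


def find_infection_chains(lines):
    """(attacker, victim, label) triples where attacker -> victim:445 was followed,
    in time order, by attacker -> victim:<shell> and then victim -> attacker:<ftp>."""
    first_seen = {}
    for r in parse_log(lines):
        key = (r["src"], r["dst"], r["dport"])
        if key not in first_seen or r["ts"] < first_seen[key]:
            first_seen[key] = r["ts"]
    chains = []
    for (src, dst, dport), smb_ts in sorted(first_seen.items()):
        if dport != SMB_PORT:
            continue
        for shell, ftp, label in VARIANT_SIGNATURES:
            shell_ts = first_seen.get((src, dst, shell))
            ftp_ts = first_seen.get((dst, src, ftp))
            if shell_ts and ftp_ts and smb_ts <= shell_ts <= ftp_ts:
                chains.append((src, dst, label))
    return chains


def is_dropped_copy(path):
    """True for the worm's LSASSS.EXE, False for the genuine LSASS.EXE."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name == DROPPED_FILE_NAME


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("445 sweepers:", find_scanners(lines))
    for attacker, victim, label in find_infection_chains(lines):
        print(f"{attacker} -> {victim}: {label}")
    # Hypothetical paths; the description does not state the drop directory.
    print(is_dropped_copy(r"C:\WINDOWS\LSASSS.EXE"),
          is_dropped_copy(r"C:\WINDOWS\system32\lsass.exe"))
```

The chain check requires all three legs and their time order, so plain SMB traffic or a lone connection to port 1022 on its own does not fire; the sweep detector is deliberately separate because a host that is only scanning has not yet produced the shell and FTP legs.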
This worm can cause LSASS to crash, which forces Windows to restart. In this case, the following message boxes may appear:
Its payload also displays a message box with the following text strings:
1. Your computer is affected by the MS04-011 vulnerability
2. It can be that dangerous computer viruses similar
the Blaster worm infect your computer
3. Please update your computer with the MS04-011 LSASS patch
from the www.microsoft.com website
4. This is an message from the SkyNet Team for
malicious activity prevention
Notes on Windows 2003 Server:
- Analysis and tests of this malware show that it can execute and create registry entries on Windows 2003 Server, but it fails to exploit the LSASS service on that operating system version.
- Although Microsoft reports that Windows 2003 Server is also vulnerable to the LSASS issue, a code error in the malware's exploit packet may prevent it from exploiting the vulnerability on that platform. Systems running that version should still be patched, since the vulnerability itself is present even though this variant fails to trigger it.
The following article provides a thorough look into the different events that shaped Sasser's emergence and gives an extensive discussion about its implications:
Description created: May. 8, 2004 10:51:11 PM GMT -0800