
Win32.Worm.Sasser.{A-C}


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Win32.Worm.Sasser.{A-C} is also known as WORM_SASSER, Win32.HLLW.Jobaka.

Explanation:

The worm installs by exploiting the LSASS vulnerability described in the Microsoft Security Bulletin MS04-011.

It scans pseudo-random IP addresses on TCP port 445, sending the exploit, which causes a remote shell to be spawned on port 9996.

Then it opens an FTP server on the remote computer that listens on port 5554, and sends and executes itself on the remote machine.
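The propagation sequence above (a sweep of TCP/445, a shell on 9996, a file transfer over 5554) is easy to spot in connection logs. The following is an added detection example, not part of the original BitDefender description: it reads a constructed flow log in the form "timestamp src dst dst_port proto" and reports hosts that scanned many distinct targets on 445 or took part in a connection on the shell or FTP port. The scan threshold of 20 distinct targets and the log format are assumptions.

```python
from collections import defaultdict

SCAN_THRESHOLD = 20   # assumed: distinct TCP/445 targets from one source before we call it a scan
SHELL_PORT = 9996     # remote shell spawned by the exploit (from the description above)
FTP_PORT = 5554       # FTP server used to transfer the worm body (from the description above)
SMB_PORT = 445        # port the worm scans

# Constructed sample flow log: "timestamp src dst dst_port proto", one flow per line.
# 10.0.0.5 plays an infected host sweeping 10.0.1.0/24 on 445, then shell and FTP
# traffic with 10.0.1.7; 10.0.0.9 is a benign client talking to one file server.
SAMPLE_LOG = "\n".join(
    [f"2004-05-01T10:00:{i:02d} 10.0.0.5 10.0.1.{i} 445 tcp" for i in range(1, 31)]
    + [
        "2004-05-01T10:00:40 10.0.0.5 10.0.1.7 9996 tcp",
        "2004-05-01T10:00:41 10.0.1.7 10.0.0.5 5554 tcp",
        "2004-05-01T10:05:00 10.0.0.9 10.0.2.1 445 tcp",
        "2004-05-01T10:05:01 10.0.0.9 10.0.2.1 445 tcp",
        "2004-05-01T10:05:02 10.0.0.9 10.0.2.1 445 tcp",
    ]
)


def parse_flow(line):
    """Parse one log line; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, proto = parts
    if not port.isdigit():
        return None
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "proto": proto.lower()}


def analyze(log_text, scan_threshold=SCAN_THRESHOLD):
    """Return {host: sorted list of reasons} for hosts matching the Sasser pattern."""
    targets_445 = defaultdict(set)   # src -> distinct hosts it contacted on 445
    findings = defaultdict(set)      # host -> reasons it was flagged
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None or flow["proto"] != "tcp":
            continue
        if flow["port"] == SMB_PORT:
            targets_445[flow["src"]].add(flow["dst"])
        elif flow["port"] == SHELL_PORT:
            # Either side of a 9996 connection is worth a look: the connecting host
            # is using the spawned shell, the accepting host was just exploited.
            findings[flow["src"]].add(f"connected to shell port {SHELL_PORT} on {flow['dst']}")
            findings[flow["dst"]].add(f"accepted shell-port {SHELL_PORT} connection from {flow['src']}")
        elif flow["port"] == FTP_PORT:
            findings[flow["src"]].add(f"connected to worm FTP port {FTP_PORT} on {flow['dst']}")
            findings[flow["dst"]].add(f"served worm FTP port {FTP_PORT} to {flow['src']}")
    # A single source hitting many distinct hosts on 445 is the scanning phase.
    for src, dsts in targets_445.items():
        if len(dsts) >= scan_threshold:
            findings[src].add(f"scanned {len(dsts)} distinct hosts on TCP/{SMB_PORT}")
    return {host: sorted(reasons) for host, reasons in findings.items()}


if __name__ == "__main__":
    for host, reasons in sorted(analyze(SAMPLE_LOG).items()):
        print(host)
        for reason in reasons:
            print("   ", reason)
```

On the sample log this flags 10.0.0.5 (scan plus both shell and FTP involvement) and 10.0.1.7 (the freshly exploited host), while the benign client that repeatedly talks to one file server on 445 is left alone. The port-based rules are only as good as the worm variant's fixed port choices; the scan rule is the more durable of the two.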

Once executed, the worm drops a file in the Windows directory (%WINDIR%):

%WINDIR%\avserve.exe -- Win32.Worm.Sasser.A
%WINDIR%\avserve2.exe -- Win32.Worm.Sasser.B,C

and creates the registry key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

with the value:

"avserve.exe" = "%WINDIR%\avserve.exe" -- Win32.Worm.Sasser.A
"avserve2.exe" = "%WINDIR%\avserve2.exe" -- Win32.Worm.Sasser.B,C

Last update 21 November 2011
