SecurityHome.eu Win32.Worm.Sasser.{A-C}

Home / malware PDF

Win32.Worm.Sasser.{A-C}

First posted on 21 November 2011.
Source: BitDefender
Aliases :
Win32.Worm.Sasser.{A-C} is also known as WORM_SASSER, Win32.HLLW.Jobaka.
Explanation :
The worm installs by exploiting the LSASS vulnerability described in the Microsoft Security Bulletin MS04-011.

It scans pseudo-random IPs on 445 sending the exploit that causes a remote shell to be spawned on port 9996.

Then it opens a FTP server on the remote computer that listens on port 5554, sends and executes itself on the remote machine.

Once executed, the worm drops a file in the Windows directory (%WINDIR%):

%WINDIR%avserve.exe -- Win32.Worm.Sasser.A
%WINDIR%avserve2.exe -- Win32.Worm.Sasser.B,C
and creates the registry key:
HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun
with the value:
"avserve.exe" = "%WINDIR%avserve.exe" -- Win32.Worm.Sasser.A
"avserve2.exe" = "%WINDIR%avserve2.exe" -- Win32.Worm.Sasser.B,C
Last update 21 November 2011

TOP

Malware :

RATDispenser
whispergate
Borat RAT
Trojanized X_Trader
BlackLotus

Last 20