Win32.Worm.Sasser.{A-C}
First posted on 21 November 2011.
Source: BitDefender
Aliases:
Win32.Worm.Sasser.{A-C} is also known as WORM_SASSER, Win32.HLLW.Jobaka.
Explanation:
The worm spreads by exploiting the LSASS buffer overflow described in Microsoft Security Bulletin MS04-011 (CVE-2003-0533).
It scans pseudo-random IP addresses on TCP port 445 and sends the exploit, which causes a remote shell to be spawned on TCP port 9996 of the victim.
The infected host also runs an FTP server on TCP port 5554; through the shell it instructs the victim to download the worm from that FTP server and execute it.
Once executed, the worm drops a file in the Windows directory (%WINDIR%):
%WINDIR%\avserve.exe -- Win32.Worm.Sasser.A
%WINDIR%\avserve2.exe -- Win32.Worm.Sasser.B,C
and creates the registry key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
with the value:
"avserve.exe" = "%WINDIR%\avserve.exe" -- Win32.Worm.Sasser.A
"avserve2.exe" = "%WINDIR%\avserve2.exe" -- Win32.Worm.Sasser.B,C
Last update 21 November 2011
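The indicators described above (the dropped file and its Run value, the listening ports 5554 and 9996, and the scanning of port 445) can be checked from a host's `reg query` and `netstat -ano` output. The following script is an added example, not BitDefender's or the page's own code: the registry and netstat output it parses is constructed, and the process ID, the addresses and the threshold of three half-open connections to port 445 used to flag a scanner are assumptions.

```python
"""
Triage helper for the Win32.Worm.Sasser.{A-C} indicators listed on this page.
Added example, not BitDefender's code. It parses text output of `reg query`
and `netstat -ano` captured on a suspect Windows host and reports matches
against the file names, Run-key values and TCP ports the page describes.
The sample output embedded below is constructed.
"""
import re
from collections import Counter

# Dropped files / Run-key value names from the page, mapped to the variant.
SASSER_FILES = {
    "avserve.exe": "Win32.Worm.Sasser.A",
    "avserve2.exe": "Win32.Worm.Sasser.B,C",
}
# Listening ports from the page and what they mean on an infected host.
SASSER_PORTS = {
    5554: "FTP server used to serve the worm body to victims",
    9996: "shell left behind by the LSASS exploit",
}

# Constructed sample of `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    avserve2.exe    REG_SZ    C:\WINDOWS\avserve2.exe
"""

# Constructed sample of `netstat -ano` from the same host: the assumed worm
# process (PID 1612) listens on 5554 and 9996 and is scanning port 445.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5554           0.0.0.0:0              LISTENING       1612
  TCP    0.0.0.0:9996           0.0.0.0:0              LISTENING       1612
  TCP    192.168.1.5:1040       203.0.113.17:445       SYN_SENT        1612
  TCP    192.168.1.5:1041       198.51.100.9:445       SYN_SENT        1612
  TCP    192.168.1.5:1042       192.0.2.200:445        SYN_SENT        1612
"""

# A value line of `reg query` looks like: "    name    REG_SZ    data".
REG_LINE = re.compile(r"^\s+(\S.*?)\s{2,}(REG_\w+)\s{2,}(.*)$")


def parse_reg_query(text):
    """Return {value_name: data} from `reg query <key>` output."""
    entries = {}
    for line in text.splitlines():
        m = REG_LINE.match(line)
        if m:
            entries[m.group(1)] = m.group(3).strip()
    return entries


def run_key_indicators(entries):
    """Flag Run values whose name or target file name matches a Sasser dropper."""
    hits = []
    for name, data in entries.items():
        target = data.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
        variant = SASSER_FILES.get(name.lower()) or SASSER_FILES.get(target)
        if variant:
            hits.append((name, data, variant))
    return hits


def parse_netstat(text):
    """Return (listeners {port: pid}, syn_sent [(remote_port, pid), ...])."""
    listeners, syn_sent = {}, []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue  # header, blank line, or UDP row without a state column
        local, remote, state, pid = parts[1], parts[2], parts[3], int(parts[4])
        if state == "LISTENING":
            listeners[int(local.rsplit(":", 1)[1])] = pid
        elif state == "SYN_SENT":
            syn_sent.append((int(remote.rsplit(":", 1)[1]), pid))
    return listeners, syn_sent


def port_indicators(listeners):
    """Map each Sasser port that is open to (pid, explanation)."""
    return {p: (listeners[p], why) for p, why in SASSER_PORTS.items() if p in listeners}


def scanning_pids(syn_sent, min_attempts=3):
    """PIDs with at least min_attempts half-open connections to port 445 (the worm's scan)."""
    counts = Counter(pid for port, pid in syn_sent if port == 445)
    return {pid: n for pid, n in counts.items() if n >= min_attempts}


def triage(reg_text, netstat_text):
    """Combine the checks; a non-empty section means the host needs a closer look."""
    listeners, syn_sent = parse_netstat(netstat_text)
    return {
        "run_key": run_key_indicators(parse_reg_query(reg_text)),
        "ports": port_indicators(listeners),
        "scanners": scanning_pids(syn_sent),
    }


if __name__ == "__main__":
    for section, found in triage(SAMPLE_REG, SAMPLE_NETSTAT).items():
        print(f"{section}: {found}")
```

An open port 5554 or 9996 on its own is not conclusive, since other software can use either; what matters is the combination with the Run value or the file in %WINDIR%, and a process that both listens on those ports and has many half-open connections to port 445. Any host reachable on port 445 without the MS04-011 patch should be patched regardless of what the script reports.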