Alias: Sasser
Type: Worm
Size: 15,872 bytes
Origin: unknown
Date: 05-01-2004
Damage: Uses the LSASS vulnerability
VDF Version: 6.25.00.42
Danger: Medium
Distribution: Medium

General Description
Worm/Sasser.A is a worm of 15,872 bytes in size. It copies itself into the Windows directory as avserve.exe. It exploits the Microsoft LSASS (Local Security Authority Subsystem Service) security hole. The worm can install itself on Windows XP or Windows 2000 if not all patches from Microsoft are applied or no Internet firewall is active. It is an annoying worm, which repeatedly restarts your computer.

Symptoms
In drive C: the file WIN.LOG can be seen.

Distribution
By using the Microsoft LSASS vulnerability.

Technical Details
Worm/Sasser.A spreads itself using the Microsoft LSASS (Local Security Authority Subsystem Service) security hole. See:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

The worm can install itself on a Windows XP or Windows 2000 system if the above patch was not applied. It searches for more vulnerable computers over TCP port 445 / TCP port 9996. It uses an FTP script to send files over port 5554. Worm/Sasser.A copies itself into the Windows directory as AVSERVE.EXE and makes the following registry entry, so that it is activated at the next system start:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run]
"avserve.exe"="C:\\%WinDir%\\avserve.exe"

The file C:\WIN.LOG contains the number of infected hosts, together with the IP address of the host most recently attempted to be compromised.

The worm creates more copies of itself in Windows, named
<%5 random numbers%>_up.exe.

Manual Removal Instructions - for Windows 2000/XP:
In order to remove the virus by hand, you should be in Safe Mode first. Press the F8 key when you start your computer, and select the 'Safe Mode' option that appears.

Delete the following files:

* \%WinDir%\AVSERVE.EXE
* \%WinDir%\%SystemDir%\<%5 random numbers%>_up.exe
* C:\WIN.LOG

Start "regedit" after that and delete the following registry entry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run]
"avserve.exe"="C:\\%WinDir%\\avserve.exe"

Restart your computer.
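The removal steps above, collected into one script as an added example; this is not an Avira tool and not part of the original description. It assumes a PowerShell-capable Windows host (PowerShell is not shipped with Windows 2000 or a stock Windows XP), that %SystemDir% is the system32 folder under %WinDir%, and that the worm's listeners can be spotted with netstat on the ports the page names. Without -Remove it only reports the indicators; with -Remove it stops any running avserve.exe, deletes the files and the Run value, and reminds you to reboot.

```powershell
# Added example: report, and optionally remove, the Worm/Sasser.A artifacts
# listed on this page. Run from an elevated prompt, ideally in Safe Mode.
param([switch]$Remove)

$winDir = $env:WINDIR                       # e.g. C:\WINDOWS (the page's %WinDir%)
$sysDir = Join-Path $winDir 'system32'      # assumed to be the page's %SystemDir%
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# File indicators from the description
$files = @(
    (Join-Path $winDir 'avserve.exe'),
    'C:\WIN.LOG'
)
# Copies named <5 random digits>_up.exe in the system directory
$upCopies = @(Get-ChildItem -Path $sysDir -Filter '*_up.exe' -ErrorAction SilentlyContinue |
              Where-Object { $_.Name -match '^\d{5}_up\.exe$' } |
              ForEach-Object { $_.FullName })
$files += $upCopies

$found = $false

# The worm's process must be gone before its file can be deleted outside Safe Mode
if ($Remove) {
    Get-Process -Name 'avserve' -ErrorAction SilentlyContinue | Stop-Process -Force
}

foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $found = $true
        Write-Output "Indicator present: $f"
        if ($Remove) { Remove-Item -LiteralPath $f -Force }
    }
}

# Registry persistence: the Run value named avserve.exe
$runProps = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($runProps -and $runProps.PSObject.Properties['avserve.exe']) {
    $found = $true
    Write-Output "Indicator present: $runKey\avserve.exe = $($runProps.'avserve.exe')"
    if ($Remove) { Remove-ItemProperty -Path $runKey -Name 'avserve.exe' }
}

# Listeners on the ports the page associates with the worm (5554 FTP, 9996).
# netstat is used because it exists on every Windows version the page covers.
$listening = netstat -an | Select-String -Pattern ':(5554|9996)\s+\S+\s+LISTENING'
foreach ($l in $listening) {
    $found = $true
    Write-Output "Suspicious listener: $($l.Line.Trim())"
}

if (-not $found)  { Write-Output 'No Worm/Sasser.A indicators found.' }
elseif ($Remove)  { Write-Output 'Artifacts removed; restart the computer now.' }
```

The port check is a secondary signal: an unrelated service may legitimately listen on 5554 or 9996, so treat that line as a prompt to investigate rather than proof of infection, and rely on the file and Run-key indicators, which are the ones the description gives.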
Description inserted by Crony Walker on Thursday, January 20, 2005
