Alias: W32/Sasser.worm.a, WORM_SASSER.A
Size: 15,872 bytes
Damage: Uses the LSASS security hole.
VDF Version:

Distribution
It starts an FTP server on TCP port 5554 and uses it to spread to other systems.
It collects IP addresses from the infected system and generates new ones similar to those collected.

Through TCP port 445, the worm contacts other systems on which the LSASS security hole has not been patched. If the connection succeeds, shellcode is sent to the target system, which opens TCP port 9996 on it. The shellcode then connects back to the infected computer on TCP port 5554, and the previously clean system downloads a copy of the worm from the FTP server there. This copy is named with 4 or 5 digits followed by _up.exe, for example: 74354_up.exe.

Technical Details
A mutex (Jobaka3l) ensures that no other instance of the worm is active on the system.
The worm copies itself to %WinDIR%\avserve.exe and creates the autostart registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "avserve.exe"="%WinDIR%\avserve.exe"
It uses the AbortSystemShutdown API to suppress computer shutdown or restart.
The Lsass.exe process terminates after the worm has exploited the Windows LSASS security hole. Windows then displays a message and shuts the system down within a minute.
The worm creates the file C:\win.log, which contains the IP addresses of the computers it tried to infect and the number of infected systems.
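A host triage script for the indicators listed in this description (the Run-key value, the dropped file, C:\win.log, the listening ports and the mutex), added here as an example; it is not part of the Avira description. It assumes netstat -ano output in the usual Windows layout and that the worm's mutex is visible in the current session namespace or under Global\.

```powershell
# Added example (not from the Avira page): check a Windows host for Sasser.A indicators.
$indicators = @()

# 1. Autostart entry HKLM\...\Run "avserve.exe"="%WinDIR%\avserve.exe"
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runVal = Get-ItemProperty -Path $runKey -Name 'avserve.exe' -ErrorAction SilentlyContinue
if ($runVal) { $indicators += "Run key value avserve.exe = $($runVal.'avserve.exe')" }

# 2. Dropped copy of the worm in %WinDIR% (the page gives a size of 15,872 bytes)
$dropPath = Join-Path $env:windir 'avserve.exe'
if (Test-Path $dropPath) {
    $size = (Get-Item $dropPath).Length
    $indicators += "File present: $dropPath ($size bytes)"
}

# 3. Log of infection attempts written by the worm
if (Test-Path 'C:\win.log') { $indicators += 'File present: C:\win.log' }

# 4. Running process named avserve
Get-Process -Name avserve -ErrorAction SilentlyContinue |
    ForEach-Object { $indicators += "Process avserve.exe running, PID $($_.Id)" }

# 5. Listeners on the FTP port (5554) and the shell port (9996) used by the worm.
#    netstat -ano is used instead of Get-NetTCPConnection so it also works on older hosts.
netstat -ano 2>$null |
    Select-String -Pattern ':(5554|9996)\s+\S+\s+LISTENING\s+(\d+)' |
    ForEach-Object {
        $port = $_.Matches[0].Groups[1].Value
        $owner = $_.Matches[0].Groups[2].Value
        $indicators += "Listening on TCP $port, PID $owner"
    }

# 6. The worm's mutex (Jobaka3l); OpenExisting throws when the mutex is absent.
foreach ($name in 'Jobaka3l', 'Global\Jobaka3l') {
    try {
        $m = [System.Threading.Mutex]::OpenExisting($name)
        $m.Dispose()
        $indicators += "Mutex present: $name"
    } catch { }   # not found or no access: nothing to report
}

if ($indicators.Count -eq 0) {
    'No Sasser.A indicators found.'
} else {
    'Sasser.A indicators found:'
    $indicators | ForEach-Object { " - $_" }
}
```

Run it from an elevated PowerShell session, since the HKLM Run key and other processes' listeners may not be readable otherwise.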
Description inserted by Crony Walker on Tuesday, 15 June 2004
