W32/Sasser-A

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Several Reports


W32/Sasser-A is a self-executing network worm that spreads from infected machines over the internet. It exploits the Microsoft Windows vulnerability described in MS04-011 and instructs vulnerable systems to download and execute the viral code.

It does not spread via email.

Infected computers may run more slowly than normal and shut down intermittently.

W32/Sasser-A attempts to connect to computers through ports TCP/9996 and TCP/445. If a Windows computer is not patched against the LSASS vulnerability, an FTP script is downloaded and executed; the script connects to port 5554 and downloads a copy of the worm via FTP (File Transfer Protocol).

The worm copies itself to the Windows folder with the filename avserve.exe and sets the following registry key to auto-start on user logon:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avserve = avserve.exe
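
The indicators described above (the avserve Run value, the avserve.exe file name, and TCP ports 5554 and 9996) can be checked against output collected from a suspect host. The Python below is an added example, not part of the original description; it assumes the saved text of `reg query` on the Run key and of `netstat -an`, and the function names and sample input are constructed for illustration.

```python
import re

# Indicators taken from the description above.
RUN_VALUE = "avserve"
WORM_FILE = "avserve.exe"
WORM_PORTS = {5554, 9996}  # TCP/445 left out: ordinary SMB traffic uses it too

# Constructed sample input (documentation addresses), not captured from a real host.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ExampleUpdater    REG_SZ    "C:\Program Files\Example\updater.exe" /background
    avserve    REG_SZ    avserve.exe
"""
SAMPLE_NETSTAT = """
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5554           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1037        198.51.100.7:9996      ESTABLISHED
  TCP    192.0.2.10:1041        192.0.2.20:139         ESTABLISHED
"""

def check_run_key(reg_text):
    """Return (name, data) Run entries matching the worm's auto-start value."""
    hits = []
    for line in reg_text.splitlines():
        # Value lines look like: <indent><name>    REG_SZ    <data>
        m = re.match(r"\s+(.+?)\s+REG_(?:EXPAND_)?SZ\s+(.*\S)\s*$", line)
        if not m:
            continue
        name, data = m.group(1), m.group(2)
        exe = re.split(r"[\\/]", data.strip('"'))[-1].lower()
        if name.lower() == RUN_VALUE or exe == WORM_FILE:
            hits.append((name, data))
    return hits

def check_netstat(netstat_text):
    """Return TCP rows whose local or remote port is in WORM_PORTS (assumed suspicious)."""
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue
        ports = {int(p) for p in (e.rsplit(":", 1)[-1] for e in fields[1:3]) if p.isdigit()}
        if ports & WORM_PORTS:
            hits.append((fields[1], fields[2], fields[3]))
    return hits

if __name__ == "__main__":
    print("Run key hits:", check_run_key(SAMPLE_REG))
    print("Port hits:", check_netstat(SAMPLE_NETSTAT))
```

A port match alone is only a lead, since other software can use these ports; a matching Run value together with a port hit is the stronger signal.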

The Microsoft vulnerability was first reported on 13 April, and Microsoft have issued protection, which can be downloaded from Microsoft Security Bulletin MS04-011.

Further reading: Information on the Sasser internet worm
