W32/Sasser-E is a network worm spread by exploiting
a Microsoft LSASS vulnerability.
The worm copies itself to the Windows folder and sets
the following registry entry to auto-start on user logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
LSASS SVR = lsasss.exe
W32/Sasser-E attempts to connect out on port TCP/1022 and
TCP/445 and exploit the LSASS vulnerability. An FTP script
is then downloaded and executed which connects back on
port TCP/1023 to download a copy of the worm via FTP.