W32/Sasser-F is a network worm that spreads by exploiting a Microsoft
LSASS vulnerability.
The worm copies itself to the Windows folder as NAPATCH.EXE and sets the
following registry entry to auto-start on user logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
nvpatch = napatch.exe
W32/Sasser-F attempts to connect to random IP addresses on ports TCP/445
and TCP/9996 and then exploit the LSASS vulnerability. If successful, an FTP
script is uploaded to and executed on the remote computer, which then
connects back on port 5554 to download a copy of the worm via FTP.
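
The network behaviour described above can be looked for in connection logs. The following is an added example, not part of the original advisory: the flow-record format (timestamp, source, destination, destination port), the fan-out threshold and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

SCAN_PORTS = {445, 9996}   # ports the advisory says the worm probes
FTP_BACK_PORT = 5554       # port a compromised target connects back to
FANOUT_THRESHOLD = 5       # assumption: distinct targets before a host counts as scanning

# Constructed sample flow records: "timestamp src_ip dst_ip dst_port"
SAMPLE_FLOWS = """\
1000 10.0.0.7 172.16.4.10 445
1001 10.0.0.7 192.168.9.3 445
1001 10.0.0.7 172.16.4.10 9996
1002 10.0.0.7 10.44.1.8 445
1003 10.0.0.7 172.20.3.77 445
1004 172.16.4.10 10.0.0.7 5554
1005 10.0.0.7 192.168.30.2 445
1006 10.0.0.9 10.0.0.2 445
1007 10.0.0.9 10.0.0.2 445
1008 10.0.0.7 10.200.5.5 445
"""

def parse_flows(text):
    """Yield (src, dst, dport) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        yield parts[1], parts[2], int(parts[3])

def find_suspects(flows, threshold=FANOUT_THRESHOLD):
    """Return hosts that probe many distinct peers on the scan ports, with
    any probed peers that later connected back to them on port 5554."""
    targets = defaultdict(set)     # src -> distinct dsts probed on 445/9996
    callbacks = defaultdict(set)   # host -> peers that connected to it on 5554
    for src, dst, dport in flows:
        if dport in SCAN_PORTS:
            targets[src].add(dst)
        elif dport == FTP_BACK_PORT:
            callbacks[dst].add(src)
    report = {}
    for host, dsts in targets.items():
        if len(dsts) >= threshold:
            # A probed peer that connects back on 5554 is a probable new infection.
            victims = sorted(dsts & callbacks.get(host, set()))
            report[host] = {"scanned": len(dsts), "probable_victims": victims}
    return report

if __name__ == "__main__":
    print(find_suspects(parse_flows(SAMPLE_FLOWS)))
```

A host that talks to a single file server on TCP/445 stays below the threshold and is not reported; only the fan-out to many distinct addresses, optionally followed by a 5554 connect-back, is flagged.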
W32/Sasser-F may cause the program LSASS.EXE to terminate, which generally
prompts Windows to shut down and reboot. However, W32/Sasser-F attempts to
prevent a system shutdown.