W32/Sasser-B

Category: Viruses and Spyware
Type: Win32 worm
Prevalence:


Please note: Sophos detects both the B and C variants of the Sasser worm as W32/Sasser-B.

W32/Sasser-B is a network worm which spreads by exploiting the Microsoft LSASS vulnerability on port 445.

For further information on this vulnerability see Microsoft Security Bulletin MS04-011.

When first run, W32/Sasser-B copies itself to the Windows folder as avserve2.exe and creates the following registry entry so that avserve2.exe runs automatically each time Windows starts:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
avserve2.exe = %WINDOWS%\avserve2.exe

A harmless text file named win2.log is created in the C:\ root folder.
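The three host artifacts described above (the Run value, the copy in the Windows folder and the win2.log file) can be checked together on a suspect machine. The following PowerShell is an added example, not Sophos code; the function name and output fields are illustrative, and it assumes %WINDOWS% on this page refers to the folder in `$env:windir`.

```powershell
# Added example: reports which W32/Sasser-B host artifacts named on this page exist locally.
function Test-SasserBIndicators {
    [CmdletBinding()]
    param(
        # Assumption: %WINDOWS% in the description is the Windows folder.
        [string]$WindowsDir = $env:windir
    )

    $runKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $runName  = 'avserve2.exe'
    $wormCopy = Join-Path $WindowsDir 'avserve2.exe'
    $logFile  = 'C:\win2.log'

    # Read the Run value without raising an error when it is absent.
    $prop    = Get-ItemProperty -Path $runKey -Name $runName -ErrorAction SilentlyContinue
    $runData = if ($prop) { $prop.$runName } else { $null }

    $checks = @(
        @{ Indicator = 'Run value';   Location = "$runKey\$runName"; Present = ($null -ne $runData); Detail = $runData },
        @{ Indicator = 'Worm copy';   Location = $wormCopy; Present = (Test-Path -LiteralPath $wormCopy -PathType Leaf); Detail = $null },
        @{ Indicator = 'Marker file'; Location = $logFile;  Present = (Test-Path -LiteralPath $logFile -PathType Leaf);  Detail = $null }
    )

    # One object per indicator, with a fixed column order for reporting.
    foreach ($c in $checks) {
        New-Object PSObject -Property $c | Select-Object Indicator, Location, Present, Detail
    }
}

$results = @(Test-SasserBIndicators)
$results | Format-Table -AutoSize

# Any single hit is worth investigating; all three together match the behaviour described here.
if ($results | Where-Object { $_.Present }) {
    Write-Warning 'One or more W32/Sasser-B artifacts found on this host.'
}
```

The Detail column shows the data stored in the Run value, which the description above gives as the path to avserve2.exe in the Windows folder.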

Further reading:
Sasser internet worm attacks unpatched PCs, Sophos advises of virus threat
