Sophos

W32/Sasser-A

Aliases
  • W32/Sasser.worm
  • Win32/Sasser.A
  • W32.Sasser.Worm
  • WORM_SASSER.A

Summary

 
Protection available since: 1 May 2004 06:48:08 (GMT)
Last updated: 12 May 2004 09:34:45 (GMT)
Detected by: All Sophos products

More Information

W32/Sasser-A is a self-executing network worm that spreads from infected machines over the internet. It exploits the Microsoft Windows vulnerability described in MS04-011 and instructs vulnerable systems to download and execute the viral code.

It does not spread via email.

Infected computers may run more slowly than normal and shut down intermittently.

W32/Sasser-A attempts to connect to computers through ports TCP/9996 and TCP/445. If a Windows computer is not patched against the LSASS vulnerability, an FTP script is downloaded and executed on it; the script connects to port 5554 and downloads a copy of the worm via FTP (File Transfer Protocol).
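The port sequence described above can be correlated in connection logs to separate hosts that were only probed from hosts that went on to fetch the worm. This is an added example, not Sophos code: the space-separated log format, the sample lines and the function name are hypothetical, and it assumes the port-5554 connection goes back to the host that made the 445 and 9996 connections, which the description does not state explicitly.

```python
import re
from collections import defaultdict

EXPLOIT_PORTS = {445, 9996}   # ports the worm connects to, per the description
FTP_PORT = 5554               # port the downloaded FTP script connects to

# Constructed sample log, in time order: timestamp src dst proto dst_port
SAMPLE_LOG = """\
2004-05-01T10:00:01 10.0.0.7 10.0.0.21 TCP 445
2004-05-01T10:00:02 10.0.0.7 10.0.0.21 TCP 9996
2004-05-01T10:00:03 10.0.0.21 10.0.0.7 TCP 5554
2004-05-01T10:00:05 10.0.0.7 10.0.0.22 TCP 445
2004-05-01T10:00:06 10.0.0.7 10.0.0.22 TCP 9996
2004-05-01T10:01:00 10.0.0.30 10.0.0.40 TCP 445
"""

LINE = re.compile(r"^\S+\s+(\S+)\s+(\S+)\s+TCP\s+(\d+)$")


def classify(log_text):
    """Map host -> 'probed', 'likely infected' or 'likely source'."""
    probed = defaultdict(set)   # (src, dst) -> exploit ports seen so far
    findings = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue            # skip malformed or non-TCP lines
        src, dst, port = m.group(1), m.group(2), int(m.group(3))
        if port in EXPLOIT_PORTS:
            probed[(src, dst)].add(port)
            # Port 445 alone is ordinary SMB; require both ports from one peer.
            if probed[(src, dst)] == EXPLOIT_PORTS:
                findings.setdefault(dst, "probed")
        elif port == FTP_PORT and probed.get((dst, src)) == EXPLOIT_PORTS:
            # The probed host called back on 5554: the FTP download stage.
            findings[src] = "likely infected"
            findings[dst] = "likely source"
    return findings


if __name__ == "__main__":
    for host, status in sorted(classify(SAMPLE_LOG).items()):
        print(host, status)
```

A host reported as "probed" with no later port-5554 connection was contacted on both ports but did not proceed to the download stage in the logged period.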

The worm copies itself to the Windows folder with the filename avserve.exe and sets the following registry entry so that it starts automatically at user logon:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avserve = avserve.exe

The Microsoft vulnerability was first reported on 13 April, and Microsoft have issued protection, which can be downloaded from Microsoft Security Bulletin MS04-011.

Further reading: Information on the Sasser internet worm
