W32/Sasser-D

Category	Viruses and Spyware
Type	Worm
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


Protection available since	3 May 2004 16:17:52 (GMT)
Detected by	All Sophos products

Free virus scan
Download the Threat Detection Test

Free virus, spyware, and adware scan
Test your existing anti-virus protection
Find threats your anti-virus missed

Action

Summary
Action
More Information

Please follow the instructions for removing worms.

Please read the instructions for removing W32/Sasser-D.

More Information

Summary
Action
More Information

W32/Sasser-D is a network worm that exploits the Windows LSASS vulnerability.

W32/Sasser-D generates random IP addresses and attempts to send them an ICMP echo. If successful, W32/Sasser-D attempts to connect to them on ports TCP/9995 and TCP/445 and exploit the LSASS vulnerability. An FTP script is
then downloaded and executed which connects back on port 5554 to download a copy of the worm via FTP.

For further information on this vulnerability see http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx.

When first run W32/Sasser-D copies itself to the Windows folder with the filename skynetave.exe and creates the registry entry, so the worm is run automatically each time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
skynetave.exe = %WINDOWS%\skynetave.exe

A harmless text file is created in the C:\ root folder named win2.log.

Get reports about the latest virus and spyware threats delivered to your computer

In this section

W32/Sasser-D

Summary

Action

More Information