W32/Sasser-E

Category	Viruses and Spyware
Type	Virus
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


Affected operating systems	Windows
Protection available since	9 May 2004 23:49:20 (GMT)
Last updated	6 February 2009 19:41:27 (GMT)
Detected by	All Sophos products

Free virus scan
Download the Threat Detection Test

Free virus, spyware, and adware scan
Test your existing anti-virus protection
Find threats your anti-virus missed

Action

Summary
Action
More Information

Please follow the instructions for disinfecting PE executables.

Please read the instructions for removing W32/Sasser-E.

More Information

Summary
Action
More Information

W32/Sasser-E is a network worm spread by exploiting
a Microsoft LSASS vulnerability.

The worm copies itself to the Windows folder and sets
the following registry entry to auto-start on user logon:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
LSASS SVR = lsasss.exe

W32/Sasser-E attempts to connect out on port TCP/1022 and
TCP/445 and exploit the LSASS vulnerability. An FTP script
is then downloaded and executed which connects back on
port TCP/1023 to download a copy of the worm via FTP.

Get reports about the latest virus and spyware threats delivered to your computer

In this section

Sophos blogs

W32/Sasser-E

Summary

Action

More Information