Sophos

W32/Sasser-E


Summary

 
Included in our products from: June 2004 (3.82)
Protection available since: 9 May 2004 23:49:20 (GMT)
Detected by: All Sophos products


More Information

W32/Sasser-E is a network worm which spreads by exploiting the Microsoft LSASS vulnerability.

For further information on this vulnerability see Microsoft Security Bulletin MS04-011.

When first run, W32/Sasser-E copies itself to the Windows folder with the filename lsasss.exe and creates the following registry entry so that the worm runs automatically each time Windows starts:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
LSASS SVR = lsasss.exe

W32/Sasser-E attempts to connect out on ports TCP/1022 and TCP/445. An FTP script is then downloaded and executed; it connects back on port TCP/1023 to download a copy of the worm via FTP.

W32/Sasser-E displays a message box two hours after execution, encouraging users to apply the Microsoft security patch.
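
The indicators described above (the LSASS SVR Run value, the lsasss.exe filename, and TCP ports 445, 1022 and 1023) can be checked against data collected from hosts and the network. The following is an added example, not Sophos code: the sample `reg query` output and flow records are constructed, and the function names and the fan-out threshold are assumptions.

```python
import re
from collections import defaultdict

# Indicators from the description above; FANOUT is an assumed triage threshold.
RUN_VALUE, RUN_FILE = "lsass svr", "lsasss.exe"
OUT_PORTS, FTP_PORT, FANOUT = {445, 1022}, 1023, 4
# Constructed `reg query` output for HKLM\...\CurrentVersion\Run.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SoundMan    REG_SZ    SOUNDMAN.EXE
    LSASS SVR    REG_SZ    lsasss.exe
"""
# Constructed flow records: "src dst dst_port" (documentation address range).
SAMPLE_FLOWS = """
192.0.2.10 192.0.2.21 445
192.0.2.10 192.0.2.22 1022
192.0.2.10 192.0.2.23 445
192.0.2.10 192.0.2.24 445
192.0.2.23 192.0.2.10 1023
192.0.2.30 192.0.2.5 445
"""

REG_LINE = re.compile(r"^[ \t]+(.+?)[ \t]{2,}REG_\w+[ \t]{2,}(.*)$", re.M)

def run_key_hits(reg_text):
    """Return (name, data) Run values matching the worm's autostart entry."""
    hits = []
    for name, data in REG_LINE.findall(reg_text):
        # Compare on the file name only, so a full path still matches.
        exe = data.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1]
        if name.strip().lower() == RUN_VALUE or exe.lower() == RUN_FILE:
            hits.append((name.strip(), data.strip()))
    return hits

def flow_hits(flow_text):
    """Return {host: set(reasons)} for traffic matching the described pattern."""
    fanout, hits = defaultdict(set), defaultdict(set)
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue  # skip blank or malformed records
        src, dst, port = parts[0], parts[1], int(parts[2])
        if port in OUT_PORTS:
            fanout[src].add(dst)  # distinct destinations contacted on 445/1022
        elif port == FTP_PORT:
            hits[src].add("fetched from TCP/1023")
            hits[dst].add("served on TCP/1023")
    for src in (s for s, d in fanout.items() if len(d) >= FANOUT):
        hits[src].add("fan-out on TCP/445 and TCP/1022")
    return dict(hits)
```

The file-name match is on lsasss.exe, with three trailing "s" characters; the legitimate Windows process is lsass.exe, which this check does not flag.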
