Sasser

W32/Sasser.worm and variants updated 5/4/2004, 11:45 AM

A new worm has been detected in the wild and at NIH. It spreads by exploiting a Microsoft Windows vulnerability [MS04-011 vulnerability (CAN-2003-0533)]

The worm spreads with the file name: avserve.exe (w32/Sasser), avserve2.exe (W32/Sasser.b and C) and skynetave.exe (W32/Sasser.d)

Important information from Microsoft regarding this patch is at http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

A side effect of this worm is that it may cause the LSASS.exe process to crash which leads to the machine rebooting.

NAI's Stinger removal tool for W32/Sasser, W32/Sasser.b and W32/Sasser.c is available here

Symantec's removal tool for W32.Sasser (including the "b" and "c" variants) is available here

Microsoft's removal tool for Sasser.A and Sasser.B is available here

ISSO's and Admins can use the Retina scanner to search for machines not patched for MS04-011

NAI has released SuperDAT 4357 and later to detect and remove variants of W32/Sasser, w32/Sasser.b, W32/Sasser.c, and W32/Sasser.d.

Symantec released virus definitions 5/3/2004 rev. 22 and later to detect and remove W32/Sasser, W32/Sasser.b, W32/Sasser.c and W32/Sasser.d. Definitions are available through the LiveUpdate feature of Symantec Antivirus.

Additional information is at:

http://www.microsoft.com/security/incident/sasser.mspx from Microsoft
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html from Symantec
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.b.worm.html W32/Sasser.b from Symantec
http://vil.nai.com/vil/content/v_125007.htm from Network Associates
http://vil.nai.com/vil/content/v_125008.htm W32/Sasser.b from Network Associates

This archive is not intended to be comprehensive. For a more complete virus library, please visit NAI's Virus Information Library at http://vil.nai.com.