Intrusion Prevention

Worm.W32.Sasser

Description

This indicates an attempt by the Sasser worm to download worm binaries from a remote FTP shell.
Sasser is a worm that installs itself on a victim machine under the System directory as avserve.exe, avserve2.exe or skynetave.exe, depending on the variant. It creates a mutex named Jobaka31 to ensure only one copy runs in memory, starts an FTP server on port 5554 to distribute the worm executables, and spawns a number of threads to scan for and exploit vulnerable systems. The number of threads spawned varies with the variant of the worm. The worm scans random IP addresses. Upon successfully exploiting a vulnerable system, it opens a shell on the target system on port 9995 or 9996 and sends a command instructing the target to fetch the worm binaries via FTP from the infected system on port 5554 (where the mini FTP server is running).
There are several variants of the Sasser worm, such as Sasser.A, Sasser.B, Sasser.C and Sasser.D. The variants differ in how they exploit vulnerable systems, in the number of scanning threads, and in how they scan.
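The propagation sequence described above leaves a recognisable two-step pattern in network flow data: a connection to a victim on port 9995 or 9996, followed shortly by the victim connecting back to the same host on port 5554 to fetch the binaries. The correlation below is an added detection example, not part of this signature entry or of any vendor product; the flow record format, the hosts and the 300-second window are assumptions.

```python
import re
from collections import defaultdict

# Constructed flow records (assumed format, not from the page):
# "<epoch> <src>:<sport> -> <dst>:<dport> <proto>"
SAMPLE_FLOWS = """\
1000 10.0.0.5:1034 -> 10.0.0.9:9996 tcp
1002 10.0.0.9:1101 -> 10.0.0.5:5554 tcp
1003 10.0.0.7:3322 -> 10.0.0.8:9995 tcp
1900 10.0.0.8:2020 -> 10.0.0.7:5554 tcp
1005 10.0.0.2:4000 -> 10.0.0.3:80 tcp
"""

FLOW_RE = re.compile(r"^(\d+) (\S+?):(\d+) -> (\S+?):(\d+) (\w+)$")
SHELL_PORTS = {9995, 9996}   # shell opened on the exploited target (from the page)
FTP_PORT = 5554              # mini FTP server on the infected host (from the page)
WINDOW = 300                 # assumed max seconds between shell and FTP fetch


def parse_flows(text):
    """Parse flow lines into (ts, src, sport, dst, dport, proto), sorted by time."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue  # ignore malformed records
        ts, src, sport, dst, dport, proto = m.groups()
        flows.append((int(ts), src, int(sport), dst, int(dport), proto))
    return sorted(flows)


def find_sasser_pairs(text, window=WINDOW):
    """Return (infected_host, victim_host, shell_ts, fetch_ts) for each
    shell-on-9995/9996 followed by victim->infected:5554 within `window` seconds."""
    shells = defaultdict(list)  # (infected, victim) -> [shell timestamps]
    hits = []
    for ts, src, _, dst, dport, proto in parse_flows(text):
        if proto != "tcp":
            continue
        if dport in SHELL_PORTS:
            shells[(src, dst)].append(ts)
        elif dport == FTP_PORT:
            # The victim (src) pulls binaries back from the infected host (dst).
            for shell_ts in shells.get((dst, src), []):
                if 0 <= ts - shell_ts <= window:
                    hits.append((dst, src, shell_ts, ts))
                    break
    return hits


if __name__ == "__main__":
    for infected, victim, t_shell, t_fetch in find_sasser_pairs(SAMPLE_FLOWS):
        print(f"Sasser-like propagation: {infected} -> {victim} (shell {t_shell}, fetch {t_fetch})")
```

The second pair in the sample data falls outside the window and is not reported; widen the window if your environment's fetch latency is higher.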

Affected Products

Any unprotected Windows 2000, 2003 or XP system is vulnerable to the attack.

Impact

The worm's self-spreading activity may significantly degrade the performance of the victim system.
In addition, the worm can crash LSASS.EXE and even the entire system.

Recommended Actions

Remove the Sasser worm from the infected machine. Microsoft has released a tool to remove this worm:
http://support.microsoft.com/kb/841720
Apply the appropriate patches from Microsoft:
http://www.microsoft.com/technet/security/Bulletin/MS04-011.mspx

CVE References

CVE-2003-0533