From; Sophos Alert System: Name: W32/Sasser-A Aliases: W32/Sasser.worm Type: Win32 worm Date: 1 May 2004 A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the June 2004 (3.82) release of Sophos Anti-Virus. Customers using Enterprise Manager, PureMessage and any of the Sophos small business solutions will be automatically protected at their next scheduled update. Information about W32/Sasser-A can be found at: http://www.sophos.com/virusinfo/analyses/w32sassera.html Description W32/Sasser-A is a network worm that spreads by exploiting the Microsoft LSASS vulnerability. Microsoft has issued a patch to secure against this vulnerability which can be downloaded from Microsoft Security Bulletin MS04-011. The worm copies itself to the Windows folder with the filename avserve.exe and sets the following registry key to auto-start on user logon: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avserve = avserve.exe W32/Sasser-A attempts to connect out on port TCP/9996 and TCP/445 and exploit the LSASS vulnerability. An FTP script is then downloaded and executed which connects back on port 5554 to download a copy of the worm via FTP. Recovery Please follow the instructions for removing worms. Download the IDE file from: http://www.sophos.com/downloads/ide/sasser-a.ide Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats: Zip file: http://www.sophos.com/downloads/ide/ides.zip Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe Read about how to use IDE files at http://www.sophos.com/downloads/ide/using.html *********** MIKE"S REPLY SEPARATOR *********** Mike ~ It is a good day if I learned something new. Editor MikesWhatsNews see a sample on my web page http://www3.telus.net/mikebike <mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe> http://www3.telus.net/mikebike/worm_removal.htm See my Anti-Virus pages http://virusinfo.hackfix.org/index <virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe> A Technical Support Alliance and OWTA Charter Member