[virusinfo] Sophos Anti-Virus IDE alert: W32/Sasser-A

• From: "Mike" <mikebike@xxxxxxxxx>
• To: virusinfo@xxxxxxxxxxxxx
• Date: Sat, 01 May 2004 07:38:59 -0700

From; Sophos Alert System:

Name: W32/Sasser-A
Aliases: W32/Sasser.worm
Type: Win32 worm
Date: 1 May 2004

A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the June 2004 (3.82) release of Sophos Anti-Virus.

Customers using Enterprise Manager, PureMessage and any 
of the Sophos small business solutions will be automatically
protected at their next scheduled update.


Information about W32/Sasser-A can be found at:
http://www.sophos.com/virusinfo/analyses/w32sassera.html
Description 
W32/Sasser-A is a network worm that spreads by exploiting the Microsoft
LSASS vulnerability. Microsoft has issued a patch to secure against this
vulnerability which can be downloaded from Microsoft Security Bulletin
MS04-011. 
The worm copies itself to the Windows folder with the filename avserve.exe
and sets the following registry key to auto-start on user logon: 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avserve = avserve.exe 

W32/Sasser-A attempts to connect out on port TCP/9996 and TCP/445 and
exploit the LSASS vulnerability. An FTP script is then downloaded and
executed which connects back on port 5554 to download a copy of the worm via
FTP. 
 
 
Recovery 
Please follow the instructions for removing worms. 

Download the IDE file from:
http://www.sophos.com/downloads/ide/sasser-a.ide

Download all the IDE files available for the current version of 
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html


*********** MIKE"S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 

Other related posts:

• » [virusinfo] Sophos Anti-Virus IDE alert: W32/Sasser-A
• » [virusinfo] : Sophos Anti-Virus IDE alert: W32/Sasser-A

1. Home
2. virusinfo
3. Archive
4. 05-2004

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---