[virusinfo] : Sophos Anti-Virus IDE alert: W32/Sasser-A

• From: "Mike" <mikebike@xxxxxxxxx>
• To: virusinfo@xxxxxxxxxxxxx
• Date: Wed, 12 May 2004 09:04:31 -0700

*********** REPLY SEPARATOR  ***********

On 12/05/2004 at 10:44 AM Sophos Alert System wrote:

Name: W32/Sasser-A
Aliases: W32/Sasser.worm, Win32/Sasser.A, W32.Sasser.Worm, WORM_SASSER.A
Type: Win32 worm
Date: 12 May 2004

A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the June 2004 (3.82) release of Sophos Anti-Virus.

Customers using Enterprise Manager, PureMessage and any of the
Sophos small business solutions will be automatically protected
at their next scheduled update.


Sophos has received several reports of this worm from the wild.


Note: Sophos has been detecting W32/Sasser-A since 06:30 GMT on
01 May 2004 and has issued this updated IDE to improve
detection.

Information about W32/Sasser-A can be found at:
http://www.sophos.com/virusinfo/analyses/w32sassera.html
Description 
W32/Sasser-A worm is a self-executing network worm, which travels from
infected machines via the internet, exploiting a Microsoft Windows
vulnerability MS04-011, and instructs vulnerable systems to download and
execute the viral code. 
It does not spread via email. 

Infected computers may run more slowly than normal and shut down
intermittently. 

W32/Sasser-A attempts to connect to computers through ports TCP/9996 and
TCP/445. If the Windows computers are not patched against the LSASS
vulnerability, an FTP script is downloaded and executed, which connects to
port 5554 and downloads a copy of the worm via FTP (File Transfer Protocol).


The worm copies itself to the Windows folder with the filename avserve.exe
and sets the following registry key to auto-start on user logon: 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avserve = avserve.exe 

The Microsoft vulnerability was first reported on 13 April, and Microsoft
have issued protection, which can be downloaded from Microsoft Security
Bulletin MS04-011. 

Further reading: Information on the Sasser internet worm 
 
 
Recovery 
Please follow the instructions for removing W32/Sasser-A 

Download the IDE file from:
http://www.sophos.com/downloads/ide/sasser-a.ide

Download all the IDE files available for the current version of 
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html


*********** MIKE"S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 

Other related posts:

• » [virusinfo] Sophos Anti-Virus IDE alert: W32/Sasser-A
• » [virusinfo] : Sophos Anti-Virus IDE alert: W32/Sasser-A

1. Home
2. virusinfo
3. Archive
4. 05-2004

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---