ZDNet UK


Skip to Main Content

ZDNet.co.uk - Winner of Best Business Website 2007
  1. Home
  2. News
  3. Blogs
  4. Reviews
  5. Jobs
  6. Resources
  7. Community
  8. My ZDNet

 

ZDNet UK RSS Feeds


Security management Toolkit

Sasser.a and Sasser.b: Prevention and cure

Robert Vamosi CNET News.com

Published: 05 May 2004 12:00 BST

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

Sasser and its variations are network-aware worms that do not require email or user interaction to spread. The worms use a bootstrap effect by infecting new machines first, then downloading the full code from a previously infected machine.

Sasser (w32.sasser.a) and Sasser.b (w32.sasser.b) are both 15,872 bytes long, and they randomly scan local networks and the Internet to look for additional systems to infect. This scanning could slow normal traffic on the Internet.

Vulnerable systems include Windows 2000 and Windows XP installations that have not had the Microsoft Security Bulletin patch MS04-011 installed and that are not running desktop firewall software. Sasser does not affect any other version of Windows, nor Linux, Unix, Mac OS, or any other operating system.

Because Sasser and its variations spread via the Internet and allow remote users to access your PC, this worm rates a 7 on the CNET/ZDNet Virus Meter.

How it works
Sasser takes advantage of a buffer-overrun flaw in the Local Security Authority Subsystem (LSASS), which allows an attacker to gain control of infected systems. Microsoft patched the flaw with MS04-011 on 13 April.

Sasser adds a copy of itself to the Windows directory under the name:
Sasser.a: AVSERVE.EXE
Sasser.b: AVSERVE2.EXE

It adds the following to the system Registry file:
Sasser.a: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run avserve.exe = c:\Windows\avserve.exe
Sasser.b: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run avserve2.exe = c:\Windows\avserve2.exe

This change to the Registry allows the worm to run once the machine reboots.

Next

Previous

1 2


  • Email
  • Trackback
  • Clip Link
  • Print friendlyPrint with Konica

Did you find this article useful?
145 out of 265 people found this useful


In association with Intel

Talkback

Post a comment


Full Talkback thread

0 comments

Related Links

More In Security management


Company/Topic Alerts

Create a new alert from the list below:



Related Jobs

Security Engineer

Desktop and Server Support - Worcester

Snr Network Engineer - Leicester - Permanent

Sentry Posts Blog

Toshiba developing quantum repeater

Toshiba is developing a device it hopes will allow for global quantum key distribution. The company is developing a quantum repeater, a device to regenerate a quantum key once quantum... More

Post a comment

Nasa hacker loses last-ditch appeal

Self-confessed Nasa hacker Gary McKinnon has lost his appeal to Home Secretary Jacqui Smith against extradition to the US. In an email sent to ZDNet.co.uk on Monday, McKinnon's... More

3 comments

Up to 1.7m MoD personal details missin...

The potential number of people affected by the the loss of a hard disk containing MoD details could be a high as 1.7 million, defence minister Bob Ainsworth told parliament on Monday. In... More

1 comment

Featured Talkback

In association with Intel
It seems to me this is a burden being placed on the wrong shoulders. There is not an It system in the world that can stop an individual taking information in their heads and spewing out at the nearest undesirable third party.

By: RonaldWilkins

Read full story:
Deloitte: People are still weakest security link

DOWNLOAD

Security Essentials

Security Downloads

There are masses of security suites out there for small businesses. Here's a selection to get you started

Editor’s Rating
1 Norton 360™
2 AVG Anti-Virus Free Edition Rating: 10
3 PC Tools AntiVirus Free Edition
4 Kaspersky Internet Security

See All Software

In association with Symantec