
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Sasser.B

  • Threat level: Severe threat
  • Damage: Severe
  • Distribution: Moderately widespread

Effects 

Sasser.B restarts Windows XP/2000 computers when it attempts to infect them by exploiting the LSASS vulnerability. When this happens, Sasser.B displays the following message on screen:

Infection strategy 

Sasser.B creates the following files:

  • AVSERVE2.EXE in the Windows directory. This file is a copy of the worm.
  • WIN2.LOG in the root directory of drive C:. This file contains the IP address of the affected computer.

Sasser.B creates the following entry in the Windows Registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    avserve2.exe = %windir%\avserve2.exe

    where %windir% is the Windows directory.
    By creating this entry, Sasser.B ensures it is run whenever Windows is started.

Means of transmission 

Sasser.B spreads via the Internet by attacking remote computers. To do so, it carries out the following routine:

  • Sasser.B launches 128 simultaneous threads that generate random IP addresses.
  • It attempts to connect to those IP addresses on TCP port 445.
  • If the connection succeeds, it checks whether the LSASS vulnerability can be exploited on the remote computer. This vulnerability is critical for Windows XP/2000 systems that have not been properly updated.
  • If so, Sasser.B opens a shell on TCP port 9996, through which it creates and runs the script CMD.FTP. Sasser.B then transfers itself to the vulnerable computer via FTP on TCP port 5554.
    This script is detected by Panda Software as Sasser.ftp.
  • The downloaded copy has a variable name of the form %number%_UP.EXE, where %number% is a random number.

When Sasser.B exploits the LSASS vulnerability, it triggers a buffer overrun in LSASS.EXE, which causes the computer to restart.

Sasser.B only spreads automatically to Windows XP/2000 computers. However, computers running other Windows operating systems can also be a source of transmission if a malicious user runs the file containing the worm on one of them.
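A defender-side check that ties together the indicators described above (the avserve2.exe Run-key entry, a host opening connections to many peers on TCP port 445, and listeners on TCP ports 9996 and 5554), added here as an example and not part of the original encyclopedia entry. The connection records and Run-key export are constructed sample data; their field layout and the scan threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from the original page): one record per
# line, "src_ip dst_ip dst_port state", as a host inventory tool might export.
SAMPLE_CONNECTIONS = """\
10.0.0.5 203.0.113.9 445 SYN_SENT
10.0.0.5 198.51.100.27 445 SYN_SENT
10.0.0.5 192.0.2.44 445 SYN_SENT
10.0.0.5 203.0.113.120 445 SYN_SENT
10.0.0.5 0.0.0.0 9996 LISTEN
10.0.0.5 0.0.0.0 5554 LISTEN
10.0.0.7 10.0.0.1 445 ESTABLISHED
""".splitlines()

# Constructed sample export of HKLM\...\CurrentVersion\Run (value name -> command).
SAMPLE_RUN_KEY = {
    "avserve2.exe": r"C:\WINDOWS\avserve2.exe",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}

SASSER_B_LISTENERS = {9996, 5554}  # shell and FTP ports named in the write-up
SCAN_THRESHOLD = 4                  # assumed: distinct tcp/445 peers before a host is flagged

def hosts_scanning_445(lines, threshold=SCAN_THRESHOLD):
    """Hosts that initiated connections to >= threshold distinct peers on tcp/445."""
    targets = defaultdict(set)
    for line in lines:
        src, dst, port, state = line.split()
        if port == "445" and state == "SYN_SENT":
            targets[src].add(dst)
    return sorted(h for h, t in targets.items() if len(t) >= threshold)

def hosts_with_sasser_listeners(lines):
    """Hosts listening on both of the worm's ports (9996 and 5554)."""
    listeners = defaultdict(set)
    for line in lines:
        src, _dst, port, state = line.split()
        if state == "LISTEN":
            listeners[src].add(int(port))
    return sorted(h for h, p in listeners.items() if SASSER_B_LISTENERS <= p)

def run_key_indicators(run_key):
    """Run-key value names whose command ends in avserve2.exe (the persistence entry)."""
    return sorted(name for name, cmd in run_key.items()
                  if re.search(r"(^|\\)avserve2\.exe$", cmd, re.IGNORECASE))

if __name__ == "__main__":
    print("tcp/445 scanners:", hosts_scanning_445(SAMPLE_CONNECTIONS))
    print("Sasser.B listeners:", hosts_with_sasser_listeners(SAMPLE_CONNECTIONS))
    print("Run-key hits:", run_key_indicators(SAMPLE_RUN_KEY))
```

Only a host showing all three signals should be treated as a likely infection; the tcp/445 count alone will also flag legitimate file-server clients on a busy network.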

Further Details  

Sasser.B is written in Visual C++. The worm is 15,872 bytes in size.