Sasser.B is a worm that spreads through systems vulnerable to the LSASS exploit (MS04-011).
Sasser.B creates a copy of itself in the Windows directory named AVSERVE2.EXE.
It also creates the following registry entry to ensure it is launched when the system is booted:
avserve2.exe = %windir%\avserve2.exe
Sasser.B exploits the LSASS vulnerability to access remote systems. More information about this exploit is available at the following URL:
The worm uses 128 threads to scan random IP addresses. If the connection through TCP port 445 succeeds, the worm checks whether the system is vulnerable. If it is, Sasser opens a shell on TCP port 9996 and forces an FTP connection through TCP port 5554 to download the worm to the vulnerable system. The downloaded copy of the worm is named %number%_up.exe, where %number% is a random number. As a side effect, the buffer overflow used by the exploit makes the LSASS.EXE application crash, which might lead to a system crash.
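The indicators described above can be combined into a simple triage pass over connection and file-creation logs. This is an added example, not part of the original write-up: the log line format, the scan threshold and the sample addresses and paths are constructed assumptions.

```python
import re
from collections import defaultdict

# Indicators taken from the description above.
SCAN_PORT, SHELL_PORT, FTP_PORT = 445, 9996, 5554
DROPPED_FILE = re.compile(r"(?:^|\\)\d+_up\.exe$", re.IGNORECASE)
WORM_COPY = re.compile(r"(?:^|\\)avserve2\.exe$", re.IGNORECASE)
SCAN_THRESHOLD = 20  # assumption: distinct TCP 445 destinations before flagging

def triage(lines):
    """Map each host to the Sasser.B indicators seen for it.

    Constructed line formats: 'conn <src> <dst> <dst_port>' and 'file <host> <path>'.
    """
    scan_targets = defaultdict(set)
    hits = defaultdict(set)
    for line in lines:
        kind, rest = line.split(None, 1)
        if kind == "conn":
            src, dst, port = rest.split()
            port = int(port)
            if port == SCAN_PORT:
                scan_targets[src].add(dst)
            elif port == SHELL_PORT:
                hits[dst].add("shell_port_9996")    # shell opened on the victim
            elif port == FTP_PORT:
                hits[src].add("ftp_download_5554")  # victim fetching the worm
                hits[dst].add("ftp_server_5554")    # host serving the worm
        elif kind == "file":
            host, path = rest.split(None, 1)
            if DROPPED_FILE.search(path):
                hits[host].add("dropped_file")
            elif WORM_COPY.search(path):
                hits[host].add("worm_copy")
    for src, dsts in scan_targets.items():
        if len(dsts) >= SCAN_THRESHOLD:
            hits[src].add("scan_445")
    return {host: sorted(found) for host, found in hits.items()}

# Constructed sample log: 10.0.0.5 is infected, 10.0.0.9 is its victim, 10.0.0.7 is benign.
SAMPLE = [f"conn 10.0.0.5 198.51.100.{i} 445" for i in range(1, 26)] + [
    "conn 10.0.0.7 10.0.0.2 445",
    "conn 10.0.0.5 10.0.0.9 9996",
    "conn 10.0.0.9 10.0.0.5 5554",
    r"file 10.0.0.9 C:\WINDOWS\system32\12345_up.exe",
    r"file 10.0.0.5 C:\WINDOWS\avserve2.exe",
    r"file 10.0.0.7 C:\tools\backup_up.exe",
]

if __name__ == "__main__":
    for host, found in sorted(triage(SAMPLE).items()):
        print(host, found)
```

A single connection to TCP 445 is normal file-sharing traffic, so only a fan-out to many distinct destinations is flagged; the threshold should be tuned to the environment.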