F-Secure Virus Descriptions : Sasser.B


THIS VIRUS IS RANKED AS LEVEL 2 ALERT UNDER F-SECURE RADAR.

NAME: Sasser.B
ALIAS: Worm.Win32.Sasser.b, W32/Sasser.B
SIZE: 15872

Summary

Sasser.B is an Internet worm that spreads by exploiting the LSASS vulnerability fixed by Microsoft patch MS04-011.

Sasser.B is a minor variant of Sasser.A, with identical length and functionality. The binary image differs only in the following respects:

- the dropped filename changed from AVSERVE.EXE to AVSERVE2.EXE
- the logfile is now called WIN2.LOG
- the scanning routine starts 128 processes instead of 128 threads

For more details, see the description of Sasser.A:

http://www.f-secure.com/v-descs/sasser.shtml

Disinfection

F-Secure has developed a special disinfection tool which can find and remove all known Sasser variants.

The tool is available from the following locations:

ftp://ftp.f-secure.com/anti-virus/tools/f-sasser.zip
ftp://ftp.f-secure.com/anti-virus/tools/f-sasser.exe
ftp://ftp.f-secure.com/anti-virus/tools/f-sasser.txt

or through HTTP:

http://www.f-secure.com/tools/f-sasser.zip
http://www.f-secure.com/tools/f-sasser.exe
http://www.f-secure.com/tools/f-sasser.txt

Before using the tool please read the disinfection instructions from 'f-sasser.txt'.

Manual Disinfection

To manually disinfect an infected system:

- first apply the Microsoft patch MS04-011
- then use Task Manager to kill the "avserve2.exe" process
- then delete the file AVSERVE2.EXE from your Windows directory
- finally, reboot the system

For step-by-step instructions, see Microsoft's site:
http://www.microsoft.com/security/incident/sasser.asp#steps
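A check for the artifacts named in this write-up, as an added PowerShell example that is not part of the original description or of F-Secure's f-sasser tool. It looks for the Sasser.A and Sasser.B dropped filenames (AVSERVE.EXE and AVSERVE2.EXE) and the WIN2.LOG logfile, reports what it finds, and performs the kill-and-delete steps only when run with -Remove; applying MS04-011 and rebooting are left to the administrator. The logfile location is an assumption, since the write-up names WIN2.LOG but not its directory.

```powershell
# Added example (not F-Secure's f-sasser tool): report the Sasser.A / Sasser.B
# artifacts named in the write-up, and remove them only when -Remove is given.
# Assumption: WIN2.LOG is looked for in the Windows directory and the root of
# the system drive; the write-up names the file but not its location.
param([switch]$Remove)

$windir   = $env:WINDIR
$droppers = @('avserve.exe', 'avserve2.exe')   # Sasser.A and Sasser.B dropped filenames
$logDirs  = @($windir, "$env:SystemDrive\")
$found    = $false

# Step 2 of the manual procedure: the running worm process
foreach ($name in $droppers) {
    $base = [IO.Path]::GetFileNameWithoutExtension($name)
    foreach ($p in @(Get-Process -Name $base -ErrorAction SilentlyContinue)) {
        $found = $true
        Write-Output "Running process: $($p.ProcessName) (PID $($p.Id), path $($p.Path))"
        if ($Remove) { Stop-Process -Id $p.Id -Force; Write-Output '  stopped' }
    }
}

# Step 3: the dropped executable in the Windows directory (write-up gives size 15872)
foreach ($name in $droppers) {
    $path = Join-Path $windir $name
    if (Test-Path -LiteralPath $path) {
        $found = $true
        $item  = Get-Item -LiteralPath $path
        $hash  = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $note  = if ($item.Length -eq 15872) { 'matches write-up' } else { 'differs from write-up' }
        Write-Output "Dropped file: $path (size $($item.Length), $note; SHA256 $hash)"
        if ($Remove) { Remove-Item -LiteralPath $path -Force; Write-Output '  deleted' }
    }
}

# Evidence only: the WIN2.LOG logfile indicates the B variant ran on this host
foreach ($dir in $logDirs) {
    $path = Join-Path $dir 'win2.log'
    if (Test-Path -LiteralPath $path) { $found = $true; Write-Output "Logfile: $path" }
}

if (-not $found) { Write-Output "No Sasser artifacts found under $windir" }
elseif ($Remove) { Write-Output 'Artifacts removed; apply MS04-011 if not yet installed, then reboot.' }
else { Write-Output 'Artifacts present; apply MS04-011, then re-run with -Remove and reboot.' }
```

Run from an elevated PowerShell prompt; without -Remove the script only reports, so it can be used to confirm a host is clean after disinfection.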




Detection

Detection in F-Secure Anti-Virus was published on May 1st, 2004 in update:

[FSAV_Database_Version]

Version=2004-05-01_02



Write-up: Mikko Hypponen, May 2nd, 2004

F-Secure Corporation, May 2nd, 2004