F-Secure Virus Descriptions : Sasser.C

Summary

Sasser.C is an Internet worm spreading through the MS04-011 (LSASS) vulnerability.

Sasser.C is a variant of Sasser.B, with identical length. Main difference is that this version starts 1024 processes to scan for new vulnerable hosts, instead of 128 processes.

For more details, see description of Sasser.B:

http://www.f-secure.com/v-descs/sasser_b.shtml

Disinfection

F-Secure has developed a special disinfection tool which can find and remove all known Sasser variants.

The tool is available from the following locations:

ftp://ftp.f-secure.com/anti-virus/tools/f-sasser.zip
ftp://ftp.f-secure.com/anti-virus/tools/f-sasser.exe
ftp://ftp.f-secure.com/anti-virus/tools/f-sasser.txt

or through HTTP:

http://www.f-secure.com/tools/f-sasser.zip
http://www.f-secure.com/tools/f-sasser.exe
http://www.f-secure.com/tools/f-sasser.txt

Before using the tool please read the disinfection instructions from 'f-sasser.txt'.

Manual Disinfection

To manually disinfect an infected system, first apply the Microsoft patch MS04-011, then use Task Manager to kill the "avserve2.exe" process, then delete the file AVSERVE2.EXE from your Windows directory and reboot.

For step-by-step instructions, see Microsoft's site:
http://www.microsoft.com/security/incident/sasser.asp#steps

Back to the Top

Detection

Detection in F-Secure Anti-Virus was published on May 1st, 2004 in update:

[FSAV_Database_Version]

Version=2004-05-01_02

Back to the Top

Write-up: Mikko Hypponen, May 3rd, 2004

F-Secure Corporation, May 2nd, 2004