F-Secure Virus Descriptions : Sasser.C


THIS VIRUS IS RANKED AS LEVEL 2 ALERT UNDER F-SECURE RADAR.


NAME: Sasser.C
ALIAS: Worm.Win32.Sasser.c, W32/Sasser.C
SIZE: 15872

Summary

Sasser.C is an Internet worm spreading through the MS04-011 (LSASS) vulnerability.

Sasser.C is a variant of Sasser.B and has the same file length. The main difference is that this version starts 1024 processes to scan for new vulnerable hosts, instead of 128 processes.

For more details, see the description of Sasser.B:

http://www.f-secure.com/v-descs/sasser_b.shtml

Disinfection

F-Secure has developed a special disinfection tool which can find and remove all known Sasser variants.

The tool is available from the following locations:

ftp://ftp.f-secure.com/anti-virus/tools/f-sasser.zip
ftp://ftp.f-secure.com/anti-virus/tools/f-sasser.exe
ftp://ftp.f-secure.com/anti-virus/tools/f-sasser.txt

or through HTTP:

http://www.f-secure.com/tools/f-sasser.zip
http://www.f-secure.com/tools/f-sasser.exe
http://www.f-secure.com/tools/f-sasser.txt

Before using the tool, please read the disinfection instructions in 'f-sasser.txt'.

Manual Disinfection

To manually disinfect an infected system, first apply the Microsoft patch MS04-011, then use Task Manager to kill the "avserve2.exe" process, then delete the file AVSERVE2.EXE from your Windows directory and reboot.

For step-by-step instructions, see Microsoft's site:
http://www.microsoft.com/security/incident/sasser.asp#steps




Detection

Detection in F-Secure Anti-Virus was published on May 1st, 2004 in update:

[FSAV_Database_Version]

Version=2004-05-01_02



Write-up: Mikko Hypponen, May 3rd, 2004

F-Secure Corporation, May 2nd, 2004