F-Secure Virus Descriptions : Sasser.D
Sasser.D is an Internet worm spreading through the MS04-011
(LSASS) vulnerability.
Sasser.D is a variant of Sasser.C. This version starts
128 processes to scan for new vulnerable hosts and sends
ICMP ECHO requests before attacking.
For more details, see the description of Sasser.B:
http://www.f-secure.com/v-descs/sasser_b.shtml
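The scanning behaviour described above (an ICMP ECHO request to a host before the attack) leaves a recognisable pattern in network flow logs. The following is an added example, not F-Secure's code: it flags sources that ping a host and then connect to the same host shortly afterwards, across several hosts. The log format, the 5-second window, the 3-host threshold and the use of TCP 445 as the LSASS port are assumptions of the example.

```python
from collections import defaultdict

LSASS_PORT = 445  # assumption: the MS04-011 LSASS service is reached over TCP 445 (not stated on the page)

# Constructed sample flow log: "<epoch_seconds> <src> <proto> <dst> <dst_port_or_icmp_type>"
SAMPLE_LOG = """\
100.0 10.0.0.5 icmp 10.0.1.1 echo-request
100.4 10.0.0.5 tcp 10.0.1.1 445
100.5 10.0.0.5 icmp 10.0.1.2 echo-request
100.9 10.0.0.5 tcp 10.0.1.2 445
101.0 10.0.0.5 icmp 10.0.1.3 echo-request
101.2 10.0.0.5 icmp 10.0.1.4 echo-request
101.6 10.0.0.5 tcp 10.0.1.4 445
102.0 10.0.0.9 icmp 10.0.1.1 echo-request
103.0 10.0.0.7 tcp 10.0.1.8 445
130.0 10.0.0.9 tcp 10.0.1.1 445
"""

def parse(log):
    """Yield (ts, src, proto, dst, detail) from well-formed lines only."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        try:
            yield float(parts[0]), parts[1], parts[2], parts[3], parts[4]
        except ValueError:
            continue  # timestamp was not a number

def ping_then_connect(log, window=5.0, min_targets=3):
    """Return {src: sorted targets} for sources that sent an echo request and then
    opened TCP/445 to the same host within `window` seconds, on >= min_targets hosts."""
    last_ping = {}             # (src, dst) -> time of most recent echo request
    paired = defaultdict(set)  # src -> hosts that saw ping followed by TCP/445
    for ts, src, proto, dst, detail in sorted(parse(log)):  # process in time order
        if proto == "icmp" and detail == "echo-request":
            last_ping[(src, dst)] = ts
        elif proto == "tcp" and detail == str(LSASS_PORT):
            pinged = last_ping.get((src, dst))
            if pinged is not None and ts - pinged <= window:
                paired[src].add(dst)
    return {s: sorted(d) for s, d in paired.items() if len(d) >= min_targets}

if __name__ == "__main__":
    for src, targets in ping_then_connect(SAMPLE_LOG).items():
        print(f"{src}: echo request then TCP/{LSASS_PORT} to {len(targets)} hosts: {targets}")
```

In the sample, 10.0.0.9 (a ping followed by a connection 28 seconds later) and 10.0.0.7 (a connection with no preceding ping) are not flagged; only the source that repeats the ping-then-connect pair across several hosts is.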
F-Secure has developed a special disinfection tool which can
find and remove all the known Sasser variants.
The tool is available from the following locations:
ftp://ftp.f-secure.com/anti-virus/tools/f-sasser.zip
ftp://ftp.f-secure.com/anti-virus/tools/f-sasser.exe
ftp://ftp.f-secure.com/anti-virus/tools/f-sasser.txt
or through HTTP:
http://www.f-secure.com/tools/f-sasser.zip
http://www.f-secure.com/tools/f-sasser.exe
http://www.f-secure.com/tools/f-sasser.txt
Before using the tool, please read the disinfection instructions
in 'f-sasser.txt'.
Manual Disinfection
To manually disinfect an infected system, first apply the Microsoft
patch MS04-011, then use Task Manager to kill the "skynetave.exe" process,
then delete the file 'skynetave.exe' from your Windows directory and reboot.
For step-by-step instructions, see Microsoft's site:
http://www.microsoft.com/security/incident/sasser.asp#steps
Detection in F-Secure Anti-Virus was published on May 3rd, 2004 in
update:
[FSAV_Database_Version]
Version=2004-05-03_03
Write-up:
Ero Carrera, May 4th, 2004
F-Secure Corporation, May 4th, 2004