F-Secure Virus Descriptions : Sasser.F




NAME: Sasser.F
ALIAS: W32/Sasser.F, Worm.Win32.Sasser.a
SIZE: 74752

Summary

Sasser.F is a minor modification of the Sasser.A worm. It shares all of its code and functionality, although it uses a different filename when copying itself into the system and a different mutex name.

Disinfection

F-Secure has developed a special disinfection tool which can find and remove all the known Sasser variants.

The tool is available from the following locations:

ftp://ftp.f-secure.com/anti-virus/tools/f-sasser.zip
ftp://ftp.f-secure.com/anti-virus/tools/f-sasser.exe
ftp://ftp.f-secure.com/anti-virus/tools/f-sasser.txt

or through HTTP:

http://www.f-secure.com/tools/f-sasser.zip
http://www.f-secure.com/tools/f-sasser.exe
http://www.f-secure.com/tools/f-sasser.txt

Before using the tool please read the disinfection instructions from 'f-sasser.txt'.

Manual Disinfection

To manually disinfect an infected system, first apply the Microsoft patch MS04-011, then use Task Manager to end the 'napatch.exe' process, delete the file 'napatch.exe' from your Windows directory, and reboot.

For step-by-step instructions, see Microsoft's site: http://www.microsoft.com/security/incident/sasser.asp#steps




Detailed Description

Sasser.F is an unpacked, edited and repacked version of Sasser.A.

For full details, please refer to the Sasser.A description:

http://www.f-secure.com/v-descs/sasser.shtml

System Infection

When the worm enters the system it creates a copy of itself in the Windows directory as 'napatch.exe'. This copy is added to the Registry as

 [SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "napatch.exe" = "%WinDir%\napatch.exe"

To ensure that only one copy of the worm is running it creates a mutex named 'billgate'.
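The persistence artifacts above (the 'napatch.exe' copy in the Windows directory and its Run-key value) are what an administrator would look for when triaging a host. The following is an added example, not F-Secure's disinfection tool or code from this advisory: it flags those two indicators in a Run-key listing and a Windows-directory file listing. The sample listings are constructed for the example; the live collector uses the standard-library winreg module and only runs on Windows. The 'billgate' mutex is not checked here, since that needs the Windows API rather than a file or registry listing.

```python
"""Added example (not F-Secure's tool): flag the Sasser.F persistence artifacts
named in the advisory in a Run-key listing and a Windows-directory file list."""
from typing import Dict, List, Tuple

# Indicators taken from the advisory: the worm copies itself into the Windows
# directory as 'napatch.exe' and registers that copy under the Run key.
SASSER_F_FILENAME = "napatch.exe"
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SASSER_F_SIZE = 74752  # file size given in the advisory header

# Constructed sample data standing in for a real host's listings.
SAMPLE_RUN_ENTRIES: Dict[str, str] = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "napatch.exe": r"C:\WINDOWS\napatch.exe",
}
SAMPLE_WINDIR_FILES: Dict[str, int] = {
    "explorer.exe": 1032192,
    "napatch.exe": 74752,
    "notepad.exe": 69120,
}


def check_run_entries(run_entries: Dict[str, str]) -> List[str]:
    """Return a finding for each Run value whose name or data points at napatch.exe.

    run_entries maps value name -> value data, as read from the Run key.
    Matching is case-insensitive because the registry is.
    """
    findings = []
    for name, data in run_entries.items():
        target = data.strip().strip('"').lower()
        if name.lower() == SASSER_F_FILENAME or target.endswith("\\" + SASSER_F_FILENAME):
            findings.append(f"{RUN_KEY} value {name!r} -> {data!r}")
    return findings


def check_windir_files(windir_files: Dict[str, int]) -> List[str]:
    """Return a finding if napatch.exe is present in %WinDir%.

    windir_files maps file name -> size in bytes. A size that differs from the
    advisory's is still reported, since a repacked sample would differ.
    """
    findings = []
    for fname, size in windir_files.items():
        if fname.lower() == SASSER_F_FILENAME:
            if size == SASSER_F_SIZE:
                note = "size matches advisory"
            else:
                note = f"size {size} differs from advisory ({SASSER_F_SIZE}); possibly another variant"
            findings.append(f"%WinDir%\\{fname} present ({note})")
    return findings


def collect_from_live_system() -> Tuple[Dict[str, str], Dict[str, int]]:
    """Read the Run key (HKLM and HKCU) and list %WinDir% on a Windows host.

    winreg is part of the standard library on Windows only, so this is imported
    lazily; the check_* functions above work on any platform.
    """
    import os
    import winreg

    run_entries: Dict[str, str] = {}
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(hive, RUN_KEY) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:
                        break  # no more values under this key
                    run_entries[name] = str(data)
                    index += 1
        except OSError:
            continue  # hive has no Run key or access was denied

    windir = os.environ.get("WINDIR", r"C:\Windows")
    windir_files = {e.name: e.stat().st_size for e in os.scandir(windir) if e.is_file()}
    return run_entries, windir_files


if __name__ == "__main__":
    # Run the checks over the constructed sample; swap in collect_from_live_system()
    # on a Windows host to inspect the real machine.
    for line in check_run_entries(SAMPLE_RUN_ENTRIES) + check_windir_files(SAMPLE_WINDIR_FILES):
        print("FOUND:", line)
```

The two check functions are kept separate from the collector so the same logic can be run over listings exported from another host (for example a registry export and a directory listing gathered during triage) without touching the machine again.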




Detection

Detection in F-Secure Anti-Virus was published on May 11th, 2004 in update:

[FSAV_Database_Version]

Version=2004-05-11_01



Technical Details: Gergely Erdelyi & Ero Carrera, May 11th, 2004

F-Secure Corporation, May 11th, 2004