



Sasser.F

ALIAS: W32/Sasser.F, Worm.Win32.Sasser.a
SIZE: 74752

Summary



Sasser.F is a minor modification of the Sasser.A worm. It shares all of its code and functionality, although it uses a different filename when copying itself into the system and a different mutex name.



Disinfection

F-Secure has developed a special disinfection tool which can find and remove all the known Sasser variants.

The tool is available from the following locations:

ftp://ftp.f-secure.com/anti-virus/tools/f-sasser.zip
ftp://ftp.f-secure.com/anti-virus/tools/f-sasser.exe
ftp://ftp.f-secure.com/anti-virus/tools/f-sasser.txt

or through HTTP:

http://www.f-secure.com/tools/f-sasser.zip
http://www.f-secure.com/tools/f-sasser.exe
http://www.f-secure.com/tools/f-sasser.txt

Before using the tool, please read the disinfection instructions in 'f-sasser.txt'.

Manual Disinfection

To manually disinfect an infected system, first apply the Microsoft patch MS04-011, then use Task Manager to kill the 'napatch.exe' process, then delete the file 'napatch.exe' from your Windows directory and reboot.

For step-by-step instructions, see Microsoft's site: http://www.microsoft.com/security/incident/sasser.asp#steps

Additional Details

Sasser.F is an unpacked, edited and repacked version of Sasser.A.

For full details, please refer to the Sasser.A description:

http://www.f-secure.com/v-descs/sasser.shtml

System Infection

When the worm enters the system, it creates a copy of itself in the Windows directory as 'napatch.exe'. This copy is added to the Registry as:

 [SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "napatch.exe" = "%WinDir%\napatch.exe"


To ensure that only one copy of the worm is running, it creates a mutex named 'billgate'.
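The three host indicators described above (the file, the Run value and the mutex) can be checked together on a suspect machine. The following PowerShell sketch is an added example, not part of the F-Secure description or tool; the function name is hypothetical, and because the description does not name the registry hive, checking both HKLM and HKCU is an assumption.

```powershell
# Added example: triage check for the Sasser.F indicators listed on this page.
$FileName  = 'napatch.exe'   # worm copy in the Windows directory (from the page)
$MutexName = 'billgate'      # single-instance mutex (from the page)
# Assumption: the page gives the key without a hive, so both hives are checked.
$RunKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

function Test-SasserFIndicators {   # hypothetical name
    $findings = @()

    # 1. Copy of the worm in %WinDir%.
    $path = Join-Path $env:WinDir $FileName
    if (Test-Path -LiteralPath $path) { $findings += "File present: $path" }

    # 2. Run value named 'napatch.exe'.
    foreach ($key in $RunKeys) {
        $v = Get-ItemProperty -Path $key -Name $FileName -ErrorAction SilentlyContinue
        if ($v) { $findings += "Run value in ${key}: $($v.$FileName)" }
    }

    # 3. Running process (process names carry no .exe suffix).
    $procName = [IO.Path]::GetFileNameWithoutExtension($FileName)
    foreach ($p in Get-Process -Name $procName -ErrorAction SilentlyContinue) {
        $findings += "Process running: $($p.ProcessName) (PID $($p.Id))"
    }

    # 4. Mutex. An unprefixed name is resolved in the caller's own session,
    #    so the Global\ form is tried as well to see a mutex held in session 0.
    foreach ($name in $MutexName, "Global\$MutexName") {
        $m = $null
        try {
            if ([System.Threading.Mutex]::TryOpenExisting($name, [ref]$m)) {
                $findings += "Mutex exists: $name"
                $m.Dispose()
            }
        } catch {
            # Access denied still means the object exists.
            if ($_.Exception.GetBaseException() -is [System.UnauthorizedAccessException]) {
                $findings += "Mutex exists (access denied): $name"
            } else { throw }
        }
    }
    return $findings
}

$result = Test-SasserFIndicators
if ($result) { $result } else { 'No Sasser.F indicators found.' }
```

A clean result only means these specific indicators are absent; other Sasser variants use different file and mutex names, as the Summary notes.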

Detection

Detection in F-Secure Anti-Virus was published on May 11th, 2004 in update:

[FSAV_Database_Version]
Version=2004-05-11_01



Technical Details: Gergely Erdelyi & Ero Carrera, May 11th, 2004