



Sasser.G

ALIAS: Worm.Win32.Sasser.gen

Summary

Sasser.G is a minor modification of the Sasser.F worm. It shares most of its code and functionality with Sasser.F, but it uses a different filename when copying itself into the system and a different mutex name.

Additional Details


System Infection

When the worm enters the system, it creates a copy of itself in the Windows directory as 'avserve3.exe'. This copy is added to the Registry as:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "avserve3.exe" = "%WinDir%\avserve3.exe"
It creates mutexes named 'PinaasoSky' and 'Jobaka3'.
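
As an added example (not part of the original description or F-Secure's own tooling), the following triage helper scans saved `reg query` output for the Run entry described above. It assumes the text was collected with `reg query` on the Run key; the sample output and its non-worm value names are constructed, and the mutexes are not covered.

```python
import re

# Indicators taken from the description above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
IOC_FILE = "avserve3.exe"

# One value line of `reg query` output: indented name, type, data.
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s*(?P<data>.*)$")
# The file name as a whole path component: bare, after a separator, or quoted.
IOC_IN_DATA = re.compile(r'(?:^|[\\/"])' + re.escape(IOC_FILE) + r"(?![\w.])", re.I)

# Constructed sample output (not captured from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ExampleTray    REG_EXPAND_SZ    %windir%\system32\exampletray.exe
    avserve3.exe    REG_SZ    C:\WINDOWS\avserve3.exe
    Updater    REG_SZ    "C:\Program Files\Example\notavserve3.exe" /q
"""


def parse_reg_query(text):
    """Return {key_path: {value_name: data}} from `reg query` text output."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                current[m.group("name")] = m.group("data").strip()
    return keys


def find_sasser_g_run_entries(text):
    """List (value_name, data) pairs under the Run key matching the worm's entry."""
    hits = []
    for key, values in parse_reg_query(text).items():
        if key.lower() != RUN_KEY.lower():
            continue  # only the Run key named in the description
        for name, data in values.items():
            # Data may be expanded (C:\WINDOWS\...) or still hold %WinDir%.
            if name.lower() == IOC_FILE or IOC_IN_DATA.search(data):
                hits.append((name, data))
    return hits


if __name__ == "__main__":
    for name, data in find_sasser_g_run_entries(SAMPLE):
        print(f"Run entry matches Sasser.G: {name!r} -> {data!r}")
```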

Detection

Detection in F-Secure Anti-Virus was published on May 14th, 2004 in update:
[FSAV_Database_Version]
Version=2004-05-14_01

Technical Details: Ero Carrera, August 23rd, 2004