NEWS FROM THE LAB - Saturday, May 1, 2004

More info on Sasser Posted by Mikko @ 07:29 GMT

We now detect this worm with our latest updates (2004-05-01_01).

The vulnerability used by Sasser is a buffer overflow in the Windows Local Security Authority Subsystem Service (LSASS). It affects every machine that:

- is running Windows XP or Windows 2000
- has not been patched against this vulnerability
- is connected to the internet without a firewall

The worm scans random IP addresses, targeting TCP port 445.

Once a machine has been exploited, the worm opens a shell that listens on TCP port 9996.

The actual worm code is then downloaded over an FTP connection on TCP port 5554.
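The three ports above are enough to spot Sasser activity in plain connection logs. The script below is an added example written for this post, not code from F-Secure or from the worm: it reads constructed "timestamp src dst dport" records, flags hosts that touch many distinct addresses on TCP/445, and ties a scanner to a victim when the scanner also connects to the victim's port 9996 and the victim then connects back to port 5554 on the scanner. The log format, the threshold and the direction of the 5554 connection (victim pulling the worm body from the infecting host) are assumptions of the example, not details from the post.

```python
"""Flag hosts whose connection pattern matches Sasser: a 445 scan, a shell on 9996, an FTP fetch on 5554."""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple

SMB_PORT = 445      # port the LSASS exploit is delivered to
SHELL_PORT = 9996   # shell the worm opens on the newly infected host
FTP_PORT = 5554     # FTP port the worm body is fetched from (assumed: victim connects to infecting host)


class Flow(NamedTuple):
    ts: int
    src: str
    dst: str
    dport: int


# Constructed sample records (not real traffic): "ts src dst dport".
SAMPLE_LOG = [
    *[f"{100 + i} 10.0.0.5 192.0.2.{i} 445" for i in range(12)],  # 10.0.0.5 probes 12 random hosts on 445
    "120 10.0.0.5 10.0.0.77 445",   # probe that hits a vulnerable host
    "121 10.0.0.5 10.0.0.77 9996",  # attacker drives the shell on the victim
    "122 10.0.0.77 10.0.0.5 5554",  # victim fetches the worm body by FTP
    "130 10.0.0.9 10.0.0.10 445",   # ordinary single file-share access, not a scan
    "131 10.0.0.9 10.0.0.10 80",
    "garbage line",                 # malformed record, must be skipped
]


def parse_flows(lines: Iterable[str]) -> List[Flow]:
    """Parse the assumed log format, silently dropping malformed lines."""
    flows = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            flows.append(Flow(int(parts[0]), parts[1], parts[2], int(parts[3])))
        except ValueError:
            continue
    return flows


def analyse(flows: List[Flow], scan_threshold: int = 10) -> Dict[str, Dict[str, int]]:
    """Per-host indicator counts; a host appears only if at least one indicator fired."""
    targets_445: Dict[str, Set[str]] = defaultdict(set)
    report: Dict[str, Dict[str, int]] = defaultdict(
        lambda: {"scan_targets_445": 0, "shell_9996_inbound": 0, "ftp_5554_outbound": 0}
    )
    for f in flows:
        if f.dport == SMB_PORT:
            targets_445[f.src].add(f.dst)          # count distinct destinations, not packets
        elif f.dport == SHELL_PORT:
            report[f.dst]["shell_9996_inbound"] += 1   # the listener is on the infected host
        elif f.dport == FTP_PORT:
            report[f.src]["ftp_5554_outbound"] += 1    # infected host pulling the worm body
    for src, dsts in targets_445.items():
        if len(dsts) >= scan_threshold:               # one-off 445 traffic (file shares) stays quiet
            report[src]["scan_targets_445"] = len(dsts)
    return dict(report)


def infection_chains(flows: List[Flow], scan_threshold: int = 10) -> List[Tuple[str, str]]:
    """(scanner, victim) pairs where the full 445 -> 9996 -> 5554 sequence is visible."""
    report = analyse(flows, scan_threshold)
    scanners = {h for h, ind in report.items() if ind["scan_targets_445"] >= scan_threshold}
    shell = {(f.src, f.dst) for f in flows if f.dport == SHELL_PORT}      # (attacker, victim)
    ftp_back = {(f.dst, f.src) for f in flows if f.dport == FTP_PORT}     # (attacker, victim)
    return sorted((a, v) for (a, v) in shell & ftp_back if a in scanners)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    for host, indicators in sorted(analyse(flows).items()):
        print(host, indicators)
    print("infection chains:", infection_chains(flows))
```

The scan check counts distinct destinations rather than raw connections, so a busy file server or a backup job talking to one host on 445 does not trip it; lower the threshold for small subnets where a scanner reaches fewer live addresses.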