Name: Win32.Worm.Sasser.{A-C}
Alias: WORM_SASSER, Win32.HLLW.Jobaka
Type:
Size: 15 KB
Discovered: 01.05.2004
Detected: 01.05.2004
Spread: Medium
Damage: Medium
In The Wild:
Symptoms:
Presence of the files: (%WINDIR% is the Windows directory)
%WINDIR%\avserve.exe -- Win32.Worm.Sasser.A
%WINDIR%\avserve2.exe -- Win32.Worm.Sasser.B,C
Presence of the registry keys:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
with the value:
"avserve.exe" = "%WINDIR%\avserve.exe" -- Win32.Worm.Sasser.A
"avserve2.exe" = "%WINDIR%\avserve2.exe" -- Win32.Worm.Sasser.B,C
Technical description:
The worm installs itself by exploiting the LSASS vulnerability described in Microsoft Security Bulletin MS04-011.
It scans pseudo-random IP addresses on TCP port 445, sending the exploit that causes a remote shell to be spawned on port 9996.
It then opens an FTP server on the remote computer, listening on port 5554, and uses it to send and execute itself on the remote machine.
Once executed, the worm drops a file in the Windows directory (%WINDIR%):
%WINDIR%\avserve.exe -- Win32.Worm.Sasser.A
%WINDIR%\avserve2.exe -- Win32.Worm.Sasser.B,C
and creates the registry key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
with the value:
"avserve.exe" = "%WINDIR%\avserve.exe" -- Win32.Worm.Sasser.A
"avserve2.exe" = "%WINDIR%\avserve2.exe" -- Win32.Worm.Sasser.B,C
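As an added example (not part of the BitDefender entry), the following PowerShell script reports the indicators listed above on the local host: the dropped files, the Run values and the worm's listening ports. It assumes PowerShell 3.0 or later and an elevated prompt; the port check uses Get-NetTCPConnection, which only exists on Windows 8 / Server 2012 and later, and is skipped elsewhere.

```powershell
# Added example, not code from the original entry: look for the Sasser indicators
# described above on this machine. Assumes PowerShell 3.0+ and an elevated prompt.

$winDir = $env:WINDIR
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# File names and Run value names are taken from the entry; the value name equals
# the dropped file name for every variant.
$indicators = @(
    @{ Variant = 'Win32.Worm.Sasser.A';   Name = 'avserve.exe'  },
    @{ Variant = 'Win32.Worm.Sasser.B,C'; Name = 'avserve2.exe' }
)

$findings = @()

foreach ($ioc in $indicators) {
    # Dropped file in the Windows directory.
    $path = Join-Path $winDir $ioc.Name
    if (Test-Path -LiteralPath $path) {
        $findings += "[FILE] $path ($($ioc.Variant))"
    }
    # Persistence: Run value whose data points at the dropped file.
    $value = Get-ItemProperty -Path $runKey -Name $ioc.Name -ErrorAction SilentlyContinue
    if ($null -ne $value) {
        $data = $value.$($ioc.Name)
        $findings += "[RUN ] $runKey\$($ioc.Name) = $data ($($ioc.Variant))"
    }
}

# Ports used by the worm: 9996 (remote shell) and 5554 (FTP server).
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 5554, 9996 } |
        ForEach-Object {
            $findings += "[PORT] TCP $($_.LocalPort) listening (PID $($_.OwningProcess))"
        }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Sasser indicators found.'
} else {
    Write-Output 'Sasser indicators found:'
    $findings | ForEach-Object { Write-Output "  $_" }
    Write-Output 'Apply the MS04-011 update and run the antivirus cleanup before reconnecting the host.'
}
```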
Disinfection:
First, install the security patch for the exploited vulnerability.
Go to Microsoft's Security Information page for MS04-011:
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
Download and install the update for your Windows version and reboot.
After the update is installed, let BitDefender delete all files found infected with this worm.