W32.Sasser.C.Worm

W32.Sasser.C.Worm is a minor variant of W32.Sasser..Worm. It attempts to exploit the LSASS vulnerability described in Microsoft Security Bulletin MS04-011 and spreads by scanning randomly selected IP addresses for vulnerable systems.

W32.Sasser.C.Worm differs from W32.Sasser.Worm as follows:

• Uses a different mutex: JumpallsNlsTillt
• Launches 1024 threads (instead of 128).
• Uses a different file name: avserve2.exe.
• Has a different MD5.
• Creates a different value in the registry: "avserve2.exe."

---

Notes:

• Definitions dated May 2, 2004, version 5/02/04 rev 38 (20040502.038) or greater, are required to detect this particular variant.
• The MD5 hash value of this worm is 0X831F4EE0A7D2D1113C80033F8D6AC372.
• Block TCP ports 5554, 9996, and 445 at the perimeter firewall and install the appropriate Microsoft patch (MS04-011) to prevent the remote exploitation of the vulnerability.

---

W32.Sasser.C.Worm can run on (but not infect) Windows 95/98/Me computers. Although these operating systems cannot be infected, they can still be used to infect vulnerable systems that they are able to connect to. In this case, the worm will waste a lot of resources so that programs cannot run properly, including our removal tool. (On Windows 95/98/Me computers, the tool should be run in Safe mode.)

Protection

• Initial Rapid Release version May 2, 2004
• Latest Rapid Release version March 5, 2008 revision 053
• Initial Daily Certified version May 2, 2004
• Latest Daily Certified version March 5, 2008 revision 054
• Initial Weekly Certified release date May 2, 2004

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Threat Assessment

Wild

• Wild Level: Medium
• Number of Infections: 50 - 999
• Number of Sites: More than 10
• Geographical Distribution: Low
• Threat Containment: Easy
• Removal: Moderate

Damage

• Damage Level: Low

Distribution

• Distribution Level: High