Symantec.com > Security Response > W32.Sasser.D

W32.Sasser.D

Risk Level 2: Low

Download Removal Tool | Printer Friendly Page

Discovered: May 3, 2004

Updated: February 13, 2007 12:22:29 PM

Also Known As: W32/Sasser-D [Sophos], WORM_SASSER.D [Trend], W32/Sasser.worm.d [McAfee], Win32.Sasser.D [Computer Assoc, Worm.Win32.Sasser.d [Kaspersky

Type: Worm

Systems Affected: Windows 2000, Windows XP

CVE References: CAN-2003-0533

The W32.Sasser.D worm:

Is a variant of W32.Sasser.Worm.
Attempts to exploit the LSASS vulnerability described in Microsoft Security Bulletin MS04-011.
Spreads by scanning randomly selected IP addresses for vulnerable systems.

W32.Sasser.D differs from W32.Sasser.Worm as follows:

Uses a different mutex: SkynetSasserVersionWithPingFast.
Uses a different file name: skynetave.exe.
Has a different file size: 16,384 bytes.
Has a different MD5.
Creates a different value in the registry: "skynetave.exe."
Uses a different port for the remote shell: 9995/tcp.
Will exit before running any code with an error on some Windows 2000 systems.
Has an updated routine for finding vulnerable computers. W32.Sasser.D sends an ICMP echo request before attempting to make a connection. This change may prevent the worm from properly executing on Windows 2000 systems.

W32.Sasser.D can only execute on Windows XP systems. The worm can exploit a vulnerable (unpatched) Windows 2000 machine remotely and copy itself to that machine. However, it will exit before running any code. In such cases, this worm will produce the following error:

The procedure entry point IcmpSendEcho could not be located in the dynamic link library iphlpapi.dll.

Notes:

The MD5 hash value of this worm is 0X03F912899B3D90F9915D72FC9ABB91BE.
Block TCP ports 5554, 9995, and 445 at the perimeter firewall and install the appropriate Microsoft patch (MS04-011) to prevent the remote exploitation of the vulnerability.
This threat is written in C++ and is packed with PECompact.