W32.Sasser.Worm

Risk Level 2: Low


Discovered: April 30, 2004
Updated: February 13, 2007 12:22:21 PM
Also Known As: W32/Sasser.worm.a [McAfee], WORM_SASSER.A [Trend], Worm.Win32.Sasser.a [Kaspersky], W32/Sasser-A [Sophos], Win32.Sasser.A [Computer Assoc], Sasser [F-Secure], W32/Sasser.A.worm [Panda]
Type: Worm
Systems Affected: Windows 2000, Windows XP
CVE References: CAN-2003-0533



W32.Sasser.Worm is a worm that attempts to exploit the vulnerability described in Microsoft Security Bulletin MS04-011. It spreads by scanning randomly selected IP addresses for vulnerable systems.

Notes:
  • Rapid Release virus definitions, version 30/04/04 rev 70 (20040430.070) and greater, detect this threat.
  • This worm has an MD5 hash value of 0xA73C16CCD0B9C4F20BC7842EDD90FC20.


W32.Sasser.Worm can run on (but not infect) Windows 95/98/Me computers. Although these operating systems cannot be infected, they can still be used to infect the vulnerable systems to which they are able to connect. In this case, the worm consumes so many resources that programs, including our removal tool, cannot run properly. (On Windows 95/98/Me computers, run the tool in Safe mode.)

Security Response has provided some information to aid network administrators in their ongoing efforts to track down W32.Sasser.Worm-infected machines on their networks. Please see the document "Detecting traffic due to LSASS worms" for additional information.

Protection

  • Initial Rapid Release version May 1, 2004
  • Latest Rapid Release version July 19, 2008 revision 019
  • Initial Daily Certified version May 1, 2004
  • Latest Daily Certified version January 20, 2009 revision 048
  • Initial Weekly Certified release date May 1, 2004


Threat Assessment

Wild

  • Wild Level: Low
  • Number of Infections: 50 - 999
  • Number of Sites: More than 10
  • Geographical Distribution: High
  • Threat Containment: Easy
  • Removal: Moderate

Damage

  • Damage Level: Low

Distribution

  • Distribution Level: Medium

Writeup By: Takayoshi Nakayama