The Sasser worm takes advantage of a recently reported Windows vulnerability.

Updated: 6 May 2004

Since the appearance of W32/Sasser.A, three new variants have been discovered: W32/Sasser.B, W32/Sasser.C and W32/Sasser.D. These variants all behave in a similar way to W32/Sasser.A and are detected by F-Prot Antivirus using virus signature files dated 3 May 2004 and later.

1 May 2004

W32/Sasser.A started spreading early in the morning of Saturday 1 May 2004 and was quickly detected by FRISK Software virus analysts. This worm has gained wide distribution in a short period of time and has, as a result, been classified as high risk by FRISK Software's virus experts.

Threat Description

W32/Sasser.A is a self-executing worm that spreads by taking advantage of a LSASS vulnerability in Windows that was first reported on 13 April 2004 in Microsoft Security Bulletin MS04-011. The worm infects systems running Windows XP and Windows 2000.

The worm does not spread via e-mail and needs no user action in order to propogate. Instead, it spreads directly from one networked computer to another by taking advantage of the aforementioned vulnerability and instructing unpatched systems to download and execute the worm's code. This technique, combined with the fact that many users have yet to update their systems, has allowed the worm to spread considerably in a relatively short period of time.

Recommended Reactions

Windows users are urged to update their operating systems immediately with the latest patches available from Microsoft.

Users should also update their virus signature files immediately and make sure they have the latest versions of F-Prot Antivirus installed on their computers.

After updating the virus signature files, users should scan their whole system with the F-Prot Antivirus OnDemand scanner to ensure that their computer security was not compromised before the virus signature files were updated.

Threat Detection

The latest versions of F-Prot Antivirus detect W32/Sasser.A using virus signature files dated 1 May 2004 or later.

More information

From FRISK Software: From Microsoft:
Commtouch® is a leading developer of anti virus software and anti spam filtering services. Commtouch's anti virus computer software, F-PROT Antivirus, is available for a number of operating systems such as Windows, Linux, BSD, Solaris, and AIX as well as the Microsoft Exchange groupware.

1993-2013 © CYREN