Softpanorama
May the source be with you, but remember the KISS principle ;-)
On April 30, 2004
When an infected machine would attempt to connect to a randomly generated Internet Protocol address through an unprotected port, it would copy code to the target machine. (see www.f-secure.com/v-descs/sasser.shtml)
It creates a mutex named Jobaka3l to ensure that no more than one instance of the worm can run on the computer at any time.
Copies itself as %Windir%\avserve.exe and adds the value
"avserve.exe"="%Windir%\avserve.exe"
to the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the worm runs when you start Windows.
It uses the AbortSystemShutdown API to hinder attempts to shut down or restart the computer.
See W32.Sasser.Worm - Symantec.com
1. Starts an FTP server on TCP port 5554. This server is used to spread the worm to other hosts.
2. Retrieves the IP addresses of the infected computer using the Windows API gethostbyname.
3. Generates another IP address based on one of the IP addresses retrieved from the infected computer. This process is made up of 128 threads, which demands a lot of CPU time; as a result, an infected computer may become so slow that it is barely usable.
4. Connects to the generated IP address on TCP port 445 to determine whether a remote computer is online.
5. If a connection is made to a remote computer, the worm sends shell code to it, which may cause it to open a remote shell on TCP port 9996.
6. Creates an FTP script file, cmd.ftp, on the attacked computer.
7. Uses the shell on the remote computer to reconnect to the infected computer's FTP server, running on TCP port 5554, and retrieve a copy of the worm.
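The propagation pattern above gives a defender several things to look for: one host sweeping many neighbours on TCP/445, inbound pulls from its port 5554, a shell on 9996, and the avserve.exe Run-key value. The following Python is an added example (not from this page, F-Secure or Symantec) that applies those checks to constructed flow records and a constructed Run-key snapshot; the scan threshold and hosts are assumptions.

```python
# Added example (not from the page, F-Secure or Symantec); records and threshold are constructed.
from collections import defaultdict

# Ports named in the worm description: scan target, worm FTP server, remote shell.
SCAN_PORT, FTP_PORT, SHELL_PORT = 445, 5554, 9996
# Constructed threshold: this many distinct TCP/445 targets from one host is a sweep.
SCAN_THRESHOLD = 20

# Constructed flow log, one "src dst dport" record per line (all TCP).
SAMPLE_FLOWS = "\n".join(
    [f"10.0.0.7 10.0.1.{i} 445" for i in range(1, 26)]   # 25-host sweep on 445
    + ["10.0.0.9 10.0.0.7 5554",    # victim pulls the worm from the infected host's FTP
       "10.0.0.7 10.0.0.9 9996",    # infected host drives the shell opened on the victim
       "10.0.0.3 10.0.0.20 445",    # ordinary file-share traffic, stays below threshold
       "10.0.0.3 10.0.0.21 445"]
)

def parse_flows(text):
    """Parse 'src dst dport' lines into (src, dst, dport) tuples, skipping junk."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2].isdigit():
            rows.append((parts[0], parts[1], int(parts[2])))
    return rows

def detect_sasser_flows(flows):
    """Return {host: [reasons]} for hosts whose traffic matches the worm's pattern."""
    targets_445 = defaultdict(set)
    findings = defaultdict(list)
    for src, dst, dport in flows:
        if dport == SCAN_PORT:
            targets_445[src].add(dst)             # count distinct 445 targets per source
        elif dport == FTP_PORT:
            findings[dst].append(f"serves worm FTP on {FTP_PORT} to {src}")
        elif dport == SHELL_PORT:
            findings[dst].append(f"remote shell {SHELL_PORT} driven by {src}")
    for host, dsts in targets_445.items():
        if len(dsts) >= SCAN_THRESHOLD:
            findings[host].append(f"scanned {len(dsts)} hosts on {SCAN_PORT}")
    return dict(findings)

def check_run_key(run_values):
    """Return Run-key value names matching the avserve.exe persistence entry."""
    return [name for name, path in run_values.items()
            if name.lower() == "avserve.exe" or path.lower().endswith("\\avserve.exe")]

if __name__ == "__main__":
    print(detect_sasser_flows(parse_flows(SAMPLE_FLOWS)))
    print(check_run_key({"avserve.exe": r"C:\WINDOWS\avserve.exe", "ctfmon": "ctfmon.exe"}))
```

The 445 sweep alone is the strongest signal on a network with no other reason for one host to touch dozens of neighbours on that port; the 5554 and 9996 checks confirm which host is the source and which is the fresh victim.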
On Friday, July 8, 2005, the author of the Sasser and Netsky worms was sentenced in a German court to one year and nine months of probation. Sven Jaschan was 17 years old when he was arrested by German authorities in May 2004 for creating and distributing two of the most damaging e-mail worms in Internet history.
He was charged in September 2004 and pled guilty to data manipulation, computer sabotage, and interfering with public corporations. The sentence was handed down following a four-day trial in Verden, Germany.
The teen escaped a jail sentence "by the skin of his teeth" because he was arrested shortly before his 18th birthday, avoiding trial as an adult. In addition to probation, Jaschan is required to complete 30 hours of community service.
Microsoft said it is awarding $250,000 to two individuals who helped identify Jaschan as part of the company's anti-virus reward program. The program was established in November 2003 by Microsoft, the FBI, Interpol and the U.S. Secret Service to provide an incentive to get people to identify cyber-wrongdoers.
Nancy Anderson, Microsoft vice president and deputy general counsel, said the company is pleased about the Friday announcement and that the Sasser writer is being held accountable for his actions.
"It has been important and gratifying to collaborate with and support law enforcement in this case, and we're glad to provide a monetary reward to those individuals who provided credible information that helped the German police authorities solve this case," she said in a statement.
Copyright © 1996-2008 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author's free time. This document is an industrial compilation designed and created exclusively for educational use and is placed under the copyright of the Open Content License (OPL). Copyright of the original materials belongs to their respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
Standard disclaimer: The statements, views and opinions presented on this web page are those of the author and are not endorsed by, nor do they necessarily reflect, the opinions of the author's present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.
Last modified: February 28, 2008