Sasser is an Internet worm spreading through the MS04-011 (LSASS) vulnerability. This vulnerability is caused by a buffer overrun in the Local Security Authority Subsystem Service, and affects all machines that:
* Run Windows XP or Windows 2000
* Have not been patched against this vulnerability
* Are connected to the Internet without a firewall
W32.Sasser is a worm that attempts to send code that exploits the MS04-011 vulnerability. This worm scans random IP addresses for exploitable systems. When one is found, the worm exploits the vulnerable system by overflowing a buffer in LSASS.EXE. It creates a remote shell on TCP port 9996. Next it creates an FTP script named cmd.ftp on the remote host and executes it. This FTP script instructs the target victim to download and execute the worm (with the filename #_up.exe) from the infected host. The infected host accepts this FTP traffic on TCP port 5554. The worm spawns multiple threads, some of which scan the local class A subnet, others the class B subnet, and others completely random subnets. The destination port is TCP 445.
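Defender-side detection of the infection sequence described above, as an added example that is not from the original page: a small Python script (the flow log lines are constructed, not real captures) that flags hosts fanning out on TCP 445 and (attacker, victim) pairs showing the ordered 445, 9996, 5554 sequence.

```python
from collections import defaultdict

# Constructed sample flow records ("timestamp src dst dport"), not from the original page.
# 10.0.0.5 plays an infected scanner; 10.0.0.9 is a normal host using a file share.
SAMPLE_FLOWS = "\n".join(
    [f"{1083456000 + i} 10.0.0.5 10.0.1.{i + 1} 445" for i in range(12)]
    + ["1083456015 10.0.0.5 10.0.1.7 9996",   # shell opened on the victim
       "1083456020 10.0.1.7 10.0.0.5 5554",   # victim fetches the worm over FTP
       "1083456030 10.0.0.9 10.0.2.3 445",    # single SMB connection, benign
       "1083456031 10.0.0.9 10.0.2.3 80"]
)

def parse_flows(text):
    """Parse 'ts src dst dport' lines into (ts, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport = line.split()
            flows.append((int(ts), src, dst, int(dport)))
    return flows

def scanners(flows, port=445, min_targets=10):
    """Hosts contacting at least min_targets distinct destinations on one port."""
    targets = defaultdict(set)
    for _, src, dst, dport in flows:
        if dport == port:
            targets[src].add(dst)
    return sorted(src for src, dsts in targets.items() if len(dsts) >= min_targets)

def exploit_chains(flows, window=60):
    """(attacker, victim) pairs showing 445 -> 9996 (attacker to victim) -> 5554 (victim back)."""
    first = {}  # (src, dst, dport) -> earliest timestamp seen
    for ts, src, dst, dport in sorted(flows):
        first.setdefault((src, dst, dport), ts)
    chains = []
    for (a, v, dport), t445 in first.items():
        if dport != 445:
            continue
        t_shell = first.get((a, v, 9996))
        t_ftp = first.get((v, a, 5554))
        if t_shell is None or t_ftp is None:
            continue
        if t445 <= t_shell <= t_ftp <= t445 + window:
            chains.append((a, v))
    return chains

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("scanning hosts:", scanners(flows))
    print("likely infections:", exploit_chains(flows))
```

The fan-out threshold alone will also catch legitimate SMB-heavy hosts, so the ordered three-port chain is the stronger signal; on real data, feed it flows from a firewall or NetFlow export in the same four-field shape.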
One sign of infection is this message:
Infected systems should install the Microsoft update to be protected from the exploit used by this worm:
F-Secure's weblog compares Sasser and the original Blaster outbreak:
You would expect a new automatic network worm like Sasser to hit even harder than it seems to be hitting right now. Of course, it's weekend time, but most infected machines would be home computers, many of which are always turned on and online.
Sasser could be compared to the Blaster/Lovsan outbreak last August in many ways. Both are automatic network worms affecting Windows 2000 and XP users, scanning random IP addresses and using FTP (or TFTP) to transfer the actual worm file to the infected host. Also, both worms cause unpatched machines to start to reboot.
Blaster was a massive case, partly because the patch was only available for 32 days before the outbreak started - and that was during the best holiday season. With Sasser, the time difference between the patch and the worm was just 18 days.
But the bottom line is that although Sasser starts several threads which constantly scan random addresses with minimal time delay, we aren't seeing massive amounts of infections. Not yet anyway.