These high numbered ports should already be blocked in the firewall rules, but companies still applying the MS04-011 patch should verify this.

MS04-011 Sasser.E (new ports 1022 and 1023)

http://secunia.com/virus_information/9263/sasser.e/
http://vil.nai.com/vil/content/v_125091.htm
http://www.trendmicro.com/vinfo/virusencyc...e=WORM_SASSER.E
http://www.symantec.com/avcenter/venc/data...ser.e.worm.html
http://www.f-secure.com/v-descs/sasser_e.shtml

W32.Sasser.E.Worm is a minor variant of W32.Sasser.Worm. It attempts to exploit the LSASS vulnerability described in Microsoft Security Bulletin MS04-011 and spreads by scanning randomly selected IP addresses for vulnerable systems. W32.Sasser.E.Worm differs from W32.Sasser.Worm as follows:
* Uses a different mutex: SkynetNotice.
* Uses a different file name: lsasss.exe.
* Creates a different value in the registry: "lsasss.exe".
* Uses different port numbers for the FTP server and the remote shell: 1023 and 1022.
* After 2 hours of running, it displays a message.
* Deletes values from the registry that are known to be installed by Trojan.Mitglieder, W32.Beagle.W@mm, and W32.Beagle.X@mm.
* The name of the file retrieved from the FTP server is followed by _update.exe.
* The worm logs data into the file C:\ftplog.txt.
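
A triage sketch built from the indicators listed above, as an added example that is not part of the original post: it flags listeners or connections on ports 1022/1023 in `netstat -ano` output and file paths matching the names in the list. The function names, sample rows, PIDs and directory locations are constructed for illustration.

```python
import ntpath
import re

# Indicators from the variant description above.
WORM_PORTS = {1022, 1023}        # FTP server and remote shell ports
WORM_FILE = "lsasss.exe"         # worm file name (note the third "s")
WORM_LOG = r"c:\ftplog.txt"      # log file the worm writes
UPDATE_SUFFIX = "_update.exe"    # suffix of the file fetched over FTP
# One TCP row of Windows `netstat -ano` output; headers and UDP rows do not match.
ROW = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+([A-Z_]+)\s+(\d+)\s*$")

def _port(endpoint):
    port = endpoint.rpartition(":")[2]   # works for 'addr:port' and '[v6]:port'
    return int(port) if port.isdigit() else None

def check_netstat(text):
    """Return (kind, port, pid) for listeners/connections on the worm's ports."""
    findings = []
    for m in filter(None, map(ROW.match, text.splitlines())):
        local, remote, state, pid = m.groups()
        lp, rp = _port(local), _port(remote)
        if state == "LISTENING" and lp in WORM_PORTS:
            findings.append(("listener", lp, int(pid)))
        elif state == "ESTABLISHED" and WORM_PORTS & {lp, rp}:
            findings.append(("connection", min(WORM_PORTS & {lp, rp}), int(pid)))
    return findings

def check_paths(paths):
    """Return (kind, path) for file names matching the description."""
    findings = []
    for path in paths:
        name = ntpath.basename(path).lower()
        if name == WORM_FILE:
            findings.append(("worm_file", path))
        elif path.lower() == WORM_LOG:
            findings.append(("worm_log", path))
        elif name.endswith(UPDATE_SUFFIX):
            findings.append(("ftp_download", path))  # weak signal on its own
    return findings

# Constructed sample data: documentation-range addresses, made-up PIDs and paths.
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:1023           0.0.0.0:0              LISTENING       1460
  TCP    192.0.2.10:3021        198.51.100.7:1023      ESTABLISHED     1460
"""
SAMPLE_PATHS = [r"C:\WINDOWS\lsasss.exe", r"C:\ftplog.txt",
                r"C:\TEMP\1234_update.exe", r"C:\WINDOWS\system32\lsass.exe"]
```

A hit on a port or on the `_update.exe` suffix alone is a lead to investigate, not proof of infection.
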
SIGNS OF INFECTION