Aliases: BAT/Ftp.AV, BAT_SASSER.A, FTP/Download.I, Trojan-Downloader.BAT.Ftp.r, Trojan.FTPGet.A
Variants: W32/Sasser-A, W32/Sasser.worm!ftp, Win32/Sasser!FTP, Worm:Win32/Sasser.gen!FTP

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 10 May 2004
Damage: High

Characteristics: W32.Sasser.Worm is a worm that attempts to exploit the LSASS vulnerability described in Micrososft Security Bulletin MS04-11. It propagates by scanning randomly selected Internet Protocol addresses for vulnerable systems. This worm affects Windows Operating System platforms such as Windows 2000 and Windows XP.

More details about W32.Sasser.Worm

When W32.Sasser.F.Worm runs, it attempts to create a mutex named billgate and exits if the attempt fails. This ensures that no more than one instance of the worm can run on a computer at any time. This worm actually copies itself to an executable file in the windows installation folder and adds value to the registry. The worm is claimed to utilze the API to stop the attempts to restart or shut down the computer. It could start an FTP server on 5554 TCP port. When a connection is made to a remote computer, the worm sends shell code to it, this can cause it to open a remote shell on 9996 TCP port. The worm utilizes the shell on the remote computer to re-connect to the FTP server of the infected computer that runs on 5554 TCP port and to retrieve a copy of the worm. This copy consists four or five digits on its name, followed by _up.exe. Then, the Lsass.exe process will crash after the worm exploits the Windows LSASS vulnerability. Windows will display the alert and shut down the system in one minute.

Users may willingly download and install the program without knowing it is malicious. They may receive it as a file attachment. It can be stored in a link embedded in a message. The program may be labeled as movies or installers on peer-to-peer (P2P) file sharing networks. Its source code may be embedded as a component in a web page. Viewing this with an unsecure web browser will execute the malware program. The W32.Sasser.F.Worm program can also be added to the system by other malware applications. It may also be bundled with other unwanted files such as spying and advertising software.