Sasser worm update
Sasser is an internet worm that caused billions of dollars of damage in It was created by a computer science student in Germany who was also behind Netsky. While there was no intentionally destructive payload, Sasser did cause many computers to slow down or crash, causing some high-profile damage.
When a vulnerable system is found, the worm sends shellcode to the target computer that attempts to exploit the lsass. The lsass. A remote shell opens on Port It creates and executes a script file on the target named cmd. The worm is then saved to the System folder. Upon execution, Sasser attempts to create a mutex named Jobaka3l, which it uses to check whether a Sasser worm is already running on the system.
It stops further infection if it finds one. Sasser copies itself to the Windows folder as avserve. It adds the value "avserve. Sasser creates an FTP server on Port , which it will use to spread itself.
It creates a file at the root of the C: drive named win. The worm makes a connection to a generated IP address on Port in order to determine whether there is a computer at that address. When it finds one, it sends shellcode to that computer that exploits the lsass.
Damage
Examples of the damage caused by Sasser include: the news agency Agence France-Presse (AFP) had all of its satellite communications blocked for hours; Delta Air Lines had to cancel several transatlantic flights because its computer systems had been swamped by the worm; the Nordic insurance company If and its Finnish owners Sampo Bank came to a complete halt and had to close their offices in Finland; the X-ray department at Lund University Hospital had all of its four layer X-ray machines disabled for several hours and had to redirect emergency X-ray patients to a nearby hospital; the University of Missouri was forced to "unplug" its network from the wider Internet in response to the worm; the British Coastguard had its electronic mapping service disabled for a few hours; Goldman Sachs, Deutsche Post, and the European Commission also all had issues with the worm.
He further revealed that not only Sasser but also Netsky.AC, a variant of the Netsky worm, was his creation. Another variant of Sasser, Sasser.E, was found circulating shortly after the arrest. It was the only variant that attempted to remove other worms from the infected computer, much in the way Netsky does.
Jaschan was tried as a minor because the German courts determined that he was 17 when he created the worm, which was actually released on his 18th birthday, April 29. Jaschan was found guilty of computer sabotage and illegally altering data.
On July 8, he was handed a 21-month suspended sentence. This aborts the system shutdown so the user can continue to use the computer. Hinojosa called the changes to Sasser-F "childlike." The apparent release of the Sasser source code complicates the picture of who is responsible for Sasser.
Once source code is available for a worm, it "lowers the bar" of technical knowledge needed to create a variant or a new worm, said Gerhard Eschelbeck, chief technology officer at Qualys Inc. Only an investigation of Jaschan's computer will confirm what role he had in the creation of the Sasser worm and its variants and whether he worked with others to create and distribute the worms, Hinojosa said.
The worm starts scanning threads that try to find vulnerable systems on random IP addresses.
When attacking, the worm first determines the version of the remote operating system and then uses the appropriate parameters to attack the host. If the attack is successful, a shell is started on port Through the shell port, Sasser instructs the remote computer to download and execute the worm from the attacking computer using FTP. The FTP server listens on port on all infected computers, with the purpose of serving out the worm to other hosts that are being infected.