Sasser (computer worm): Difference between revisions

Latest revision as of 20:11, 23 June 2025

Template:Short description Template:More inline citations needed Template:Infobox computer virus

Sasser is a computer worm that affects computers running vulnerable versions of the Windows XP and Windows 2000 operating systems. Sasser spreads by exploiting the system through a vulnerable port and can spread without user intervention. It is stopped by a properly configured firewall or by downloading system updates from Windows Update. The specific hole Sasser exploits was documented and patched by Microsoft prior to the release of the worm.

The most characteristic experience of the worm is the shutdown timer that appears due to the worm crashing LSASS. Sasser impacted various organizations including Agence France-Presse (AFP) having all its satellite communications blocked for hours and the U.S. flight company Delta Air Lines having to cancel several trans-Atlantic flights.

History

The Sasser computer worm was created on April 29, 2004.^[1] The LSASS vulnerability was patched by Microsoft in the April 2004 installment of its monthly security packages,^[2] prior to the release of the worm.

Behavior

The specific hole Sasser exploits is documented by Microsoft in its MS04-011 bulletin (CVE-2003-0533).^[3] Sasser spreads by exploiting the system through a vulnerable port. Thus, it is particularly virulent in that it can spread without user intervention, but it is also easily stopped by a properly configured firewall or by downloading system updates from Windows Update.

The worm was named Sasser because it spreads by exploiting a buffer overflow in the component known as LSASS (Local Security Authority Subsystem Service) on the affected operating systems (vulnerable versions of the Microsoft operating systems Windows XP and Windows 2000). This buffer overflow relies on an undocumented API call to Microsoft Active Directory, which both allows for unchecked remote queries and crashes LSASS.exe if given a long string.^[4]

Once on a machine, the worm scans different ranges of IP addresses and connects to victims' computers primarily through TCP port 445. If a vulnerable installation of Microsoft's Windows XP and Windows 2000 is found, the worm utilizes its own FTP server hosted on previously infected machines to download itself onto the newly compromised host. Microsoft's analysis of the worm indicates that it may also spread through port 139. Several variants called Sasser.B, Sasser.C, and Sasser.D appeared within days (with the original named Sasser.A).

Side effects

An indication of the worm's infection of a given PC is the existence of the files C:\win.log, C:\win2.log or C:\WINDOWS\avserve2.exe on the PC's hard disk, the ftp.exe running randomly and 100% CPU usage, as well as seemingly random crashes with LSA Shell (Export Version) caused by faulty code used in the worm.

The most characteristic symptom of the worm is the shutdown timer that appears due to the worm crashing LSASS.exe.

Mitigation

The specific hole Sasser exploits is documented by Microsoft in its MS04-011 bulletin (CVE-2003-0533),^[3] for which a patch had been released seventeen days earlier.^[2] It is easily stopped by a properly configured firewall or by downloading system updates from Windows Update.

Impact

The impact of Sasser included the news agency Agence France-Presse (AFP) having all its satellite communications blocked for hours and the U.S. flight company Delta Air Lines having to cancel several trans-Atlantic flights because its computer systems had been swamped by the worm. The Nordic insurance company If and their Finnish owners Sampo Bank came to a complete halt and had to close their 130 offices in Finland. The British Coastguard had its electronic mapping service disabled for a few hours, and Goldman Sachs, Deutsche Post, and the European Commission also had issues with the worm. The X-ray department at Lund University Hospital had all their four layer X-ray machines disabled for several hours and had to redirect emergency X-ray patients to a nearby hospital.

Some technology specialists speculated that the worm writer reverse-engineered the patch to discover the vulnerability, which would open millions of computers whose operating system had not been upgraded with the security update.^[5]

Author

On 7 May 2004, an 19-year-old German named Sven Jaschan from Rotenburg, Lower Saxony, then student at a technical college, was arrested for writing the worm. German authorities were led to Jaschan partly because of information obtained in response to a bounty offer by Microsoft of US$250,000.

One of Jaschan's friends had informed Microsoft that his friend had created the worm. He further revealed that not only Sasser, but also Netsky.AC, a variant of the Netsky worm, was his creation. Another variation of Sasser, Sasser.E, was found to be circulating shortly after the arrest. It was the only variation that attempted to remove other worms from the infected computer, much in the way Netsky does.

Jaschan was tried as a minor because the German courts determined that he created the worm before he was 18. The worm itself had been released on his 18th birthday (29 April 2004). Sven Jaschan was found guilty of computer sabotage and illegally altering data. On Friday, 8 July 2005, he received a 21-month suspended sentence.

Remediation

Workarounds

The shutdown sequence can be aborted by pressing start and using the Run command to enter shutdown /a. This aborts the system shutdown so the user may continue what they were doing.Template:Efn
A second option to stop the worm from shutting down a computer is to change the time and/or date on its clock to the past; the shutdown time will move as far into the future as the clock was set back.

Removal

The Sasser worm can be stopped by pressing start and using the Run command to enter shutdown /a. This will abort the shutdown caused by the termination of lsass.exe, allowing the user more time to remove the worm.

The worm may be removed by running regedit.exe and navigating to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. There, the user must remove the avserve2.exe string. Next, the user must terminate avserve2.exe in task manager. Next, the user must navigate to C:\ and delete win2.log. Finally, the user must navigate to C:\Windows and delete avserve2.exe and reboot. After that reboot, the user's PC will no longer be infected with Sasser.

Notes

Template:Notelist

References

Template:Reflist

External links

Microsoft Security Bulletin: MS04-011
Template:CVE
Bugtraq ID 10108
Read here how you can protect your PC (Microsoft Security page) - Includes links to the info pages of major anti-virus companies.
New Windows Worm on the Loose (Slashdot article)
Report on the effects of the worm from the BBC
German admits creating Sasser (BBC News)
Sasser creator avoids jail term (BBC News)

Template:Hacking in the 2000s

↑ Script error: No such module "citation/CS1".
↑ ^a ^b Script error: No such module "citation/CS1".
↑ ^a ^b Script error: No such module "citation/CS1".
↑ Script error: No such module "citation/CS1".
↑ Script error: No such module "citation/CS1".

[1] Script error: No such module "citation/CS1".

[:0-2] Script error: No such module "citation/CS1".

[:1-3] Script error: No such module "citation/CS1".

[4] Script error: No such module "citation/CS1".

[5] Script error: No such module "citation/CS1".

[1]

[2]

[3]

[4]

[5]

@@ Line 1: / Line 1: @@
 {{Short description|A 2005 Windows [[computer worm]]}}
+{{More inline citations needed|date=June 2025}}
 {{Infobox computer virus
 | image            =
 | caption          =
 | common_name      =
 | technical_name   =
 * Win32/Sasser ([[Microsoft]])
 * Worm:Win32/Sasser.[Letter] (Microsoft)
@@ Line 19: / Line 20: @@
 * WORM_SASSER.[Letter] (Trend Micro)
 * BAT_SASSER.[Letter] (Trend Micro)
 | aliases          =
 | family           =
 | classification   =
 | type             = [[Computer worm|Worm]]
 | subtype          =
 | isolation_date   =
 | origin           =
 | infection_vector =
 | author           = [[Sven Jaschan]]
 | ports_used       =
 | OS               = [[Windows 2000]], [[Windows XP]]
 | filesize         =
 | language         =
 }}
-'''Sasser''' is a [[computer worm]] that affects computers running vulnerable versions of the [[Microsoft]] [[operating systems]] [[Windows XP]] and [[Windows 2000]]. Sasser spreads by exploiting the system through a vulnerable [[Port (computer networking)|port]].  Thus it is particularly virulent in that it can spread without user intervention, but it is also easily stopped by a properly configured [[firewall (networking)|firewall]] or by downloading system updates from [[Windows Update]].  The specific hole Sasser exploits is documented by Microsoft in its [http://technet.microsoft.com/en-us/security/bulletin/ms04-011 MS04-011] bulletin (CVE-2003-0533), for which a patch had been released seventeen days earlier.<ref>{{Cite web |date=Nov 11, 2004 |title=Win32/Sasser |url=https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Win32/Sasser |url-status=live |archive-url=https://web.archive.org/web/20221031111650/https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Win32/Sasser |archive-date=31 October 2022 |access-date=6 Feb 2023 |website=Microsoft Security Intelligence}}</ref> The most characteristic experience of the worm is the shutdown timer that appears due to the worm crashing [[Local Security Authority Subsystem Service|LSASS]].
+'''Sasser''' is a [[computer worm]] that affects computers running vulnerable versions of the [[Windows XP]] and [[Windows 2000]] [[operating system]]s. Sasser spreads by exploiting the system through a vulnerable [[Port (computer networking)|port]] and can spread without user intervention. It is stopped by a properly configured [[firewall (computing)|firewall]] or by downloading system updates from [[Windows Update]]. The specific hole Sasser exploits was documented and patched by Microsoft prior to the release of the worm.
-==History and effects==
+The most characteristic experience of the worm is the shutdown timer that appears due to the worm crashing [[Local Security Authority Subsystem Service|LSASS]]. Sasser impacted various organizations including [[Agence France-Presse]] (AFP) having all its satellite communications blocked for hours and the [[United States|U.S.]] flight company [[Delta Air Lines]] having to cancel several trans-Atlantic flights.
-Sasser was created on April 30, 2005.<ref>{{Cite web |last=Macrae |first=Duncan |date=2014-04-11 |title=Everything you need to know about the Sasser worm |url=https://techmonitor.ai/technology/cybersecurity/everything-you-need-to-know-about-the-sasser-worm-4213147 |access-date=2023-02-06 |website=Tech Monitor |language=en-US}}</ref> This worm was named Sasser because it spreads by exploiting a [[buffer overflow]] in the component known as LSASS ([[Local Security Authority Subsystem Service]]) on the affected operating systems. According to a report by eEye Digital Security published on April 13, 2004, this buffer overflow relies on an apparently deprecated API call to Microsoft Active Directory, which both allows for unchecked remote queries and crashes LSASS.exe if given a long string.<ref>{{Cite web |date=2006-01-09 |title=Network Security, Vulnerability Assessment, Intrusion Prevention |url=http://www.eeye.com/html/Research/Advisories/AD20040413C.html |archive-url=https://web.archive.org/web/20060109033004/http://www.eeye.com/html/Research/Advisories/AD20040413C.html |url-status=dead |archive-date=2006-01-09 |access-date=2023-02-06 }}</ref> Once on a machine, the worm scans different ranges of [[IP address]]es and connects to victims' computers primarily through [[Transmission Control Protocol|TCP]] port 445. If a vulnerable installation of XP or 2000 is found, the worm utilizes its own FTP server hosted on previously infected machines to download itself onto the newly compromised host. Microsoft's analysis of the worm indicates that it may also spread through port 139. Several variants called ''Sasser.B'', ''Sasser.C'', and ''Sasser.D'' appeared within days (with the original named Sasser.A). The LSASS vulnerability was patched by Microsoft in the April 2004 installment of its monthly security packages, prior to the release of the worm. Some technology specialists have speculated that the worm writer reverse-engineered the patch to discover the vulnerability, which would open millions of computers whose operating system had not been upgraded with the security update.<ref>{{Citation |title=Net-Worm.Win32.Sasser On a Physical PC Network | date=30 April 2014 |url=https://www.youtube.com/watch?v=BhtyEdhepIc |language=en |access-date=2023-02-06}}</ref>
-The effects of Sasser included the [[news agency]] [[Agence France-Presse]] (AFP) having all its satellite communications blocked for hours and the [[United States|U.S.]] flight company [[Delta Air Lines]] having to cancel several trans-atlantic flights because its computer systems had been swamped by the worm. The [[Nordic countries|Nordic]] insurance company ''If'' and their Finnish owners ''Sampo Bank'' came to a complete halt and had to close their 130 offices in [[Finland]]. The [[United Kingdom|British]] [[Her Majesty's Coastguard|Coastguard]] had its electronic mapping service disabled for a few hours, and [[Goldman Sachs]], [[Deutsche Post]], and the [[European Commission]] also had issues with the worm. The [[X-ray]] department at [[Lund University Hospital]] had all their four layer [[X-ray machine]]s disabled for several hours and had to redirect emergency X-ray patients to a nearby hospital.
+==History==
+The Sasser [[computer worm]] was created on April 29, 2004.<ref>{{Cite web |last=Macrae |first=Duncan |date=2014-04-11 |title=Everything you need to know about the Sasser worm |url=https://techmonitor.ai/technology/cybersecurity/everything-you-need-to-know-about-the-sasser-worm-4213147 |access-date=2023-02-06 |website=Tech Monitor |language=en-US}}</ref> The LSASS vulnerability was patched by Microsoft in the April 2004 installment of its monthly security packages,<ref name=":0">{{Cite web |date=Nov 11, 2004 |title=Win32/Sasser |url=https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Win32/Sasser |url-status=live |archive-url=https://web.archive.org/web/20221031111650/https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Win32/Sasser |archive-date=31 October 2022 |access-date=6 Feb 2023 |website=Microsoft Security Intelligence}}</ref> prior to the release of the worm.
+== Behavior ==
+The specific hole Sasser exploits is documented by Microsoft in its MS04-011 bulletin (CVE-2003-0533).<ref name=":1">{{Cite web|url=https://learn.microsoft.com/en-us/security-updates/securitybulletins/2004/ms04-011|title=Microsoft Security Bulletin MS04-011 - Critical|website=learn.microsoft.com}}</ref> Sasser spreads by exploiting the system through a vulnerable [[Port (computer networking)|port]]. Thus, it is particularly virulent in that it can spread without user intervention, but it is also easily stopped by a properly configured [[firewall (computing)|firewall]] or by downloading system updates from [[Windows Update]].
+The worm was named Sasser because it spreads by exploiting a [[buffer overflow]] in the component known as LSASS ([[Local Security Authority Subsystem Service]]) on the affected operating systems (vulnerable versions of the [[Microsoft]] [[operating system]]s [[Windows XP]] and [[Windows 2000]]). This buffer overflow relies on an undocumented API call to Microsoft [[Active Directory]], which both allows for unchecked remote queries and crashes LSASS.exe if given a long string.<ref>{{Cite web |date=2006-01-09 |title=Network Security, Vulnerability Assessment, Intrusion Prevention |url=http://www.eeye.com/html/Research/Advisories/AD20040413C.html |url-status=dead |archive-url=https://web.archive.org/web/20060109033004/http://www.eeye.com/html/Research/Advisories/AD20040413C.html |archive-date=2006-01-09 |access-date=2023-02-06}}</ref>
+Once on a machine, the worm scans different ranges of [[IP address]]es and connects to victims' computers primarily through [[Transmission Control Protocol|TCP]] port 445. If a vulnerable installation of [[Microsoft]]'s [[Windows XP]] and [[Windows 2000]] is found, the worm utilizes its own FTP server hosted on previously infected machines to download itself onto the newly compromised host. Microsoft's analysis of the worm indicates that it may also spread through port 139. Several variants called ''Sasser.B'', ''Sasser.C'', and ''Sasser.D'' appeared within days (with the original named Sasser.A).
+=== Side effects ===
+An indication of the worm's infection of a given [[Personal Computer|PC]] is the existence of the files <code>C:\win.log</code>, <code>C:\win2.log</code> or <code>C:\WINDOWS\avserve2.exe</code> on the PC's hard disk, the <code>ftp.exe</code> running randomly and 100% CPU usage, as well as seemingly random crashes with LSA Shell (Export Version) caused by faulty code used in the worm.
+The most characteristic symptom of the worm is the shutdown timer that appears due to the worm crashing LSASS.exe.
+=== Mitigation ===
+The specific hole Sasser exploits is documented by Microsoft in its MS04-011 bulletin (CVE-2003-0533),<ref name=":1" /> for which a patch had been released seventeen days earlier.<ref name=":0" /> It is easily stopped by a properly configured [[firewall (computing)|firewall]] or by downloading system updates from [[Windows Update]].
+== Impact ==
+The impact of Sasser included the [[news agency]] [[Agence France-Presse]] (AFP) having all its satellite communications blocked for hours and the [[United States|U.S.]] flight company [[Delta Air Lines]] having to cancel several trans-Atlantic flights because its computer systems had been swamped by the worm. The [[Nordic countries|Nordic]] insurance company ''If'' and their Finnish owners ''Sampo Bank'' came to a complete halt and had to close their 130 offices in [[Finland]]. The [[United Kingdom|British]] [[Her Majesty's Coastguard|Coastguard]] had its electronic mapping service disabled for a few hours, and [[Goldman Sachs]], [[Deutsche Post]], and the [[European Commission]] also had issues with the worm. The [[X-ray]] department at [[Lund University Hospital]] had all their four layer [[X-ray machine]]s disabled for several hours and had to redirect emergency X-ray patients to a nearby hospital.
+Some technology specialists speculated that the worm writer reverse-engineered the patch to discover the vulnerability, which would open millions of computers whose operating system had not been upgraded with the security update.<ref>{{Citation |title=Net-Worm.Win32.Sasser On a Physical PC Network |date=30 April 2014 |url=https://www.youtube.com/watch?v=BhtyEdhepIc |access-date=2023-02-06 |language=en}}</ref>
 ==Author==
-On 8 May 2005, an 19-year-old [[Germany|German]] named [[Sven Jaschan]] from [[Rotenburg an der Wümme|Rotenburg]], [[Lower Saxony]], then student at a technical college, was arrested for writing the worm.  German authorities were led to Jaschan partly because of information obtained in response to a bounty offer by Microsoft of US$250,000.
+On 7 May 2004, an 19-year-old [[Germany|German]] named [[Sven Jaschan]] from [[Rotenburg an der Wümme|Rotenburg]], [[Lower Saxony]], then student at a technical college, was arrested for writing the worm.  German authorities were led to Jaschan partly because of information obtained in response to a bounty offer by Microsoft of US$250,000.
 One of Jaschan's friends had informed Microsoft that his friend had created the worm. He further revealed that not only Sasser, but also Netsky.AC, a variant of the [[Netsky worm]], was his creation. Another variation of Sasser, '''Sasser.E''', was found to be circulating shortly after the arrest. It was the only variation that attempted to remove other worms from the infected computer, much in the way Netsky does.
@@ Line 48: / Line 69: @@
 Jaschan was tried as a minor because the German courts determined that he created the worm before he was 18.  The worm itself had been released on his 18th birthday (29 April 2004).  Sven Jaschan was found guilty of computer sabotage and illegally altering data.  On Friday, 8 July 2005, he received a 21-month suspended sentence.
-==Side effects==
+== Remediation ==
-An indication of the worm's infection of a given [[Personal Computer|PC]] is the existence of the files <code>C:\win.log</code>, <code>C:\win2.log</code> or <code>C:\WINDOWS\avserve2.exe</code> on the PC's hard disk, the <code>ftp.exe</code> running randomly and 100% CPU usage, as well as seemingly random crashes with LSA Shell (Export Version) caused by faulty code used in the worm. The most characteristic symptom of the worm is the shutdown timer that appears due to the worm crashing LSASS.exe.
-==Workarounds==
+=== Workarounds ===
-The shutdown sequence can be aborted by pressing start and using the '''Run''' command  to enter <code>shutdown /a</code>. This aborts the system shutdown so the user may continue what they were doing. The shutdown.exe file is not available by default within Windows 2000, but can be installed from the Windows 2000 resource kit. It is available in Windows XP.
+* The shutdown sequence can be aborted by pressing start and using the '''Run''' command  to enter <code>shutdown /a</code>. This aborts the system shutdown so the user may continue what they were doing.{{Efn|The shutdown.exe file is not available by default within Windows 2000, but can be installed from the Windows 2000 resource kit. However it is available by default in Windows XP.}}
-A second option to stop the worm from shutting down a computer is to change the time and/or date on its clock to earlier; the shutdown time will move as far into the future as the clock was set back.
+* A second option to stop the worm from shutting down a computer is to change the time and/or date on its clock to the past; the shutdown time will move as far into the future as the clock was set back.
-== Removal ==
+=== Removal ===
-The Sasser worm can be removed by pressing start and using the '''Run''' command to enter <code>shutdown /a</code>. This will abort the shutdown caused by the termination of lsass.exe, allowing the user more time to remove the worm. The worm may be removed by running <code>regedit.exe</code> and navigating to <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</code>. There, the user must remove the <code>avserve2.exe</code> string. Next, the user must terminate <code>avserve2.exe</code> in task manager. Next, the user must navigate to <code>C:\</code> and delete <code>win2.log</code>. Finally, the user must navigate to <code>C:\Windows</code> and delete <code>avserve2.exe</code> and reboot. After a reboot, the user's PC will no longer be infected with Sasser.
+The Sasser worm can be stopped by pressing start and using the '''Run''' command to enter <code>shutdown /a</code>. This will abort the shutdown caused by the termination of lsass.exe, allowing the user more time to remove the worm.
+The worm may be removed by running <code>regedit.exe</code> and navigating to <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</code>. There, the user must remove the <code>avserve2.exe</code> string. Next, the user must terminate <code>avserve2.exe</code> in task manager. Next, the user must navigate to <code>C:\</code> and delete <code>win2.log</code>. Finally, the user must navigate to <code>C:\Windows</code> and delete <code>avserve2.exe</code> and reboot. After that reboot, the user's PC will no longer be infected with Sasser.
 ==See also==
 * [[Blaster (computer worm)]]
 * [[Welchia|Nachia (computer worm)]]
 * [[BlueKeep (security vulnerability)]]
 * [[Timeline of notable computer viruses and worms]]
+== Notes ==
+{{Notelist}}
 ==References==

Sasser (computer worm): Difference between revisions

Latest revision as of 20:11, 23 June 2025

Contents

History

Behavior

Side effects

Mitigation

Impact

Author

Remediation

Workarounds

Removal

See also

Notes

References

External links

Navigation menu

Sasser (computer worm): Difference between revisions

Latest revision as of 20:11, 23 June 2025

History

Behavior

Side effects

Mitigation

Impact

Author

Remediation

Workarounds

Removal

See also

Notes

References

External links

Navigation menu

Search