1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Does anyone know anything about this new virus?

Discussion in 'Virus & Other Malware Removal' started by kageakuma, Sep 14, 2004.

Thread Status:
Not open for further replies.
  1. kageakuma

    kageakuma Thread Starter

    Jun 17, 2004
    Was wondering if anyone knew what i am up against.
    Some kind of sasser.b virus or a new variant that labels itself as sasser.b seems to be installed on some of the clients where i am at. I was wondering if anyone knows what the new variant is or for that matter a place where i can find out about it. We just got this virus yesterday and it registers as sasser.b but propigates as sasser.l and is not recognized as sasser. It shuts down the computers every 15 minutes and its labeled as a new form of adaware but its not. Im looking for suggestions anyone.
  2. MFDnNC


    Sep 7, 2004
  3. kageakuma

    kageakuma Thread Starter

    Jun 17, 2004
    I tried that already actually. I have tried various fixes our network has been down for 2 days because of this thing. I am desperate here if anyone knows anything about this can you please let me know?

    What I am thinking is happening is that the virus is spoofing its name with symantec. It is saying that its sasser.b or the source code is like it enough to spoof them so you cant report the new virus. If anyone can get more information on it please tell me anything you know.
  4. lotuseclat79


    Sep 12, 2003

    This worm exploits the Windows LSASS vulnerability, which is a buffer overrun that allows remote code execution and enables an attacker to gain full control of affected systems. This vulnerability is discussed in detail in the following pages:

    * Microsoft Security Bulletin MS04-011

    Upon execution, it drops a copy of itself in the Windows folder as AVSERVE2.EXE.

    Note that its previous counterpart, WORM_SASSER.A, uses the file name AVSERVE.EXE for its copy.

    Unlike the previous variant that only creates one mutex named Jobaka3l, this SASSER variant creates the following mutex instead:

    * Jobaka3
    * JumpallsNlsTillt

    If an instance of JumpallsNlsTillt is found on a system, this malware does not proceed with its execution.

    To propagate, this worm sends a specially-crafted packet to TCP port 445 of random IP addresses. However it skips certain RFC 1918-reserved addresses. The packet causes a buffer overrun on vulnerable systems, which results in the execution of a remote shell that opens port 9996. This worm commands the remote shell to download its copy from the original infected source via port 5554 using FTP.

    This worm can cause LSASS to crash and force Windows to restart. In this case, the following message boxes may appear:

    Important: Apply the critical patch related to the Windows LSASS vulnerability, which is available at the following Microsoft page:


    Notes on Windows 2003 Server:

    * Analysis and tests done on this malware show that it can execute and create registry entries on Windows 2003 server, but it fails to exploit the LSASS service in the said operating system version.
    * Although Microsoft reports that the Windows 2003 Server is also vulnerable to the LSASS exploit, there may exist a code error within the malware exploit packet that prevents it from exploiting the LSASS vulnerability on the said platform.

    Blocking of Ports

    Users and administrators are strongly advised to block TCP ports 5554 and 9996 to prevent the transfer of the SASSER worm from infected systems to unpatched machines.


    Download the latest patches. Information on the vulnerability exploited by this malware and corresponding patch can be found at the following link:

    Microsoft Security Bulletin MS04-011:

    -- Tom
As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Similar Threads - Does anyone anything
  1. jennys95
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/273901

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice