Sasser is the first self-executing worm to attack the MS04-011 vulnerability announced by Microsoft in April. McAfee AVERT has raised the risk assessment to medium for W32/Sasser.worm, also known as Sasser, due to its prevalence in the field and its ability to move without the support of email, which has been the primary vehicle of delivery for most of the worms seen recently. This new worm is a self-executable program that spreads by scanning random IP addresses for exploitable systems. To date, McAfee AVERT has received several reports of the worm being stopped or infecting users on several continents, with most of the reports coming from Europe.
Sasser is a self-executing worm that spreads by exploiting the Microsoft MS04-011 vulnerability. The primary purpose of the worm seems to be to spread to as many vulnerable machines as possible by exploiting unpatched Windows systems, giving it the ability to execute without requiring any action on the part of the user. Once activated, the worm copies itself to a folder in the Windows System directory and adds a registry run key to load at system startup.
After being executed, Sasser scans random IP addresses for exploitable systems. When one is found, the worm exploits the vulnerable system by creating a script and executing it. This script instructs the target victim to download and execute the worm from the infected host. The infected host accepts this FTP traffic on TCP port 5554.
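One way to look for the transfer step described above in connection logs, as an added example that is not part of the original advisory. It assumes a constructed, space-separated log format (time, source IP, destination IP, destination port, action); the addresses, the format and the function names are illustrative.

```python
from collections import defaultdict

SASSER_FTP_PORT = 5554  # port on which the infected host serves the worm (per the text)

# Constructed sample log: time src dst dst_port action (format is an assumption)
SAMPLE_LOG = """\
2004-05-01T10:00:01 10.0.0.7 10.0.0.21 5554 ALLOW
2004-05-01T10:00:09 10.0.0.7 10.0.0.21 80 ALLOW
2004-05-01T10:02:30 10.0.0.9 10.0.0.21 5554 ALLOW
2004-05-01T10:05:12 10.0.0.30 10.0.0.7 5554 ALLOW
2004-05-01T10:06:00 10.0.0.44 10.0.0.21 5554 DENY
malformed line
"""

def parse(log_text):
    """Yield (time, src, dst, port, action) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue
        yield parts[0], parts[1], parts[2], int(parts[3]), parts[4].upper()

def triage(log_text):
    """Classify hosts by their role in connections to TCP 5554."""
    servers = defaultdict(set)  # host accepting on 5554 -> clients that connected
    blocked = set()             # clients whose connection to 5554 was denied
    for _, src, dst, port, action in parse(log_text):
        if port != SASSER_FTP_PORT:
            continue
        if action == "ALLOW":
            servers[dst].add(src)
        else:
            blocked.add(src)
    fetched = set().union(*servers.values())
    return {
        "likely_infected": sorted(servers),         # accepted traffic on 5554
        "likely_newly_infected": sorted(fetched),   # downloaded from such a host
        "relayed": sorted(fetched & set(servers)),  # fetched, then served others
        "fetch_blocked": sorted(blocked - fetched), # download attempt was denied
    }

if __name__ == "__main__":
    for role, hosts in triage(SAMPLE_LOG).items():
        print(f"{role}: {', '.join(hosts) or '-'}")
```

Hosts listed under `fetch_blocked` did not complete the download, but the attempt itself indicates the exploit script ran there, so they still need the MS04-011 patch.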
Immediate information and cure for the Sasser worm can be found online at the Network Associates McAfee AVERT site. McAfee AVERT is advising its customers to update to the 4355 DATs to stay protected.
McAfee creates computer security solutions that prevent intrusions on networks and protect computer systems from the next generation of blended attacks and threats.