Sasser.a

First Report: 2004-05-01 05:39
Last Update: 2004-11-01 05:38
Risk Rating: Medium Risk

Aliases:
Sasser
Sasser.A
W32.Sasser.Worm
W32/Sasser-A
W32/Sasser.A
W32/Sasser.A.worm
W32/Sasser.worm
W32/Sasser.worm.a
Win32.Sasser.A
Win32/Sasser.A
Worm.Win32.Sasser.a
WORM_SASSER.A

References: CAN-2003-0533

Virus Alerts:
Secunia issued a MEDIUM RISK alert for this virus.
2004-05-01 13:28
|
|
|
Information From Secunia
|
|
Thorough analysis of the Sasser worm by eEye Digital Security:
http://www.eeye.com/html/Research/Advisories/AD20040501.html
|
|
|
Information From AntiVirus Vendors
|
|
|
|
|
Below you will find virus information from different antivirus vendors included in this Secunia Virus Profile. Information about the virus along with links to removal tools will be listed below when available.
The information provided is sorted by the date on which the information first became publicly available on the antivirus vendors' websites. The earliest available reports are displayed first. Please note that timestamps are in GMT+1.
|

|
|
#1 - MCAFEE
W32/Sasser.worm.a
Severity: 3/7
File Size: 15,872 bytes
Reported: 2004-05-01 05:39
Last Update: 2004-07-01 05:42
Description: The assessment of this threat has been downgraded to Low-Profiled due to a decrease in prevalence.
|
| |
|
Full Report From Vendor
Removal Tool/Instructions
|
|
ChangeLog:
|
|
|
Changes are listed in chronological order with the latest changes first.
|
|
| |
|
|
2004-07-01 05:42
|
Severity was decreased from 4/7 to 3/7.
|
| |
|
|
2004-07-01 05:42
|
Description was changed.
New: "The assessment of this threat has been downgraded to Low-Profiled due to a decrease in prevalence."
Old: "The assessment of this threat has been upgraded to Medium due to an increase in prevalence"
|
| |
|
|
2004-05-03 06:44
|
Name was changed.
New: "W32/Sasser.worm.a"
Old: "W32/Sasser.worm"
|
| |
|
|
2004-05-01 16:49
|
Description was changed.
New: "The assessment of this threat has been upgraded to Medium due to an increase in prevalence"
Old: "Top of Page"
|
| |
|
|
2004-05-01 16:49
|
Updated information about removal tool/instructions.
|
| |
|
|
2004-05-01 16:19
|
Severity was raised from 2/7 to 4/7.
|
| |
|
|
2004-05-01 10:04
|
Description was changed.
New: "Top of Page"
Old: "This self-executing worm spreads by exploiting a Microsoft Windows vulnerability [MS04-011 vulnerability (CAN-2003-0907)]"
|
| |
|
|
2004-05-01 08:54
|
Description was changed.
New: "This self-executing worm spreads by exploiting a Microsoft Windows vulnerability [MS04-011 vulnerability (CAN-2003-0907)]"
Old: "This self-executing worm spreads by exploiting an MS04-011 vulnerability (CAN-2003-0907)."
|
| |
|
|
2004-05-01 08:49
|
Description was changed.
New: "This self-executing worm spreads by exploiting an MS04-011 vulnerability (CAN-2003-0907)."
Old: "This self-executing worm spreads by exploiting a Microsoft Windows vulnerability [MS04-011 vulnerability (CAN-2003-0907)]"
|
| |
|
|
2004-05-01 08:44
|
Description was changed.
New: "This self-executing worm spreads by exploiting a Microsoft Windows vulnerability [MS04-011 vulnerability (CAN-2003-0907)]"
Old: "This self-executing worm spreads by exploiting an MS04-011 vulnerability (CAN-2003-0907)."
|
| |
|
|
2004-05-01 06:09
|
Description was changed.
New: "This self-executing worm spreads by exploiting an MS04-011 vulnerability (CAN-2003-0907)."
Old: "AVERT is currently analyzing a new worm spreading in the wild. This worm spreads by exploiting an MS04-011 vulnerability (CAN-2003-0907)."
|
|
|
|
|
|
#2 - F-SECURE
Sasser
Severity: 2/3
File Size: 15872
Reported: 2004-05-01 08:23
Last Update: 2004-10-01 05:36
Description: Note:
|
| |
|
Full Report From Vendor
Removal Tool/Instructions
|
|
ChangeLog:
|
|
|
Changes are listed in chronological order with the latest changes first.
|
|
| |
|
|
2004-05-02 14:47
|
Updated information about removal tool/instructions.
|
| |
|
|
2004-05-02 07:23
|
Description was changed.
New: "Note:"
Old: "Sasser is an Internet worm spreading through the MS04-011 (LSASS) vulnerability."
|
| |
|
|
2004-05-01 09:53
|
Description was changed.
New: "Sasser is an Internet worm spreading through the MS04-011 (LSASS) vulnerability."
Old: "A new Internet worm Sasser is spreading through the LSASS vulnerability."
|
| |
|
|
2004-05-01 09:07
|
Severity was raised from N/A to 2/3.
|
| |
|
|
2004-05-01 09:03
|
Severity was raised from N/A to 2/3.
|
| |
|
|
2004-05-01 09:03
|
Severity was decreased from 2/3 to N/A.
|
|
|
|
|
|
#3 - SOPHOS
W32/Sasser-A
Severity: /5
File Size: -
Reported: 2004-05-01 09:01
Last Update: 2004-11-01 05:38
Description:
|
| |
|
Full Report From Vendor
Removal Tool/Instructions
|
|
ChangeLog:
|
|
|
Changes are listed in chronological order with the latest changes first.
|
|
| |
|
|
2004-10-01 06:29
|
Description was changed.
New: "N/A"
Old: "W32/Sasser-A worm is a self-executing network worm, which travels from infected machines via the internet, exploiting a Microsoft Windows vulnerability MS04-011, and instructs vulnerable systems to download and execute the viral code."
|
| |
|
|
2004-10-01 06:29
|
Description was changed.
New: "/5"
Old: "N/A"
|
| |
|
|
2004-05-04 23:45
|
Description was changed.
New: "W32/Sasser-A worm is a self-executing network worm, which travels from infected machines via the internet, exploiting a Microsoft Windows vulnerability MS04-011, and instructs vulnerable systems to download and execute the viral code."
Old: "W32/Sasser-A is a network worm that spreads by exploiting the Microsoft LSASS vulnerability. Microsoft has issued a patch to secure against this vulnerability which can be downloaded from Microsoft Security Bulletin MS04-011."
|
|
|
|
|
|
#4 - TREND MICRO
WORM_SASSER.A
Severity: 2/3
File Size: -
Reported: 2004-05-01 09:58
Last Update: 2004-10-01 05:38
Description:
|
| |
|
Full Report From Vendor
|
|
ChangeLog:
|
|
|
Changes are listed in chronological order with the latest changes first.
|
|
| |
|
|
2004-05-07 23:44
|
Description was changed.
New: "N/A"
Old: "As of May 1, 2004 4:15 AM (GMT -07:00; Daylight Saving Time), TrendLabs has declared a Yellow alert to control the spread of this malware. Infection reports have been received from Europe, Asia and the US."
|
| |
|
|
2004-05-06 23:44
|
Description was changed.
New: "As of May 1, 2004 4:15 AM (GMT -07:00; Daylight Saving Time), TrendLabs has declared a Yellow alert to control the spread of this malware. Infection reports have been received from Europe, Asia and the US."
Old: "As of May 1, 2004 4:15 AM (PST), TrendLabs has declared a Yellow alert to control the spread of this malware. Infection reports have been received from Europe, Asia and the US."
|
| |
|
|
2004-05-01 14:14
|
Description was changed.
New: "As of May 1, 2004 4:15 AM (PST), TrendLabs has declared a Yellow alert to control the spread of this malware. Infection reports have been received from Europe, Asia and the US."
Old: "As of May 1, 2004 4:15 AM (PST), TrendLabs has declared a Yellow alert to control the spread of this malware. Infection reports have been received in the US."
|
| |
|
|
2004-05-01 13:44
|
Description was changed.
New: "As of May 1, 2004 4:15 AM (PST), TrendLabs has declared a Yellow alert to control the spread of this malware. Infection reports have been received in the US."
Old: "As of May 1, 2004 4:15 AM (PST), TrendLabs has declared a yellow alert to control the spread of this malware. Infection reports have been received in the US."
|
| |
|
|
2004-05-01 13:28
|
Severity was raised from 1/3 to 2/3.
|
| |
|
|
2004-05-01 13:24
|
Description was changed.
New: "As of May 1, 2004 4:15 AM (PST), TrendLabs has declared a yellow alert to control the spread of this malware. Infection reports have been received in the US."
Old: "This worm exploits the Windows LSASS vulnerability, which is a buffer overrun that allows remote code execution and enables an attacker to gain full control of the affected system. This vulnerability is discussed in detail in the following pages:"
|
| |
|
|
2004-05-01 12:08
|
Description was changed.
New: "This worm exploits the Windows LSASS vulnerability, which is a buffer overrun that allows remote code execution and enables an attacker to gain full control of the affected system. This vulnerability is discussed in detail in the following pages:"
Old: "TrendLabs is currently analyzing this worm. It is known to exploit the Windows LSASS vulnerability, which is a buffer overrun that allows remote code execution and enables an attacker to gain full control of the affected system. This vulnerability is discussed in detail in the following pages:"
|
|
|
|
|
|
#5 - SYMANTEC
W32.Sasser.Worm
Severity: 2/5
File Size: 15,872 bytes
Reported: 2004-05-01 10:32
Last Update: 2004-08-01 05:46
Description: W32.Sasser.Worm is a worm that attempts to exploit the vulnerability described in Microsoft Security Bulletin MS04-011. It spreads by scanning the randomly selected IP addresses for vulnerable systems. Notes:
|
| |
|
Full Report From Vendor
Removal Tool/Instructions
|
|
ChangeLog:
|
|
|
Changes are listed in chronological order with the latest changes first.
|
|
| |
|
|
2004-05-12 23:43
|
Severity was decreased from 3/5 to 2/5.
|
| |
|
|
2004-05-12 23:43
|
Description was changed.
New: "W32.Sasser.Worm is a worm that attempts to exploit the vulnerability described in Microsoft Security Bulletin MS04-011. It spreads by scanning the randomly selected IP addresses for vulnerable systems. Notes: "
Old: "W32.Sasser.Worm is a worm that attempts to exploit the vulnerability described in Microsoft Security Bulletin MS04-011. It spreads by scanning the randomly selected IP addresses for vulnerable systems. "
|
| |
|
|
2004-05-06 23:42
|
Description was changed.
New: "W32.Sasser.Worm is a worm that attempts to exploit the vulnerability described in Microsoft Security Bulletin MS04-011. It spreads by scanning the randomly selected IP addresses for vulnerable systems. "
Old: "W32.Sasser.Worm is a worm that attempts to exploit the vulnerability described in Microsoft Security Bulletin MS04-011. It spreads by scanning randomly selected IP addresses for vulnerable systems. "
|
| |
|
|
2004-05-04 23:42
|
Description was changed.
New: "W32.Sasser.Worm is a worm that attempts to exploit the vulnerability described in Microsoft Security Bulletin MS04-011. It spreads by scanning randomly selected IP addresses for vulnerable systems. "
Old: "W32.Sasser.Worm is a worm that attempts to exploit the vulnerability described in Microsoft Security Bulletin MS04-011. It spreads by scanning randomly selected IP addresses for vulnerable systems. Notes: "
|
| |
|
|
2004-05-04 06:46
|
Description was changed.
New: "W32.Sasser.Worm is a worm that attempts to exploit the vulnerability described in Microsoft Security Bulletin MS04-011. It spreads by scanning randomly selected IP addresses for vulnerable systems. Notes: "
Old: "W32.Sasser.Worm is a worm that attempts to exploit the vulnerability described in Microsoft Security Bulletin MS04-011. It spreads by scanning randomly selected IP addresses of vulnerable systems. Notes: "
|
| |
|
|
2004-05-04 03:46
|
Description was changed.
New: "W32.Sasser.Worm is a worm that attempts to exploit the vulnerability described in Microsoft Security Bulletin MS04-011. It spreads by scanning randomly selected IP addresses of vulnerable systems. Notes: "
Old: "W32.Sasser.Worm is a worm that attempts to exploit the vulnerability described in Microsoft Security Bulletin MS04-011. It spreads by scanning randomly selected IP addresses of vulnerable systems. "
|
| |
|
|
2004-05-04 02:46
|
Description was changed.
New: "W32.Sasser.Worm is a worm that attempts to exploit the vulnerability described in Microsoft Security Bulletin MS04-011. It spreads by scanning randomly selected IP addresses of vulnerable systems. "
Old: "W32.Sasser.Worm is a worm that attempts to exploit the MS04-011 vulnerability. It spreads by scanning randomly-chosen IP addresses for vulnerable systems. "
|
| |
|
|
2004-05-02 04:06
|
Updated information about removal tool/instructions.
|
| |
|
|
2004-05-01 21:36
|
Severity was raised from 2/5 to 3/5.
|
| |
|
|
2004-05-01 16:02
|
Description was changed.
New: "W32.Sasser.Worm is a worm that attempts to exploit the MS04-011 vulnerability. It spreads by scanning randomly-chosen IP addresses for vulnerable systems. "
Old: "W32.Sasser is a worm that attempts to send code that exploits the MS04-011 vulnerability. "
|
| |
|
|
2004-05-01 16:02
|
File size was changed.
New: "15,872 bytes"
Old: "15872"
|
|
|
|
|
|
#6 - PANDA ANTIVIRUS
Sasser.A
Severity: 3/4
File Size: -
Reported: 2004-05-03 08:30
Last Update: 2004-10-01 05:40
Description: It restarts the computer. It spreads by exploiting the LSASS vulnerability.
|
| |
|
Full Report From Vendor
|
|
ChangeLog:
|
|
|
Changes are listed in chronological order with the latest changes first.
|
|
| |
|
|
2004-05-10 23:40
|
Severity was decreased from 4/4 to 3/4.
|
| |
|
|
2004-05-03 13:05
|
Description was changed.
New: "It restarts the computer. It spreads by exploiting the LSASS vulnerability."
Old: "N/A"
|
|
|
|
|
|
Please note: The information that this Secunia Virus Profile is based on comes from a third party unless stated otherwise.
The grouping process is done completely automatically, therefore minor inconsistencies may occur. For more information about Secunia Virus Information, please read: About Virus Information.