Sasser (computer worm)

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by 42.111.13.59 (talk) at 16:16, 11 October 2022 (Technical updates that are made recently). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Sasser
Technical name
  • csrss.exe/Sasser (Microsoft)
  • Worm:Win32/Sasser.[Letter] (Microsoft)
  • Net-Worm:W32/Sasser (F-Secure)
  • Net-Worm:W32/Sasser.[Letter] (F-Secure)
  • W32.Sasser.Worm (Symantec)
  • W32.Sasser.[Letter] (Symantec)
  • W32.Sasser.[Letter].Worm (Symantec)
  • W32/Sasser-[Letter] (Sophos)
  • Worm.Win32.Sasser.[letter] (Sophos)
  • W32.Sasser.Worm (Sophos)
  • W32/Sasser.worm.[letter] (Sophos)
  • WORM_SASSER (Trend Micro)
  • WORM_SASSER.[Letter] (Trend Micro)
  • BAT_SASSER.[Letter] (Trend Micro)
Type: Worm
Authors: Sven Jaschan
Technical details
Platform: Windows 10, Windows 11

Sasser is a cyber worm that affects home networks and all smart devices, such as computers, cellphones, tablets, smart TVs and routers, running vulnerable versions of the Microsoft and Apple operating systems Windows 10, Windows 11 and Mac OS. Sasser spreads by exploiting the system through a vulnerable port. It can spread without user intervention, but it is also easily stopped by a properly configured network firewall or by contacting Certified IP Technicians on the helpline number provided to users in security alerts from Windows Defender. It targets users' sensitive and confidential information, such as banking user names and passwords, credit cards and IP addresses (online identity). It generally spreads when a user is on internet sites such as Facebook, Google, recipes, user manuals, news, online games, email, 18+ sites (porn, dating) or quizzes, or clicks on an advertisement on the web. It is the most notorious malware in that it cannot be handled or fixed by any local computer service provider, because it is not a computer-related problem. In 2019 it shut down many well-reputed services such as Google, Microsoft and Yahoo for several days.

History and effects

Sasser was created on April 30, 2004. This worm was named Sasser because it spreads by exploiting a buffer overflow in the component known as LSASS (Local Security Authority Subsystem Service) on the affected operating systems. The worm scans different ranges of IP addresses and connects to victims' computers primarily through TCP port 445. Microsoft's analysis of the worm indicates that it may also spread through port 139. Several variants called Sasser.B, Sasser.C, and Sasser.D appeared within days (with the original named Sasser.A). The LSASS vulnerability was patched by Microsoft in the April 2004 installment of its monthly security packages, prior to the release of the worm. Some technology specialists have speculated that the worm writer reverse-engineered the patch to discover the vulnerability, which would open millions of computers whose operating system had not been upgraded with the security update. [citation needed]
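
The scanning behaviour described above (one host connecting to many different addresses on TCP port 445, and possibly 139) is visible in firewall or flow logs. The following is an added example, not part of the original article: the log format, the 60-second window and the threshold of five destinations are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WORM_PORTS = {445, 139}         # ports named in the article
WINDOW = timedelta(seconds=60)  # assumed sliding window
THRESHOLD = 5                   # assumed: distinct destinations per window

def _sample():
    """Constructed flow records: 'timestamp src dst dport proto'."""
    t0, sec = datetime(2004, 5, 1, 10, 0, 0), timedelta(seconds=1)
    # Workstation talking to a single file server: ordinary SMB traffic.
    rows = [(t0 + 10 * i * sec, "10.0.0.5", "10.0.0.10", 445) for i in range(8)]
    # Host sweeping seven different addresses within a few seconds.
    rows += [(t0 + i * sec, "10.0.0.23", f"172.16.{i}.{7 * i + 1}",
              139 if i % 3 == 0 else 445) for i in range(7)]
    # Host reaching five servers, but spread over several minutes.
    rows += [(t0 + 120 * i * sec, "10.0.0.40", f"10.0.2.{i + 1}", 445) for i in range(5)]
    return "\n".join(f"{t.isoformat()} {s} {d} {p} tcp" for t, s, d, p in rows)

SAMPLE_LOG = _sample()

def parse(line):
    ts, src, dst, dport, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), proto

def find_scanners(log_text, window=WINDOW, threshold=THRESHOLD):
    """Map each flagged source to its peak count of distinct destinations
    contacted on WORM_PORTS inside any single window."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        try:
            ts, src, dst, dport, proto = parse(line)
        except ValueError:
            continue  # blank or malformed record
        if proto == "tcp" and dport in WORM_PORTS:
            per_src[src].append((ts, dst))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        start, best, in_window = 0, 0, defaultdict(int)
        for ts, dst in events:
            in_window[dst] += 1
            while ts - events[start][0] > window:  # evict expired records
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            best = max(best, len(in_window))
        if best >= threshold:
            flagged[src] = best
    return flagged

if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG))
```

Counting distinct destinations rather than raw connections keeps a busy file-server client from being flagged, while the short window separates a sweep from slow, legitimate access to several servers.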

The effects of Sasser included the news agency Agence France-Presse (AFP) having all its satellite communications blocked for hours and the U.S. flight company Delta Air Lines having to cancel several transatlantic flights because its computer systems had been swamped by the worm. The Nordic insurance company If and their Finnish owners Sampo Bank came to a complete halt and had to close their 130 offices in Finland. The British Coastguard had its electronic mapping service disabled for a few hours, and Goldman Sachs, Deutsche Post, and the European Commission also had issues with the worm. The X-ray department at Lund University Hospital had all four of its layer X-ray machines disabled for several hours and had to redirect emergency X-ray patients to a nearby hospital. The University of Missouri was forced to "unplug" its network from the wider Internet in response to the worm.

Author

On 7 May 2004, 18-year-old German Sven Jaschan from Rotenburg, Lower Saxony, then a student at a technical college, was arrested for writing the worm. German authorities were led to Jaschan partly because of information obtained in response to a bounty offer by Microsoft of US$250,000.

One of Jaschan's friends had informed Microsoft that his friend had created the worm. He further revealed that not only Sasser, but also Netsky.AC, a variant of the Netsky worm, was his creation. Another variation of Sasser, Sasser.E, was found to be circulating shortly after the arrest. It was the only variation that attempted to remove other worms from the infected computer, much in the way Netsky does.

Jaschan was tried as a minor because the German courts determined that he created the worm before he was 18. The worm itself had been released on his 18th birthday (29 April 2004). Sven Jaschan was found guilty of computer sabotage and illegally altering data. On Friday, 8 July 2005, he received a 21-month suspended sentence.

Side effects

Indications that a given PC is infected are the existence of the files C:\win.log, C:\win2.log or C:\WINDOWS\avserve2.exe on its hard disk, ftp.exe running randomly, 100% CPU usage, and seemingly random crashes with LSA Shell (Export Version) caused by faulty code used in the worm. The most characteristic symptom of the worm is the shutdown timer that appears due to the worm crashing LSASS.exe.

Workarounds

The shutdown sequence can be aborted by pressing Start and using the Run command to enter shutdown -a. This aborts the system shutdown so users may continue what they were doing. The shutdown.exe file is not available by default within Windows 2000, but can be installed from the Windows 2000 resource kit. It is available in Windows XP. A second option to stop the worm from shutting down a computer is to set its clock to an earlier time and/or date; the shutdown time will move as far into the future as the clock was set back.

See also

  • Microsoft Security Bulletin: MS04-011
  • CAN-2003-0533
  • Bugtraq ID 10108
  • Read here how you can protect your PC (Microsoft Security page) - Includes links to the info pages of major anti-virus companies.
  • New Windows Worm on the Loose (Slashdot article)
  • Report on the effects of the worm from the BBC
  • German admits creating Sasser (BBC News)
  • Sasser creator avoids jail term (BBC News)