Sasser

Technical names: Win32/Sasser, Worm:Win32/Sasser (Microsoft); Net-Worm:W32/Sasser (F-Secure); W32.Sasser, W32.Sasser.Worm (Symantec); W32/Sasser, Worm.Win32.Sasser, W32.Sasser.Worm, W32/Sasser.worm (Sophos); WORM_SASSER, BAT_SASSER (Trend Micro)
Type: Worm
Author: Sven Jaschan
Platform: Windows 2000, Windows XP

Sasser is a computer worm that affects computers running vulnerable versions of the Microsoft operating systems Windows XP and Windows 2000. Sasser spreads by exploiting the system through a vulnerable port. It is therefore particularly virulent in that it can spread without user intervention, but it is also easily stopped by a properly configured firewall or by downloading system updates from Windows Update. The specific hole Sasser exploits is documented by Microsoft in its MS04-011 bulletin, for which a patch had been released seventeen days earlier. The most characteristic experience of the worm is the shutdown timer that appears when the worm crashes LSASS.

History and effects

Sasser was created on April 30, 2004. The worm was named Sasser because it spreads by exploiting a buffer overflow in the component known as LSASS (Local Security Authority Subsystem Service) on the affected operating systems. According to a report by eEye Digital Security published on April 13, 2004, this buffer overflow relies on an apparently deprecated API call to Microsoft Active Directory, which both allows unchecked remote queries and crashes LSASS.exe if given a long string. Once on a machine, the worm scans different ranges of IP addresses and connects to victims' computers primarily through TCP port 445. If a vulnerable installation of XP or 2000 is found, the worm uses its own FTP server hosted on previously infected machines to download itself onto the newly compromised host. Microsoft's analysis of the worm indicates that it may also spread through port 139. Several variants called Sasser.B, Sasser.C, and Sasser.D appeared within days (with the original named Sasser.A). The LSASS vulnerability was patched by Microsoft in the April 2004 installment of its monthly security packages, prior to the release of the worm. Some technology specialists have speculated that the worm writer reverse-engineered the patch to discover the vulnerability, which would expose the millions of computers whose operating system had not been upgraded with the security update.

The effects of Sasser included the news agency Agence France-Presse (AFP) having all its satellite communications blocked for hours and the U.S. airline Delta Air Lines having to cancel several transatlantic flights because its computer systems had been swamped by the worm. The Nordic insurance company If and its Finnish owner Sampo Bank came to a complete halt and had to close their 130 offices in Finland. The British Coastguard had its electronic mapping service disabled for a few hours, and Goldman Sachs, Deutsche Post, and the European Commission also had issues with the worm. The X-ray department at Lund University Hospital had all of its four layer X-ray machines disabled for several hours and had to redirect emergency X-ray patients to a nearby hospital.

Author

On 7 May 2004, an 18-year-old German named Sven Jaschan from Rotenburg, Lower Saxony, then a student at a technical college, was arrested for writing the worm. German authorities were led to Jaschan partly because of information obtained in response to a bounty offer by Microsoft of US$250,000.

One of Jaschan's friends had informed Microsoft that his friend had created the worm. He further revealed that not only Sasser, but also Netsky.AC, a variant of the Netsky worm, was his creation. Another variation of Sasser, Sasser.E, was found to be circulating shortly after the arrest. It was the only variation that attempted to remove other worms from the infected computer, much in the way Netsky does.

Jaschan was tried as a minor because the German courts determined that he created the worm before he was 18. The worm itself had been released on his 18th birthday (29 April 2004). Sven Jaschan was found guilty of computer sabotage and illegally altering data. On Friday, 8 July 2005, he received a 21-month suspended sentence.

Side effects

An indication that a given PC is infected with the worm is the existence of the files C:\win.log, C:\win2.log or C:\WINDOWS\avserve2.exe on the PC's hard disk, ftp.exe running at random, 100% CPU usage, and seemingly random crashes of LSA Shell (Export Version) caused by faulty code in the worm. The most characteristic symptom of the worm is the shutdown timer that appears when the worm crashes LSASS.exe.

Workarounds

The shutdown sequence can be aborted by pressing Start and using the Run command to enter shutdown /a. This aborts the system shutdown so the user may continue what they were doing. The shutdown.exe file is not available by default in Windows 2000, but can be installed from the Windows 2000 Resource Kit; it is available in Windows XP. A second option to stop the worm from shutting down a computer is to set the clock's time and/or date to an earlier value: the shutdown time moves as far into the future as the clock was set back.

Removal

The Sasser worm can be removed by pressing Start and using the Run command to enter shutdown /a. This aborts the shutdown caused by the termination of lsass.exe, giving the user more time to remove the worm. The worm may then be removed by running regedit.exe and navigating to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. There, the user must remove the avserve2.exe string. Next, the user must terminate avserve2.exe in Task Manager. Next, the user must navigate to C:\ and delete win2.log. Finally, the user must navigate to C:\Windows, delete avserve2.exe and reboot. After a reboot, the user's PC will no longer be infected with Sasser.

See also

Blaster (computer worm)
Nachia (computer worm)
BlueKeep (security vulnerability)
Timeline of notable computer viruses and worms

External links

Microsoft Security Bulletin: MS04-011
CAN-2003-0533
Bugtraq ID 10108
Read here how you can protect your PC (Microsoft Security page) - includes links to the info pages of major anti-virus companies.
New Windows Worm on the Loose (Slashdot article)
Report on the effects of the worm from the BBC
German admits creating Sasser (BBC News)
Sasser creator avoids jail term (BBC News)
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.