Name: Worm.Win32.Sasser. Category: Viruses Description: Details Worm.Win32.Sasser.b Sasser.b is an Internet worm that uses the MS Windows LSASS vulnerability described in Microsoft Security Bulletin MS04-011. Microsoft released a patch for this vulnerability on april 13, 2004, while Sasser.a was first detected on April 30, 2004. Sasser.b operates in a very similar manner to Lovesan, except that Lovesan exploited a vulnerability in the PRC DCOM service, not the LSASS service. Sasser affects computers running Windows 2000, Windows XP, Windows Server 2003. Sasser functions on all other versions of Windows but is unable to infect them by attacking via the vulnerability. Sasser is written in C/C++, using the Visual C complier. The wrom is about 15 KL and is packed by PECompact2. Signs of Infection avserve.exe in the Windows directory. An error message about the LSASS service failing which usually also causes the system to reboot. Differences between Sasser.a and Sasser.b Sasser.b uses a different file name for the main component that is registered in the system registry autorun key: avserve2.exe instead of avserve.exe. The unique identifier name is changed to Jobaka3 and Sasser.b also attempts to create a second identifier named JumpallsNlsTillt. The number of propagation routines is increased from 128 to 1024 and the name of the log file is changed to win2.log