2/6: Sasser-E Worm Spreads by Exploiting Microsoft LSASS Flaw
W32/Sasser-E is a network worm spread by exploiting a Microsoft LSASS vulnerability.
The worm copies itself to the Windows folder and sets the following registry entry to auto-start on user logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ LSASS SVR = lsasss.exe
W32/Sasser-E attempts to connect out on port TCP/1022 and TCP/445 and exploit the LSASS vulnerability. An FTP script is then downloaded and executed which connects back on port TCP/1023 to download a copy of the worm via FTP.
Threat Alerts
Digg
del.icio.us
Newsvine
Facebook
Google
LinkedIn
MySpace
Reddit
Slashdot
StumbleUpon
Technorati
Twitter
Windows Live
YahooBuzz
FriendFeedMore information can be found at this Sophos page.
