www.esecurityplanet.com/alerts/article.php/3801316
Back to Article
2/6: Sasser-E Worm Spreads by Exploiting Microsoft LSASS Flaw
By
February 6, 2009
Back to Article
2/6: Sasser-E Worm Spreads by Exploiting Microsoft LSASS Flaw
By
February 6, 2009
W32/Sasser-E is a network worm spread by exploiting a Microsoft LSASS vulnerability.
The worm copies itself to the Windows folder and sets the following registry entry to auto-start on user logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ LSASS SVR = lsasss.exe
W32/Sasser-E attempts to connect out on port TCP/1022 and TCP/445 and exploit the LSASS vulnerability. An FTP script is then downloaded and executed which connects back on port TCP/1023 to download a copy of the worm via FTP.
More information can be found at this Sophos page.