Sasser (detected as Sasser.A) is a computer worm, a type of malware, that affects computers running vulnerable versions of Microsoft Windows XP and Windows 2000. It spreads by exploiting a vulnerability reachable over Transmission Control Protocol (TCP) port 445, in the service that authenticates or identifies network users.
While Microsoft released a patch for Sasser in its MS04-011 bulletin 17 days before the first attack hit, the worm still wreaked a lot of havoc when it spread to many computers back in April 2004.
How Does Sasser Spread?
Sasser takes its name from the Local Security Authority Subsystem Service (LSASS), the Windows component that verifies the validity of user logins; the worm spreads by exploiting a buffer overflow vulnerability in that component.
To infect a system, the worm connects to a vulnerable computer’s TCP port 445, although further analysis revealed that it could also enter through port 139, which is commonly used for file sharing.
Its effectiveness also gave rise to three other variants—Sasser.B, Sasser.C, and Sasser.D—which appeared within days of the original. Its most noticeable symptom is the shutdown countdown timer that appears on an infected computer after the worm crashes LSASS.exe.
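The spreading pattern described above (one host contacting many others on TCP 445 or 139 in quick succession) is what a defender can look for in perimeter or host firewall logs. The following is an added example, not code from the original page; the log format and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log (not from the original page): ts, action, src, dst, dport.
SAMPLE_LOG = """\
2004-05-01T10:00:01 DENY src=10.0.0.5 dst=10.0.1.1 dport=445
2004-05-01T10:00:01 DENY src=10.0.0.5 dst=10.0.1.2 dport=445
2004-05-01T10:00:02 DENY src=10.0.0.5 dst=10.0.1.3 dport=445
2004-05-01T10:00:02 DENY src=10.0.0.5 dst=10.0.1.4 dport=139
2004-05-01T10:00:03 ALLOW src=10.0.0.7 dst=10.0.2.9 dport=445
2004-05-01T10:00:04 ALLOW src=10.0.0.7 dst=10.0.2.9 dport=445
2004-05-01T10:05:00 ALLOW src=10.0.0.9 dst=10.0.2.1 dport=80
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) "
                     r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
SMB_PORTS = {445, 139}  # the ports the worm connects to when looking for hosts to infect


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "action": m["action"],
            "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}


def find_smb_scanners(log_text, window_seconds=60, min_targets=4):
    """Return {src: sorted distinct dsts} for every source that reached at least
    min_targets distinct hosts on TCP 445/139 inside some window_seconds span."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dport"] in SMB_PORTS:
            events[rec["src"]].append((rec["ts"], rec["dst"]))
    flagged = {}
    for src, evs in events.items():
        evs.sort()  # sort by timestamp so each candidate window starts at event i
        for i, (start, _) in enumerate(evs):
            targets = {d for t, d in evs[i:]
                       if (t - start).total_seconds() <= window_seconds}
            if len(targets) >= min_targets:  # one host fanning out to many peers is worm-like
                flagged[src] = sorted(targets)
                break
    return flagged
```

Calling `find_smb_scanners(SAMPLE_LOG)` flags only 10.0.0.5, which touches four distinct hosts on 445/139 within two seconds; the host that repeatedly talks to a single file server is not flagged.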
What Were the Sasser Worm’s Effects?
Sasser’s ill effects include the following:
- It shut down all of Agence France-Presse’s (AFP) satellite communication systems for hours.
- It forced Delta Air Lines to cancel several trans-Atlantic flights.
- Nordic insurance company If and its Finnish owner Sampo Bank closed 130 offices in Finland.
- All of Lund University Hospital’s large X-ray machines were disabled for several hours, so emergency patients had to be redirected to a nearby hospital.
- The University of Missouri was forced to disconnect its network from the Internet.
- The British Coastguard disabled their electronic mapping service for hours.
- Other affected establishments include Goldman Sachs, Deutsche Post, and the European Commission.
Who Created the Sasser Worm and What Happened to Him?
Sven Jaschan, a German computer science student from Rotenburg, Lower Saxony, who was 18 then, was Sasser’s creator. He was arrested on 7 May 2004, thanks to information obtained after Microsoft offered a US$250,000 reward.
One of Jaschan’s friends revealed he created not only Sasser but also Netsky.AC, a variant of the Netsky worm. Shortly after Jaschan’s arrest, another of the worm’s variants—Sasser.E—was discovered. Unlike its predecessors, Sasser.E attempted to remove other worms from infected computers like Netsky.
Since Jaschan was only 17 when he created Sasser, he was tried as a minor. He only released it on his 18th birthday (i.e., 29 April 2004). He was found guilty of computer sabotage and illegally altering data. On 8 July 2005, he was handed a 21-month suspended sentence.
How Should Users Treat Sasser Worm-Infected Computers?
Affected users can abort Sasser’s shutdown sequence by clicking “Start,” opening the Run command, and entering “shutdown -a,” which cancels the pending system shutdown so users can continue to use their computers.
Another option is to run the shutdown.exe file, which is not available by default on Windows 2000 but can be installed from its resource kit. This file is, however, available in Windows XP.
A final option is to set the infected computer’s time and/or date back. The scheduled shutdown is then postponed by the same amount of time that the clock was set back.
What Other Names Does the Sasser Worm Go By?
Sasser’s aliases or monikers, according to various security companies, include:
- Net-Worm:W32/Sasser (F-Secure)
- W32.Sasser.Worm (SRN Micro Systems)
- Net-Worm.Win32.Sasser.a (Kaspersky)
- W32/Sasser.worm.a (McAfee)
- W32.Sasser.gen (Symantec)
- Worm/Rbot.328262 (Avira)
- W32/Sasser-F (Sophos)
Sasser and other worms like it can be thwarted by regularly applying patches to vulnerable computers. Using effective antimalware is also advised.