Sasser (computer worm)

from Wikipedia
Sasser
Malware details
Technical name
  • Win32/Sasser (Microsoft)
  • Worm:Win32/Sasser.[Letter] (Microsoft)
  • Net-Worm:W32/Sasser (F-Secure)
  • Net-Worm:W32/Sasser.[Letter] (F-Secure)
  • W32.Sasser.Worm (Symantec)
  • W32.Sasser.[Letter] (Symantec)
  • W32.Sasser.[Letter].Worm (Symantec)
  • W32/Sasser-[Letter] (Sophos)
  • Worm.Win32.Sasser.[letter] (Sophos)
  • W32.Sasser.Worm (Sophos)
  • W32/Sasser.worm.[letter] (Sophos)
  • WORM_SASSER (Trend Micro)
  • WORM_SASSER.[Letter] (Trend Micro)
  • BAT_SASSER.[Letter] (Trend Micro)
Type: Worm
Author: Sven Jaschan
Technical details
Platforms: Windows 2000, Windows XP

Sasser is a computer worm that affects computers running vulnerable versions of the Windows XP and Windows 2000 operating systems. Sasser spreads by exploiting the system through a vulnerable port and can spread without user intervention. It is stopped by a properly configured firewall or by downloading system updates from Windows Update. The specific hole Sasser exploits was documented and patched by Microsoft prior to the release of the worm.

The most characteristic symptom of the worm is the shutdown timer that appears because the worm crashes LSASS. Sasser affected various organizations: Agence France-Presse (AFP) had all its satellite communications blocked for hours, and the U.S. airline Delta Air Lines had to cancel several trans-Atlantic flights.

History

The Sasser computer worm was created on April 29, 2004.[1] The LSASS vulnerability was patched by Microsoft in the April 2004 installment of its monthly security packages,[2] prior to the release of the worm.

Behavior

The specific hole Sasser exploits is documented by Microsoft in its MS04-011 bulletin (CVE-2003-0533).[3] Sasser spreads by exploiting the system through a vulnerable port. Thus, it is particularly virulent in that it can spread without user intervention, but it is also easily stopped by a properly configured firewall or by downloading system updates from Windows Update.

The worm was named Sasser because it spreads by exploiting a buffer overflow in the component known as LSASS (Local Security Authority Subsystem Service) on the affected operating systems (vulnerable versions of the Microsoft operating systems Windows XP and Windows 2000). This buffer overflow gives a long string to an undocumented API in Microsoft Active Directory-related functions, which both allows for arbitrary code execution and often crashes LSASS.exe.[4]

Once on a machine, the worm scans different ranges of IP addresses and connects to victims' computers primarily through TCP port 445. If a vulnerable installation of Windows XP or Windows 2000 is found, the worm uses an FTP server it hosts on previously infected machines to download itself onto the newly compromised host. Microsoft's analysis of the worm indicates that it may also spread through port 139. Several variants, called Sasser.B, Sasser.C, and Sasser.D, appeared within days (the original being named Sasser.A).

Side effects

Indications that a given PC is infected are the presence of the files C:\win.log, C:\win2.log or C:\WINDOWS\avserve2.exe on its hard disk, ftp.exe running at seemingly random times together with 100% CPU usage, and apparently random crashes of LSA Shell (Export Version) caused by faulty code in the worm.

The most characteristic symptom of the worm is the shutdown timer that appears due to the worm crashing LSASS.exe.

Mitigation

The specific hole Sasser exploits is documented by Microsoft in its MS04-011 bulletin (CVE-2003-0533),[3] for which a patch had been released seventeen days earlier.[2] It is easily stopped by a properly configured firewall or by downloading system updates from Windows Update.

Impact

The impact of Sasser included the news agency Agence France-Presse (AFP) having all its satellite communications blocked for hours and the U.S. flight company Delta Air Lines having to cancel several trans-Atlantic flights because its computer systems had been swamped by the worm. The Nordic insurance company If and their Finnish owners Sampo Bank came to a complete halt and had to close their 130 offices in Finland. The British Coastguard had its electronic mapping service disabled for a few hours, and Goldman Sachs, Deutsche Post, and the European Commission also had issues with the worm. The X-ray department at Lund University Hospital had all their four layer X-ray machines disabled for several hours and had to redirect emergency X-ray patients to a nearby hospital.

Some technology specialists speculated that the worm writer reverse-engineered the patch to discover the vulnerability, which would open millions of computers whose operating system had not been upgraded with the security update.[5]

Author

On 7 May 2004, an 18-year-old German named Sven Jaschan from Rotenburg, Lower Saxony, then a student at a technical college, was arrested for writing the worm. German authorities were led to Jaschan partly by information obtained in response to a US$250,000 bounty offered by Microsoft.

One of Jaschan's friends had informed Microsoft that Jaschan had created the worm. The friend further revealed that not only Sasser but also Netsky.AC, a variant of the Netsky worm, was Jaschan's creation. Another variant of Sasser, Sasser.E, was found to be circulating shortly after the arrest. It was the only variant that attempted to remove other worms from the infected computer, much as Netsky does.

Jaschan was tried as a minor because the German courts determined that he created the worm before he was 18. The worm itself had been released on his 18th birthday (29 April 2004). Sven Jaschan was found guilty of computer sabotage and illegally altering data. On Friday, 8 July 2005, he received a 21-month suspended sentence.

from Grokipedia
The Sasser worm is a computer worm that emerged on April 30, 2004, targeting unpatched versions of Microsoft Windows XP and Windows 2000 operating systems by exploiting a buffer overflow vulnerability in the Local Security Authority Subsystem Service (LSASS).[1][2] It propagated automatically over networks by scanning random IP addresses for vulnerable machines, using TCP port 5554 to deliver its payload via an FTP-like mechanism without requiring user interaction or email attachments.[1][3] Once infected, the worm caused systems to repeatedly reboot and crash due to denial-of-service effects, though it did not directly steal data or install backdoors.[1][4] Sasser quickly evolved into multiple variants (A through E), with later versions like Sasser.B spreading faster by optimizing scan rates to up to 400,000 probes per hour.[3] Estimates indicate it infected between 500,000 and 1 million computers worldwide within days, representing a small fraction of internet-connected PCs but causing significant disruptions due to its rapid propagation.[3][5] The worm's impact was exacerbated by the recent release of Microsoft's MS04-011 security patch on April 13, 2004, which many users had not yet applied, leaving systems exposed.[1][6]

Notable disruptions included delaying 20 British Airways flights by about 10 minutes each at Heathrow Airport, forcing the cancellation and delay of some Delta Air Lines flights in the United States, paralyzing over 400 branches of Taiwan's national post office (affecting 1,600 machines), and halting rail traffic control in Australia.[7][8][4] In Hong Kong, public hospitals faced outages, and small to medium-sized businesses across Europe and Asia reported widespread system failures, though large enterprises with firewalls were less affected.[7][5] Despite claims of up to $18 billion in damages, actual economic losses were likely lower given the infection rate compared to predecessors like MSBlast.[9]

The worm's creator, 18-year-old German computer science student Sven Jaschan, confessed to developing Sasser along with the earlier Netsky viruses as a hobbyist effort to combat other malware like Mydoom.[10][11] Jaschan was arrested on May 8, 2004, in Lower Saxony, Germany, following tips prompted by a $250,000 Microsoft bounty program, with international cooperation from U.S. authorities aiding the investigation.[12][13] In 2005, he received a suspended 21-month sentence for computer sabotage and data alteration, avoiding juvenile detention due to his age and lack of prior offenses; Microsoft later paid rewards to informants totaling $250,000.[14][13]

History

Discovery and Initial Spread

The Sasser worm was first detected on April 30, 2004, by antivirus researchers monitoring network traffic for emerging threats.[15] This initial variant, known as Sasser.A, targeted unpatched Windows XP and Windows 2000 systems, exploiting a buffer overflow vulnerability in the Local Security Authority Subsystem Service (LSASS).[16] Within hours of its release, the worm began propagating rapidly across the internet without requiring user interaction, such as email attachments. Starting May 1, 2004, Sasser spread aggressively, infecting hundreds of thousands of computers within the first few days, with early hotspots in the United States, United Kingdom, and parts of Asia.[17] Infected systems exhibited disruptive behaviors, including frequent automatic shutdowns after 60 seconds and blue screen errors, which hampered normal operations and drew widespread attention from users and organizations.[18] Antivirus firms estimated that Sasser and its variants impacted more than one million machines worldwide within days, primarily home users and small networks lacking firewalls or timely patches.[18][3] Over the following week, multiple variants emerged between May 1 and May 6, 2004, adapting the worm's code to evade detection and enhance propagation. Sasser.B appeared on May 1, 2004, improving scanning efficiency for vulnerable hosts through better random IP selection, while Sasser.C emerged on May 4 with further enhancements.[15] Sasser.D surfaced around May 4–7, introducing more aggressive network probing. 
Later variants introduced additional features: Sasser.B added a backdoor on TCP port 9898; Sasser.C displayed an infection message; Sasser.D added a backdoor on TCP port 1023; Sasser.E, detected around May 8–13 shortly after the creator's arrest, included a backdoor on TCP port 9999 and displayed a warning message urging users to patch their systems via Microsoft's website.[15][19] These rapid iterations contributed to the worm's estimated total infections exceeding one million in its early phase.[18]

Development and Attribution

The Sasser worm was developed in April 2004 by Sven Jaschan, an 18-year-old student at a technical college in Rotenburg an der Fulda, Lower Saxony, Germany, as part of his personal experimentation in malware creation.[20] Jaschan, who had limited prior programming experience but was self-taught in virus writing, coded Sasser on a home computer in his bedroom, motivated by a desire to gain recognition as a skilled programmer and potentially assist his mother's job prospects at a security firm.[21] This project followed his earlier work on the Netsky worm family, a series of about 30 variants he authored starting in February 2004, which demonstrated his evolving techniques in worm propagation and anti-antivirus evasion.[22][10] Attribution to Jaschan began shortly after Sasser's emergence on May 1, 2004, when Microsoft and antivirus researchers, including those at F-Secure and Symantec, identified striking code similarities between Sasser and the Netsky family, such as identical random number generation algorithms, shared subroutines for network scanning, and common FTP functions.[22][23] These parallels were reinforced by messages embedded in a Netsky variant (Netsky.AC) explicitly claiming authorship of Sasser, which analysts viewed as a signature from the same developer.[24] Tips from the antivirus community and informal networks further narrowed the search, culminating in two informants—acquaintances of Jaschan—contacting authorities in pursuit of Microsoft's $250,000 bounty for information leading to the worm's creator.[13][25] Jaschan was arrested at his home on May 8, 2004, and confessed to authoring both Sasser and the Netsky variants during initial questioning, amid growing media coverage of the worm's disruptions.[20][26] His admission was corroborated by forensic analysis of his computer, which contained source code matching the worms, solidifying the attribution without prolonged investigation.[27]

Technical Details

Exploited Vulnerability

The Sasser worm exploited a critical buffer overflow vulnerability in the Local Security Authority Subsystem Service (LSASS.exe), a core component of the Windows operating system responsible for security policy enforcement and user authentication.[28][29] This flaw, identified as CVE-2003-0533, stemmed from improper handling of Remote Procedure Call (RPC) requests in the LSASRV.DLL library, specifically within Active Directory service functions like DsRolerUpgradeDownlevelServer, which failed to adequately validate input lengths for debug entries in the DCPROMO.LOG file.[29][28] As a result, attackers could trigger a stack-based buffer overflow by sending a specially crafted RPC message, enabling arbitrary code execution with SYSTEM-level privileges without requiring user interaction or authentication.[29][30] The vulnerability was detailed in Microsoft Security Bulletin MS04-011, released on April 13, 2004, which highlighted its potential for remote code execution over TCP port 445 using the Server Message Block (SMB) protocol.[28] Primarily affecting unpatched systems running Windows XP Service Pack 1 (SP1), Windows 2000 Service Packs 2, 3, and 4 (SP2/SP3/SP4), and Windows Server 2003, the flaw rendered these installations susceptible to exploitation from anonymous remote attackers scanning the network.[29][28] Systems with later service packs or those updated via MS04-011 were immune, as the patch addressed the input validation issues in LSASS to prevent overflow conditions.[28] Sasser leveraged this port for initial propagation attempts, though full infection mechanics are covered elsewhere.[30]

Propagation Mechanism

The Sasser worm propagates exclusively through network-based mechanisms, targeting vulnerable Windows systems without relying on user interaction such as email attachments or file sharing. Upon execution, it initiates scanning operations by creating 128 concurrent threads that probe random IPv4 addresses for open TCP port 445, which is associated with the Server Message Block (SMB) service. This scanning selects target IP addresses with a bias toward local networks: approximately 50% are fully random, 25% share the first octet with the infected host, and 25% share the first two octets, enabling efficient spread within local environments. The worm can scan over 200 addresses per second per infected host, allowing rapid exploration of potential victims.[31][32] Once a vulnerable system is identified on port 445, Sasser exploits the Local Security Authority Subsystem Service (LSASS) buffer overflow vulnerability (MS04-011) by sending specially crafted, malformed Remote Procedure Call (RPC) packets. This exploit injects shellcode into the target process, granting the worm control without authentication. The shellcode then binds a remote command shell to TCP port 9996 and an FTP server to TCP port 5554 on the infected host, facilitating the download of the worm's executable (such as avserve.exe for the original variant). The target system connects to the attacker's FTP server, retrieves the payload anonymously, executes it, and the cycle repeats as the new instance begins scanning.[31][32] Variants of Sasser, such as Sasser.B, maintain the core propagation strategy but introduce minor modifications, including the use of avserve2.exe as the payload filename and alternative mutex names like "Jobaka3" to prevent multiple infections on the same host. This design avoids mass-mailing or social engineering tactics, allowing the worm to spread silently across local networks and evade early detection by antivirus tools focused on email vectors. 
The propagation remains confined to direct network exploits, with no reliance on external hosts beyond infected peers for payload distribution.[31][32]
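The scanning pattern described above is also what a defender can look for at the network edge. The following is an added example (not code from the article or from any vendor) that reads a constructed, simplified firewall connection log, finds sources fanning SYNs out to TCP/445, and reports how their targets split between the source's own /16, its own /8 and unrelated space, the locality mix this section attributes to Sasser; the log format, field names and the 50-destination threshold are assumptions.

```python
"""Flag Sasser-style TCP/445 scanning in firewall connection logs.

Added example for this page; it is not code from the article or from any vendor.
The log format is a constructed, simplified one ("<epoch> <src> <dst> <dport> <flags>");
a real firewall export needs its own parser, but the per-source analysis is the same.
"""
from collections import defaultdict

SCAN_PORT = 445          # SMB port probed by Sasser
MIN_DISTINCT_DSTS = 50   # constructed threshold: distinct targets per source in one window


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if malformed."""
    parts = line.split()
    if len(parts) != 5 or not parts[0].isdigit() or not parts[3].isdigit():
        return None
    ts, src, dst, dport, flags = parts
    return {"ts": int(ts), "src": src, "dst": dst, "dport": int(dport), "flags": flags}


def shares_prefix(a, b, octets):
    """True if dotted-quad addresses a and b agree on their first `octets` octets."""
    return a.split(".")[:octets] == b.split(".")[:octets]


def analyze(lines, window_s=60):
    """Return per-source statistics for sources that fan SYNs out to port 445.

    For each source exceeding MIN_DISTINCT_DSTS distinct destinations inside any
    window_s-second stretch, report how the destinations split between the source's
    own /16, its own /8 and unrelated space.  The article describes Sasser choosing
    targets roughly 25% same-/16, 25% same-/8 and 50% random, so a scanning host
    shows a locality mix that ordinary file-sharing traffic does not.
    """
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dport"] == SCAN_PORT and rec["flags"] == "S":
            by_src[rec["src"]].append(rec)

    findings = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        # Sliding window: keep the densest window_s-second run of probes
        best, lo = [], 0
        for hi in range(len(recs)):
            while recs[hi]["ts"] - recs[lo]["ts"] > window_s:
                lo += 1
            if hi - lo + 1 > len(best):
                best = recs[lo:hi + 1]
        dsts = {r["dst"] for r in best}
        if len(dsts) < MIN_DISTINCT_DSTS:
            continue
        same16 = sum(1 for d in dsts if shares_prefix(src, d, 2))
        same8 = sum(1 for d in dsts if shares_prefix(src, d, 1)) - same16
        span = max(1, best[-1]["ts"] - best[0]["ts"])
        findings[src] = {
            "distinct_dsts": len(dsts),
            "probes_per_s": round(len(best) / span, 2),
            "same_16": same16,
            "same_8": same8,
            "other": len(dsts) - same16 - same8,
        }
    return findings


def sample_log():
    """Constructed log: one host scanning with the 25/25/50 bias, one benign host."""
    lines = []
    src = "10.1.2.3"
    for i in range(100):
        if i < 25:
            dst = f"10.1.{i}.7"          # same /16 as the source
        elif i < 50:
            dst = f"10.{100 + i}.0.1"    # same /8 only
        else:
            dst = f"{100 + i}.5.5.5"     # unrelated address space
        lines.append(f"{1000 + i // 4} {src} {dst} 445 S")
    # Benign host: a couple of SMB sessions to file servers and some web traffic
    lines += ["1003 10.1.2.9 10.1.0.20 445 S", "1004 10.1.2.9 10.1.0.21 445 S",
              "1005 10.1.2.9 93.184.216.34 80 S"]
    return lines


if __name__ == "__main__":
    for host, stats in analyze(sample_log()).items():
        print(host, stats)
```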

Payload Execution

Upon successful exploitation of the stack-based buffer overflow vulnerability in the Local Security Authority Subsystem Service (LSASS), the Sasser worm executes its payload on the infected system. The worm copies its binary to the Windows system directory, typically as avserve.exe for the initial variant, and establishes persistence by adding a registry key under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to launch the file on startup.[31][32] To avoid multiple concurrent executions, it creates a mutex named "Jobaka3l".[31] The process disguises itself by running under the name lsass.exe in the %System% directory, mimicking the legitimate LSASS service.[31] The core payload behavior centers on propagation, with the worm spawning up to 128 threads to generate random IP addresses and probe TCP port 445 for vulnerable hosts.[32] Upon identifying a susceptible system, it triggers another buffer overflow to deploy shellcode that instructs the target to connect to the infected machine's FTP server on TCP port 5554, downloading and executing a copy of the worm.[32] Additionally, the payload opens a backdoor listener on TCP port 9996, enabling remote shell access for command execution.[32] The worm lacks capabilities for data exfiltration, encryption, or other destructive actions beyond facilitating its spread.[1]

Variants of Sasser exhibit minor differences in payload execution while retaining the fundamental propagation and backdoor mechanisms. Sasser.A, the original variant, integrates code that leads to frequent system shutdowns approximately every minute due to repeated LSASS crashes induced by the worm's activity.[30] In Sasser.B, the file is named avserve2.exe with an alternate mutex "Jobaka3", and it creates additional temporary files like _up.exe in the system32 directory.[32] Sasser.C, D, and E introduce variations such as increased thread counts (e.g., 1024 in C), different file names (e.g., SKYNETAVE.EXE in D), and enhanced backdoor features for remote control in E, but all prioritize scanning and infection over other payloads.[31]

Effects

System Disruptions

The Sasser worm primarily disrupted infected systems by exploiting a vulnerability in the Local Security Authority Subsystem Service (LSASS), causing the lsass.exe process to crash repeatedly.[31] This crash triggered automatic system shutdowns, often accompanied by error messages indicating the termination of lsass.exe with status code -1073741819.[33] On Windows XP systems, infections led to continuous reboots, while Windows 2000 machines typically crashed once before displaying a shutdown warning.[32] Infected computers displayed prominent error dialogs, such as "The system process ‘C:\Windows\System32\lsass.exe’ terminated unexpectedly with status code -1073741819. Click OK to shut down the system," followed by a 60-second countdown timer before reboot.[34] Users could temporarily abort these shutdowns using the command "shutdown -a" in the Run dialog, but the cycle resumed shortly after.[34] Beyond crashes, the worm's propagation mechanism consumed significant system resources, launching up to 128 scanning threads to probe random IP addresses for vulnerable hosts, resulting in high CPU usage and overall performance degradation.[31] This scanning activity slowed down infected machines even when not actively crashing, rendering them unresponsive for tasks like web browsing or file access. Servers experienced amplified effects, as repeated reboots denied services to connected users without warning.[32] Although disruptive, Sasser did not cause permanent data loss or file corruption, preserving user files but interrupting ongoing work through incessant reboots and slowdowns.[31] The payload's exploitation of LSASS during infection directly initiated these crashes, as detailed in the technical analysis of its execution.[31]

Network Consequences

The Sasser worm generated substantial outbound scanning traffic by spawning 128 concurrent threads on infected systems, each probing random IP addresses on TCP port 445 to identify vulnerable Windows machines via the SMB protocol.[32][31] This multi-threaded approach allowed scans at rates exceeding 200 addresses per second, resulting in excessive network traffic that consumed significant bandwidth and induced denial-of-service-like effects in local networks, particularly those with limited connectivity or high concentrations of unpatched hosts.[32] In environments such as home or small office setups, this scanning activity often slowed Internet access to a crawl as the worm prioritized propagation over normal operations.[17]

In enterprise settings, Sasser's propagation created rapid infection chains through horizontal spread within local subnets, exploiting default trust relationships and homogeneous configurations of Windows XP and 2000 desktops.[35] An infected device, such as a notebook brought from home, could quickly compromise multiple internal systems by leveraging the LSASS vulnerability, amplifying disruptions as the worm replicated exponentially across interconnected segments without requiring user intervention or email vectors.[32] This intra-network diffusion strained core infrastructure, with simulations indicating potential saturation of 100 Mbps links in test environments due to the worm's aggressive scanning and file transfer mechanisms.[35]

Network security systems experienced spikes in alerts from firewalls and intrusion detection systems (IDS) triggered by the anomalous SMB traffic patterns on port 445, including repeated null session probes and SYN packets to random destinations.[32] Administrators responded by isolating the port at perimeter firewalls or using tools like Snort to log and block the suspicious connections, which helped contain the outbreak but required vigilant monitoring to distinguish worm activity from legitimate file-sharing.[36] Some organizations temporarily segmented subnets to limit lateral movement, reducing the overall propagation speed within their infrastructure.[32] The worm's payload, which forced system reboots on vulnerable hosts every few minutes, created secondary network vulnerabilities by intermittently exposing ports during the restart process, potentially allowing opportunistic infections from other threats amid the heightened scanning chaos.[32] This reboot cycle further exacerbated bandwidth strain as recovering systems immediately resumed scanning, prolonging the denial-of-service conditions until patches were applied.[17]

Impact

Global Infection Scale

The Sasser worm reached a peak infection level of between 500,000 and 1 million computers worldwide in early May 2004, primarily targeting unpatched Windows XP and 2000 systems.[3][37] Early detection occurred in Asia shortly after its emergence on April 30, 2004. Geographically, the worm's spread was uneven but extensive, with hotspots in Asia, Europe, the United Kingdom, and the United States. Taiwan experienced particularly heavy early infections, disrupting numerous systems before patches were widely applied. In the UK and parts of Europe, corporate and public sector networks saw significant compromise, while the US reported widespread impacts across various sectors. Developing regions faced prolonged exposure due to slower adoption of security updates, contributing to persistent infections beyond the initial outbreak. In scale, Sasser's global reach was comparable to the Blaster worm from 2003, which affected over 1.4 million systems, though Sasser's network scanning mechanism enabled a faster initial propagation rate.[38] By mid-May 2004, infections declined sharply following the deployment of Microsoft patches and antivirus signatures, reducing active cases to minimal levels in most areas.[39]

Economic and Operational Costs

The Sasser worm inflicted substantial economic losses worldwide, with estimates varying widely; one assessment placed the total cost at over $500 million, though other reports suggested claims as high as $18 billion were likely exaggerated given the infection rate.[40][9] These figures encompass lost productivity, emergency IT remediation, and operational downtime across businesses and public sector entities, amplified by the worm's rapid spread, which peaked at infecting up to 1 million systems within days.[5]

Operational disruptions underscored the worm's practical toll on critical infrastructure. In Taiwan, the national postal service reported infections on 1,600 workstations, compelling over 400 of its 1,200 branch offices to revert to manual operations and causing mail processing delays that incurred millions in lost efficiency and revenue.[4] Similarly, in the United States, up to 500 hospitals in New Orleans experienced system shutdowns for several hours, halting administrative functions and patient services, while social and health services in Washington state faced comparable interruptions.[41] Rail networks were also affected, with the worm slowing train operations in Australia by disrupting signaling systems and communications between drivers and control centers.[42]

In the longer term, the Sasser outbreak exposed systemic shortcomings in patch management, as the exploited LSASS vulnerability had been addressed by a Microsoft patch released weeks earlier, yet many organizations failed to apply it promptly.[1] This led to heightened cybersecurity investments, with industry analysts urging businesses to allocate additional budgets to bolster defenses against similar threats.[43] Regarding insurance and liability, affected firms pursued damage claims, with prosecutors documenting 143 plaintiffs seeking approximately $157,000 in compensation related to the worm's impacts, though these were primarily directed at the creator rather than vendors.[10] No significant class-action lawsuits materialized against Microsoft, but the event prompted faster issuance of security advisories to mitigate future vulnerabilities.[44]

Response and Remediation

Vendor Patches

Microsoft released Security Bulletin MS04-011 on April 13, 2004, which detailed the Local Security Authority Subsystem Service (LSASS) buffer overflow vulnerability exploited by the Sasser worm and provided comprehensive guidance on the associated risks, exploitation methods, and patch deployment strategies.[28] The bulletin accompanied the release of patch KB835732, a critical security update that addressed the LSASS vulnerability across affected Windows platforms including Windows XP, Windows 2000, and Windows Server 2003.[28] This patch was distributed automatically through Windows Update, enabling seamless application for users with the service enabled, thereby preventing infection by blocking the remote code execution pathway used by Sasser.[28] In parallel, antivirus vendors responded swiftly to the worm's emergence on April 30, 2004, with Symantec documenting the initial variant and releasing detection signatures in its W32.Sasser family by early May, allowing real-time scanning and quarantine of infected systems.[45] Similarly, McAfee and other major providers updated their engines to identify Sasser variants swiftly after the worm's emergence in late April 2004, through signature-based heuristics targeting the worm's propagation code and payload. 
Microsoft complemented these efforts by issuing a dedicated Sasser Worm Removal Tool on May 2, 2004, integrated into its broader Malicious Software Removal Tool framework, which scanned for and eradicated Sasser infections while recommending subsequent patching.[46] To curb Sasser's spread during the outbreak, Microsoft advised temporary firewall rules to block inbound and outbound traffic on TCP port 445, the primary vector for the worm's network scanning and exploitation attempts, as a workaround until patching could be completed.[28] Additionally, the company emphasized establishing enforced patch cycles and automated update mechanisms to proactively address unpatched vulnerabilities, reducing the window of exposure for future threats like Sasser.[47]

Detection and Removal Methods

Detection of the Sasser worm typically involves monitoring for specific symptoms and network behaviors indicative of infection. Infected systems often exhibit system instability, including frequent crashes of the LSASS.exe process, leading to error messages and automatic shutdown loops with a 60-second countdown. Administrators can identify active infections by checking for anomalous processes such as avserve.exe or variants like avserve2.exe running in Task Manager, unusual outbound traffic on TCP ports 445, 5554, and 9996 via tools like netstat, or the presence of log files such as C:\win.log containing scanned IP addresses.[31][48][1]

Manual removal requires careful steps to terminate the worm's execution and eliminate its components, suitable for advanced users. First, disconnect the system from the network to prevent further spread. Use Task Manager to end the worm's process, such as avserve.exe, then delete the associated executable files from the %Windir% directory, including avserve.exe and any variants like 12345_up.exe. Next, edit the Windows Registry using regedit.exe to remove the entry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run that launches the worm, typically named "avserve.exe" with the value "%Windir%\avserve.exe". Finally, restart the system in Safe Mode if necessary and verify removal by rescanning for residual files.[31][48]

Automated tools provide a simpler alternative for detection and removal, particularly for variants of the Sasser family. Microsoft released a dedicated Sasser.A and Sasser.B Worm Removal Tool in 2004, which scans for and eliminates the worm's files and registry entries; modern systems can use the Windows Malicious Software Removal Tool (MRT) or Microsoft Defender Antivirus, which detects Win32/Sasser through signature-based and heuristic methods. Third-party antivirus software, such as Symantec's W32.Sasser Removal Tool or F-Secure products, also effectively identifies and quarantines infections by targeting the worm's payload files like avserve.exe. Running a full system scan in Safe Mode is recommended after downloading these tools from official sources.[1][48][31]

Post-removal prevention focuses on securing the system against reinfection, as the worm exploits unpatched vulnerabilities. Apply the Microsoft Security Bulletin MS04-011 patch to address the LSASS buffer overflow, enable a personal firewall to block inbound connections on port 445, and configure network gateways to restrict traffic on ports 5554 and 9996. Regular antivirus scans and keeping software updated further mitigate risks from Sasser variants.[31][48][1]
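The host indicators listed above can be correlated rather than checked one at a time. As an added example (not the article's or any vendor tool's code), the script below parses constructed text in the shape of `netstat -ano` and `tasklist /FO CSV` output and reports a PID only when at least two indicators agree: a listener on TCP 5554 or 9996, many half-open connections to TCP/445, or one of the file names this page attributes to the worm; the threshold of 20 half-open connections and the sample data are assumptions.

```python
"""Triage a Windows host for Sasser-style indicators from netstat and tasklist output.

Added example for this page; it is not code from the article or from any vendor tool.
Inputs are constructed text in the shape of `netstat -ano` and `tasklist /FO CSV`
output; on a live host you would capture both commands and feed their output in.
"""
import csv
import io
import re
from collections import defaultdict

BACKDOOR_PORTS = {5554, 9996}   # FTP server and remote shell ports named in the article
SCAN_PORT = 445                 # SMB port probed by the worm
MIN_SYN_SENT = 20               # constructed threshold for half-open 445 connections per PID
KNOWN_IMAGES = {"avserve.exe", "avserve2.exe", "skynetave.exe"}  # variant file names from the article

# Matches TCP rows of `netstat -ano`: proto, local addr:port, foreign addr:port, state, PID
NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_netstat(text):
    """Yield (local_port, remote_port, state, pid) for each TCP row."""
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            _, lport, _, rport, state, pid = m.groups()
            yield int(lport), (int(rport) if rport.isdigit() else None), state, int(pid)


def parse_tasklist(text):
    """Map PID -> lower-cased image name from `tasklist /FO CSV` output."""
    return {int(row["PID"]): row["Image Name"].lower()
            for row in csv.DictReader(io.StringIO(text))}


def triage(netstat_text, tasklist_text):
    """Correlate per-PID network behaviour with process names; return suspect PIDs.

    A process name alone is weak evidence: the article notes the worm can run as
    lsass.exe to mimic the real service, and the real lsass.exe legitimately talks
    to domain controllers on port 445.  A PID is reported only when at least two
    independent indicators agree.
    """
    listeners = defaultdict(set)   # pid -> backdoor ports it listens on
    syn_sent = defaultdict(int)    # pid -> half-open connections to port 445
    for lport, rport, state, pid in parse_netstat(netstat_text):
        if state == "LISTENING" and lport in BACKDOOR_PORTS:
            listeners[pid].add(lport)
        elif state == "SYN_SENT" and rport == SCAN_PORT:
            syn_sent[pid] += 1

    names = parse_tasklist(tasklist_text)
    findings = []
    for pid in set(listeners) | set(syn_sent) | set(names):
        reasons = []
        if listeners.get(pid):
            reasons.append(f"listening on TCP {sorted(listeners[pid])}")
        if syn_sent.get(pid, 0) >= MIN_SYN_SENT:
            reasons.append(f"{syn_sent[pid]} half-open connections to TCP/{SCAN_PORT}")
        if names.get(pid) in KNOWN_IMAGES:
            reasons.append(f"image name {names[pid]}")
        if len(reasons) >= 2:
            findings.append({"pid": pid, "image": names.get(pid, "?"), "reasons": reasons})
    return sorted(findings, key=lambda f: f["pid"])


def sample_netstat():
    """Constructed `netstat -ano` output: one infected PID, one legitimate lsass.exe."""
    rows = ["Active Connections", "",
            "  Proto  Local Address          Foreign Address        State           PID",
            "  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4",
            "  TCP    0.0.0.0:5554           0.0.0.0:0              LISTENING       1432",
            "  TCP    0.0.0.0:9996           0.0.0.0:0              LISTENING       1432",
            "  TCP    10.1.2.3:1049          10.1.0.10:445          ESTABLISHED     880",
            "  TCP    10.1.2.3:1050          10.1.0.11:445          SYN_SENT        880"]
    # 25 half-open probes to unrelated /8s on port 445, all owned by the worm's PID
    rows += [f"  TCP    10.1.2.3:{1100 + i}          {150 + i}.5.5.5:445          SYN_SENT        1432"
             for i in range(25)]
    return "\n".join(rows)


def sample_tasklist():
    """Constructed `tasklist /FO CSV` output for the PIDs above."""
    return "\n".join(['"Image Name","PID","Session Name","Session#","Mem Usage"',
                      '"System","4","Services","0","236 K"',
                      '"lsass.exe","880","Services","0","6,412 K"',
                      '"avserve.exe","1432","Console","0","1,024 K"'])


if __name__ == "__main__":
    for finding in triage(sample_netstat(), sample_tasklist()):
        print(finding)
```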

Investigation

The investigation into the Sasser worm began shortly after its detection on April 30, 2004, with authorities launching formal probes in early May amid its rapid global spread, which disrupted systems worldwide.[49] German police in Hannover, Lower Saxony, led the effort, collaborating closely with Microsoft, whose security team provided critical technical analysis of the worm's code and behavior in controlled lab environments.[49] Due to the worm's international impact, the probe involved the FBI, U.S. Secret Service, and Interpol to facilitate cross-border information sharing and coordination between U.S. and German investigators.[49][50]

A key breakthrough came from forensic code analysis, which revealed strong links between Sasser and the earlier Netsky worm family through shared programming techniques, such as identical algorithms for random number generation and common subroutines for interacting with Windows systems.[51] Further examination uncovered embedded messages in Netsky variant AC (released April 28, 2004), where the author claimed responsibility for Sasser and included matching source code snippets, attributing both to the "Skynet" group and narrowing the origin to Germany based on linguistic and stylistic clues in the code strings.[51] This connection implicated the same perpetrator in all 30 Netsky variants dating back to February 2004, allowing investigators to focus on digital footprints like IP address logs from infected machines, which traced propagation patterns to the Rotenburg an der Wümme area in Lower Saxony.[49][51]

On May 5, 2004, informants from Lower Saxony contacted Microsoft investigators in Munich, providing details on a suspect in exchange for the company's $250,000 reward offered under its antivirus reward program.[49] The tip originated from a fellow pupil at the suspect's vocational school, identifying 18-year-old high school student Sven Jaschan from Waffensen as the likely author based on his known interest in virus writing.[11] German police acted swiftly, arresting Jaschan at his home on May 7, 2004—seven days after Sasser's launch—after verifying the leads through additional code tests and network traces.[49]

Arrest and Conviction

Sven Jaschan, the author of the Sasser worm, was arrested on May 7, 2004, at his home in northern Germany shortly after confessing to authorities about creating and releasing the malware.[52] As a German resident, Jaschan faced no extradition proceedings, with the investigation led by local police in cooperation with Microsoft, which had offered a $250,000 reward to informants.[53] Jaschan's trial took place in Verden, Germany, beginning on July 5, 2005, where he was charged with computer sabotage, disrupting public services, and illegally altering data—offenses that could carry up to five years in prison for an adult.[11] Already 19 years old at the start of the proceedings, Jaschan was tried as a juvenile due to his age at the time of the offense.[52] He admitted guilt during the trial, which concluded on July 8, 2005.[54] On July 8, 2005, Jaschan received a suspended sentence of 21 months' probation, 30 hours of community service at a local hospital or retirement home, and a criminal record, avoiding jail time owing to his youth, cooperation with investigators, and lack of profit motive.[53] Following his arrest, Jaschan was hired as a security consultant by the German firm Securepoint in September 2004, where he contributed to antivirus development.[55] The case marked one of the earliest high-profile prosecutions of a juvenile malware author in Europe, highlighting leniency for young offenders while establishing precedents for handling similar cybercrimes involving minors.[56]
