Sasser Worm Overview
The worm, labeled Sasser.A, has been propagating by leveraging a flaw in the Microsoft Windows LSA (Local Security Authority) Service (LSASRV.DLL). The flaw was discovered by eEye Digital Security and reported to Microsoft on October 8, 2003; Microsoft fixed it in security bulletin MS04-011 (April 13, 2004), so any system with that update applied is not exploitable by the worm.

The worm targets systems running Microsoft Windows 2000 and XP (workstations as well as servers) that have not been patched for the vulnerability. Sasser executes without requiring any action on the part of the user. The worm copies itself into the Windows directory as avserve.exe and adds a registry run key so that it is loaded at system start-up, creating the value "avserve.exe"=%windows%\avserve.exe under the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The Sasser worm can infect any vulnerable computer that is switched on and connected to the Internet. Unlike most worms and viruses, it is not spread by email and does not require any user action to propagate. In reported instances so far, infected or attacked machines have been observed shutting down and automatically rebooting, repeating several times. The reboot is a side effect of the exploit rather than deliberate worm behaviour: the attack crashes the LSASS process, and Windows responds to an LSASS failure by forcing a restart after a short countdown, so a machine that keeps being hit keeps rebooting. On Windows XP the pending restart can be cancelled from a command prompt with shutdown -a long enough to apply the patch.

How it Propagates
Sasser scans random IP addresses for vulnerable systems, delivering the LSASS exploit over TCP port 445. When a vulnerable host is found, the exploit gives the worm a remote command shell on the victim (TCP port 9996 in Sasser.A), through which it sends a short script of commands. The script instructs the victim to download the worm by FTP from the infecting host and execute it; the infected host serves this FTP traffic on TCP port 5554. Both halves of this exchange are visible on the network: a single source touching many destinations on TCP 445 in quick succession, followed by inbound connections to TCP 5554 on that same source.
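The following is an added detection example, not part of the eEye advisory or any eEye tool. It runs over a constructed, syslog-style connection log (the line format is invented for the example) and flags the two propagation behaviours described above: a source scanning many distinct destinations on TCP 445 within a short window, and a host accepting inbound connections on TCP 5554. The thresholds and window size are assumptions to be tuned for a real network.

```python
"""Flag Sasser-style propagation in connection logs.

Added example (not from the eEye advisory).  Two behaviours are checked:
  1. one source contacting many distinct destinations on TCP 445 (the port
     the LSASS exploit is delivered over) inside a short window -> scanning
  2. a host accepting inbound connections on TCP 5554 -> the worm's FTP
     listener handing the worm body to freshly exploited victims
The log format below is constructed for this example, not a real product's.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LSASS_PORT = 445      # SMB; the LSASS exploit is sent here
WORM_FTP_PORT = 5554  # Sasser.A's FTP server on the infected host

# Constructed sample log: "<iso-timestamp> <src>:<sport> -> <dst>:<dport> <action>"
# 10.0.0.5 scans six hosts on 445 in three seconds, then 10.0.0.9 (one of
# them) pulls the worm from 10.0.0.5 on 5554.  10.0.0.7 is ordinary traffic.
SAMPLE_LOG = """\
2004-05-01T10:00:00 10.0.0.5:1030 -> 10.0.0.9:445 allow
2004-05-01T10:00:01 10.0.0.5:1031 -> 192.168.1.20:445 allow
2004-05-01T10:00:01 10.0.0.5:1032 -> 172.16.4.8:445 allow
2004-05-01T10:00:02 10.0.0.5:1033 -> 203.0.113.77:445 deny
2004-05-01T10:00:02 10.0.0.5:1034 -> 198.51.100.3:445 deny
2004-05-01T10:00:03 10.0.0.5:1035 -> 10.0.0.12:445 allow
2004-05-01T10:00:05 10.0.0.9:1200 -> 10.0.0.5:5554 allow
2004-05-01T10:01:00 10.0.0.7:2000 -> 10.0.0.1:80 allow
2004-05-01T10:01:02 10.0.0.7:2001 -> 10.0.0.9:445 allow
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _arrow, dst, action = line.split()
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "src": src_ip, "sport": int(src_port),
            "dst": dst_ip, "dport": int(dst_port),
            "action": action,
        })
    return events


def find_scanners(events, threshold=5, window=timedelta(seconds=60)):
    """Return {src_ip: peak distinct 445/tcp targets} for sources whose
    distinct-target count inside any `window` reaches `threshold`.
    Denied attempts count too: scanning is the attempt, not the success."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["dport"] == LSASS_PORT:
            by_src[ev["src"]].append((ev["ts"], ev["dst"]))
    flagged = {}
    for src, attempts in by_src.items():
        attempts.sort()
        peak = 0
        for i, (start, _) in enumerate(attempts):
            # attempts is time-sorted, so everything from i onward is >= start
            seen = {dst for ts, dst in attempts[i:] if ts - start <= window}
            peak = max(peak, len(seen))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def find_worm_servers(events):
    """Return the set of hosts that accepted a connection on 5554/tcp."""
    return {ev["dst"] for ev in events
            if ev["dport"] == WORM_FTP_PORT and ev["action"] == "allow"}


def analyze(text):
    """Run both checks; a host in both sets is an infected, actively
    spreading machine rather than a mere scanner or a stray port hit."""
    events = parse_log(text)
    scanners = find_scanners(events)
    servers = find_worm_servers(events)
    return {
        "scanners": scanners,
        "ftp_servers": servers,
        "infected": sorted(set(scanners) & servers),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A host that appears under both checks (10.0.0.5 in the sample) should be isolated first: it is already infected and serving the worm, and every host it reached on 445 is a candidate victim to check for the avserve.exe run key.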

For an analysis of the worm please visit:
http://www.eeye.com/html/Research/Ad...D20040501.html

For complete information on the Windows Local Security Authority Service flaw (LSASS vulnerability), please visit:
http://www.eeye.com/html/Research/Ad...20040413C.html


Source: eEye security email