EPFL Logo
fr|en
Login
Concept

Sasser (computer worm)

Sasser is a computer worm that affects computers running vulnerable versions of the Microsoft operating systems Windows XP and Windows 2000. Sasser spreads by exploiting the system through a vulnerable port. Thus it is particularly virulent in that it can spread without user intervention, but it is also easily stopped by a properly configured firewall or by downloading system updates from Windows Update. The specific hole Sasser exploits is documented by Microsoft in its MS04-011 bulletin, for which a patch had been released seventeen days earlier. The most characteristic experience of the worm is the shutdown timer that appears due to the worm crashing LSASS. Sasser was created on April 30, 2004. This worm was named Sasser because it spreads by exploiting a buffer overflow in the component known as LSASS (Local Security Authority Subsystem Service) on the affected operating systems. According to a report by eEye Digital Security published on April 13, 2004, this buffer overflow relies on an apparently deprecated API call to Microsoft Active Directory, which both allows for unchecked remote queries and crashes LSASS.exe if given a long string. Once on a machine, the worm scans different ranges of IP addresses and connects to victims' computers primarily through TCP port 445. If a vulnerable installation of XP or 2000 is found, the worm utilizes its own FTP server hosted on previously infected machines to download itself onto the newly compromised host. Microsoft's analysis of the worm indicates that it may also spread through port 139. Several variants called Sasser.B, Sasser.C, and Sasser.D appeared within days (with the original named Sasser.A). The LSASS vulnerability was patched by Microsoft in the April 2004 installment of its monthly security packages, prior to the release of the worm. Some technology specialists have speculated that the worm writer reverse-engineered the patch to discover the vulnerability, which would open millions of computers whose operating system had not been upgraded with the security update.

Official source
About this result
This page is automatically generated and may contain information that is not correct, complete, up-to-date, or relevant to your search query. The same applies to every other page on this website. Please make sure to verify the information with EPFL's official sources.
Related courses (1)
MATH-305: Introduction to partial differential equations
This is an introductory course on Elliptic Partial Differential Equations. The course will cover the theory of both classical and generalized (weak) solutions of elliptic PDEs.

Copyright © 2025 EPFL, all rights reserved

Graph Chatbot

Chat with Graph Search

Ask any question about EPFL courses, lectures, exercises, research, news, etc. or try the example questions below.

DISCLAIMER: The Graph Chatbot is not programmed to provide explicit or categorical answers to your questions. Rather, it transforms your questions into API requests that are distributed across the various IT services officially administered by EPFL. Its purpose is solely to collect and recommend relevant references to content that you can explore to help you answer your questions.