Sasser Worm
Sasser: Windows Worm That Crashed Systems Worldwide
Sasser is a computer worm that hit Windows 2000 and Windows XP systems in April 2004, exploiting a vulnerability in the LSASS (Local Security Authority Subsystem Service) to spread automatically. It caused widespread network outages and system reboots by crashing affected machines. Unlike email-based worms of the era, Sasser required no user interaction, making it one of the first major examples of automated, network-based malware propagation.
Introduction to Sasser
Sasser spread by scanning for vulnerable systems on port 445/TCP and using a buffer overflow exploit (CVE-2003-0533) to remotely install itself. Once inside, it dropped a copy of the worm and began scanning for new targets. The worm didn’t carry a destructive payload, but its instability caused systems to reboot repeatedly, making it highly disruptive, especially in sectors like transportation, healthcare, and finance.
1. How Sasser Works
Infection Mechanism:
Sasser scanned random IP addresses for systems with port 445 open and the LSASS vulnerability unpatched. Upon finding a target, it exploited the flaw to trigger a buffer overflow, allowing it to execute code remotely. The newly compromised machine then fetched a copy of the worm over FTP from the infecting host's built-in FTP server on port 5554.
Payload Execution:
Once installed, Sasser:
- Copied itself to the system and modified the registry for persistence
- Launched its own FTP server to help infect other systems
- Began scanning the internet for more vulnerable hosts
- Frequently caused system crashes and forced reboots due to errors in the LSASS process
It did not encrypt files or steal data—its damage came from its instability and scale.
2. History and Notable Campaigns
Origin and Discovery:
Sasser was released in late April 2004, shortly after Microsoft issued a patch for the LSASS vulnerability (MS04-011). The worm was created by Sven Jaschan, a German teenager who also authored the Netsky worm.
Notable Campaigns:
- Delta Air Lines had to cancel flights due to system failures
- British Coast Guard operations were impacted
- Taiwan’s post offices, banks in Finland, and hospitals in Sweden were hit
- Estimated millions of computers infected worldwide
- Jaschan was later arrested and received a suspended sentence due to his age
3. Targets and Impact
Targeted Victims and Sectors:
Sasser affected any unpatched Windows XP or Windows 2000 machine connected to the internet. Victims ranged from home users to critical infrastructure, including:
- Airlines
- Hospitals
- Telecom networks
- Public safety agencies
Consequences:
- System instability, with LSASS crashes causing reboots every few minutes
- Network slowdowns from uncontrolled scanning
- Flight cancellations, ATM outages, and disrupted emergency services
- Long-term financial and reputational damage
4. Technical Details
Payload Capabilities:
- Remote execution via buffer overflow in LSASS.exe
- Worm binary copied to C:\WINDOWS\avserve.exe (or avserve2.exe)
- Creates entry in Windows registry for persistence
- Uses built-in FTP server on port 5554 to deliver payload to others
- Self-replicates without email or user action
Evasion Techniques:
- No real stealth: Sasser was noisy and easily detectable, which helped drive rapid awareness
- Operated without needing phishing or social engineering
- Used multiple threads to scan and infect rapidly
- Exploited systems in local and global ranges, spreading fast
5. Preventing Sasser Infections
Best Practices (Then and Now):
- Apply security patches promptly (MS04-011 in this case)
- Block port 445 at network perimeters
- Disable unused services
- Use host-based firewalls to control local traffic
- Monitor system and network logs for suspicious scanning behavior
Recommended Security Tools:
- Microsoft Baseline Security Analyzer (MBSA) (at the time)
- Modern AV and EDR tools like Microsoft Defender for Endpoint
- IDS/IPS systems to detect worm-like activity
- Network segmentation to reduce lateral movement
6. Detecting and Removing Sasser
Indicators of Compromise (IoCs):
- Sudden system reboots with LSASS-related errors
- FTP server active on port 5554
- Processes named avserve.exe or avserve2.exe
- Registry entries under HKLM\Software\Microsoft\Windows\CurrentVersion\Run referencing the worm
- Heavy outbound traffic on port 445
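The following host triage script is an added example, not code from the original page or from any Sasser analysis. It checks the indicators listed above (worm process names, the Run-key entry, a TCP/5554 listener, and a high count of distinct hosts being contacted on port 445, which is the scanning behaviour the prevention section says to monitor for) against a constructed process list, Run-key dump and netstat-style table; the data structures and the fan-out threshold are assumptions for the illustration.

```python
WORM_IMAGES = {"avserve.exe", "avserve2.exe"}  # worm file names from the IoC list
FTP_PORT = 5554   # worm's built-in FTP server
SMB_PORT = 445    # port the worm scans for new targets

def worm_processes(processes):
    """PIDs of running images that match the worm's known file names."""
    return [pid for pid, image in processes if image.lower() in WORM_IMAGES]

def worm_run_entries(run_values):
    """Run-key value names whose command line references the worm binary."""
    return [name for name, cmd in run_values
            if any(img in cmd.lower() for img in WORM_IMAGES)]

def ftp_listener_present(netstat):
    """True if a TCP listener is bound to 5554, the worm's FTP port."""
    return any(proto == "TCP" and state == "LISTENING"
               and int(local.rsplit(":", 1)[1]) == FTP_PORT
               for proto, local, _remote, state in netstat)

def smb_fanout(netstat):
    """Number of distinct remote hosts this machine is contacting on TCP/445."""
    hosts = set()
    for proto, _local, remote, state in netstat:
        host, port = remote.rsplit(":", 1)
        if proto == "TCP" and int(port) == SMB_PORT and state != "LISTENING":
            hosts.add(host)
    return len(hosts)

def assess(processes, run_values, netstat, fanout_threshold=10):
    """Flag the host on any file/registry/listener IoC, or on SMB fan-out
    high enough to look like worm scanning rather than normal file sharing."""
    f = {"worm_processes": worm_processes(processes),
         "worm_run_entries": worm_run_entries(run_values),
         "ftp_listener": ftp_listener_present(netstat),
         "smb_fanout": smb_fanout(netstat)}
    f["infected"] = bool(f["worm_processes"] or f["worm_run_entries"]
                         or f["ftp_listener"] or f["smb_fanout"] >= fanout_threshold)
    return f

# Constructed sample snapshot of an infected host (not real captures).
PROCESSES = [(4, "System"), (612, "lsass.exe"), (1532, "AVSERVE2.EXE")]
RUN_VALUES = [("ctfmon.exe", "CTFMON.EXE"), ("avserve2.exe", "C:\\WINDOWS\\avserve2.exe")]
NETSTAT = [("TCP", "0.0.0.0:5554", "0.0.0.0:0", "LISTENING"),
           ("TCP", "0.0.0.0:445", "0.0.0.0:0", "LISTENING")] + [
           ("TCP", f"10.0.0.5:{1100 + i}", f"10.0.{i // 4}.{20 + i}:445", "SYN_SENT")
           for i in range(12)]

if __name__ == "__main__":
    print(assess(PROCESSES, RUN_VALUES, NETSTAT))
```

On a real host the same checks would be fed from a process listing, the Run key and the output of netstat rather than the inline sample.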
Removal Steps:
- Disconnect infected machines from the network
- Use Microsoft’s Sasser removal tool (released in 2004)
- Apply MS04-011 patch immediately
- Delete malicious files and clean registry entries
- Reboot and monitor system behavior
Professional Help:
For organizations, widespread infections required full-scale IT response, including network isolation and emergency patch deployment. In today’s terms, this would fall under critical incident response.
7. Response to a Sasser Infection
Immediate Steps:
- Isolate affected systems to stop lateral spread
- Deploy patch MS04-011 to all endpoints
- Scan the network for systems with open port 445
- Conduct a post-infection audit to verify full removal
8. Legal and Ethical Implications
Legal Considerations:
Sven Jaschan was arrested in May 2004 and later convicted under German law. Due to his age (17 at the time), he received a suspended sentence and community service. His case raised questions about criminal liability for teenage cyber offenders.
Ethical Considerations:
Sasser didn’t steal data or profit, but it crippled critical systems worldwide. Even if not financially motivated, the worm caused real-world harm—proving that intent doesn’t always matter when it comes to malware damage.
9. Resources and References
- Microsoft Security Bulletin: MS04-011
- F-Secure Sasser analysis
- MyCERT Sasser advisory
- SANS Internet Storm Center: Sasser Worm Review
10. FAQs about Sasser
Q: What is the Sasser worm?
A 2004 Windows worm that exploited a flaw in LSASS to crash and reboot systems, spreading without user interaction.
Q: How did it spread?
By scanning IP addresses and using a buffer overflow in LSASS via port 445, then transferring itself via FTP.
Q: Did it steal data?
No—it caused disruption through instability, not data theft.
Q: Can it still infect systems today?
Only unpatched legacy systems. Modern Windows versions and patched systems are not vulnerable.
11. Conclusion
Sasser was a turning point in malware history. It showed that a single worm exploiting a known flaw could take down global infrastructure—without phishing, email, or file downloads. It reinforced the importance of timely patching, network hygiene, and layered defense. While outdated today, its legacy still influences how we respond to automated threats.