We now detect this worm with our latest updates (2004-05-01_01).
The vulnerability used by Sasser is a buffer overrun in the Windows Local Security Authority Subsystem Service (LSASS), and it affects all machines that are:
- Running Windows XP or Windows 2000
- Not patched against this vulnerability
- Connected to the internet without a firewall
The worm scans random IP addresses, targeting TCP port 445.
After infecting a machine, it opens a shell that listens on TCP port 9996.
It then downloads the actual worm code over an FTP connection on TCP port 5554.
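The three ports above are enough to build a simple detection pass over connection logs. The following Python is an added example (not part of the original advisory or any vendor product); it assumes a constructed log format of the form "<timestamp> <src> -> <dst>:<port> <proto>" and an arbitrary fan-out threshold of five distinct port-445 destinations.

```python
import re
from collections import defaultdict

# Constructed log format: "<timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto>"
LOG_RE = re.compile(r"^(\S+) (\d+(?:\.\d+){3}) -> (\d+(?:\.\d+){3}):(\d+) (\w+)$")

SCAN_PORT = 445        # port Sasser probes on random addresses
WORM_PORTS = {9996: "shell listener", 5554: "FTP worm download"}
FANOUT_THRESHOLD = 5   # assumed: distinct /445 destinations before a host counts as scanning

def analyse(lines):
    """Return {ip: {"scan_targets": int, "worm_ports": [int, ...]}} for hosts that
    show 445 fan-out or any traffic on the Sasser shell/download ports."""
    fanout = defaultdict(set)       # src -> distinct dsts probed on 445
    worm_ports = defaultdict(set)   # ip  -> worm ports seen on either end
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                 # unparseable line: skip, do not crash
        _ts, src, dst, dport, proto = m.groups()
        dport = int(dport)
        if proto != "TCP":
            continue
        if dport == SCAN_PORT:
            fanout[src].add(dst)
        elif dport in WORM_PORTS:
            # 9996 points at the victim's shell, 5554 at the infector's FTP server,
            # so both endpoints of such a connection are of interest
            worm_ports[src].add(dport)
            worm_ports[dst].add(dport)
    report = {}
    for ip in set(fanout) | set(worm_ports):
        n = len(fanout.get(ip, ()))
        ports = sorted(worm_ports.get(ip, ()))
        if n >= FANOUT_THRESHOLD or ports:
            report[ip] = {"scan_targets": n, "worm_ports": ports}
    return report

# Constructed sample: 10.0.0.7 probes six hosts on 445, then reaches one victim's
# shell on 9996, which pulls the worm from 10.0.0.7:5554; 10.0.0.9 is benign SMB.
SAMPLE_LOG = [
    "2004-05-01T10:00:%02d 10.0.0.7 -> 192.0.2.%d:445 TCP" % (i, i) for i in range(1, 7)
] + [
    "2004-05-01T10:00:08 10.0.0.7 -> 192.0.2.3:9996 TCP",
    "2004-05-01T10:00:09 192.0.2.3 -> 10.0.0.7:5554 TCP",
    "2004-05-01T10:00:10 10.0.0.9 -> 10.0.0.20:445 TCP",
    "2004-05-01T10:00:11 10.0.0.9 -> 10.0.0.20:80 TCP",
]

if __name__ == "__main__":
    for ip, evidence in sorted(analyse(SAMPLE_LOG).items()):
        print(ip, evidence)
```

A single legitimate SMB connection on port 445 is not reported; only fan-out across many hosts, or any traffic on 9996/5554, is surfaced.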