WORM: Sasser A/B/C/D/F FTP Download (5554)
This signature detects successful connection attempts to a Sasser.A, B, C, D, or F FTP server running on port 5554. Sasser uses this FTP server to propagate its infection by downloading the worm binary to the FTP client. If you see this signature detected, it almost certainly means that the client has just been infected with Sasser and that the server is infected and is actively spreading this worm.
Extended Description
Microsoft Windows LSASS (Local Security Authority Subsystem Service) is prone to a remotely exploitable buffer overrun vulnerability. The specific vulnerable system component is LSASRV.DLL. Successful exploitation of this issue could allow a remote attacker to execute malicious code on a vulnerable system, resulting in full system compromise. This issue could be exploited by an anonymous user on Microsoft Windows 2000 and XP operating systems. The issue may reportedly only be exploited by local, authenticated users on Microsoft Windows Server 2003 and Microsoft Windows XP 64-Bit Edition 2003. Microsoft has stated that a local administrator could exploit the issue on these platforms, though this does not appear to pose any additional security risk as the administrator will likely already have complete control over the system.
Affected Products
Avaya s8100_media_servers,Microsoft windows_xp_64-bit_edition_version_2003
References
BugTraq: 10108
CVE: CVE-2003-0533
URL: http://secunia.com/virus_information/9142/sasser/ http://www.lurhq.com/sasser.html
Short Name
WORM:SASSER:A-D-F-FTP-DL-5554
Severity
Major
Recommended
False
Recommended Action
Drop
Category
WORM
Keywords
(5554) A/B/C/D/F CVE-2003-0533 Download FTP Sasser bid:10108
Release Date
05/01/2004
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Sigpack Version
3336
Port
TCP/5554
False Positive
Unknown
Vendors
Microsoft
Avaya
CVSS Score
7.5