Sasser.A Sasser.B Sasser. C & D

[ViroDoc!]

This worm spreads by internet exploiting MS Windows LSASS service vulnerability described in MS Security Bulletin MS04-011.

I-Worm/Sasser.A
Installation:
When the worm is launched it copies itself as avserve.exe to Windows Directory and registers itself as avserve.exe in Run key in Windows Registry.

Spreading: internet
Worm searches IP addresses and when it finds a vulnerable computer it uses the exploit for downloading a copy of itself and its launching.

I-Worm/Sasser.B
Installation:
When the worm is launched it copies itself as avserve2.exe to Windows Directory and registers itself as avserve2.exe in Run key in Windows Registry.

Spreading: internet
Worm searches IP addresses and when it finds a vulnerable computer it uses the exploit for downloading a copy of itself and its launching.

I-Worm/Sasser.C
Installation:
When the worm is launched it copies itself as avserve2.exe to Windows Directory and registers itself as avserve2.exe in Run key in Windows Registry.

Spreading: internet
Worm searches IP addresses and when it finds a vulnerable computer it uses the exploit for downloading a copy of itself and its launching.

I-Worm/Sasser.D
Installation:
When the worm is launched it copies itself as skynetave.exe to Windows Directory and registers itself as skynetave.exe in Run key in Windows Registry.

Spreading: internet
Worm searches IP addresses and when it finds a vulnerable computer it uses the exploit for downloading a copy of itself and its launching.

I-Worm/Sasser.E
Installation:
When the worm is launched it copies itself as lsasss.exe to Windows Directory and registers itself as lsasss.exe in Run key in Windows Registry.

Spreading: internet
Worm searches IP addresses and when it finds a vulnerable computer it uses the exploit for downloading a copy of itself and its launching.

I-Worm/Sasser.F
Installation:
When the worm is launched it copies itself as napatch.exe to Windows Directory and registers itself as napatch.exe in Run key in Windows Registry.

Spreading: internet
Worm searches IP addresses and when it finds a vulnerable computer it uses the exploit for downloading a copy of itself and its launching.

Removing:
Download and install latest Windows Patch resolving LSASS vulnerability from these pages or from Windows Update pages. You have to choose your operating system and language of your Windows.

The detected files content I-Worm/Sasser has to be deleted or use this remover.

If it isn`t possible to delete these files in Normal mode, run Windows in Safe mode (restart your computer, press and hold the F8 key during the initial Windows and choose SAFE mode option) and do following:
- move your cursor on Start bar
- press Start button -> Run -> write "regedit" without quotes
- press button OK
- please open the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- in the right column look for:
avserve.exe = %WinDir%\avserve.exe
or
avserve2.exe = %WinDir%\avserve2.exe
or
skynetave.exe = %WinDir%\skynetave.exe
or
lsasss.exe = %WinDir%\lsasss.exe
or
napatch.exe = %WinDir% apatch.exe
%WinDir% is name of your system folder (eg. WinNT, Windows)
- click by right button on the particular values and choose Delete
- close registry editor
- it`s required to delete following files:
%WinDir%\avserve.exe
or
%WinDir%\avserve2.exe
or
%WinDir%\skynetave.exe
or
%WinDir%\lsasss.exe
or
%WinDir% apatch.exe
depends on the path which was written in the registry
- Now you can restart your computer to normal mode again.

Note:
Immediately as you connect to Internet and your system isn`t updated by the latest patch from Microsoft, the virus will be activated again!

source: http://free.grisoft.com/freeweb.php/lng/us/doc/Virus+Encyclopaedia/tpl/v5/idn/086fdab66b76a000