Sasser


Sasser is an Internet worm that probably caused billions of dollars of damage in 2004. It was created by a computer science student in Germany who was also behind Netsky. While there was no intentionally destructive payload, Sasser did cause many computers to slow down or crash, causing some high-profile damage.

It creates and executes a script file on the target named cmd.ftp, which causes the target computer to download Sasser from a worm-created FTP server on the infecting computer. The worm will be saved to the system folder. The downloaded file will have a file name of four or five random numbers, followed by _up.exe.

Upon execution, Sasser attempts to create a mutex named Jobaka3l, which it uses to check if there is a Sasser worm already running on the system. It stops further infection if it finds one. Sasser copies itself to the Windows folder as avserve.exe. It adds the value "avserve.exe = (Windows folder)\avserve.exe" to the registry key that will cause the worm to run when the system restarts. Attempts to shut down the computer may be hindered anyway, as the worm uses the AbortSystemShutdown API.
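The host artifacts described in the two paragraphs above can be turned into a simple triage check. The following is an added example, not part of the original post: the function name, the input shapes (file paths, startup entries, open mutex names collected by some other tool) and the sample data are assumptions made for illustration.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# "four or five random numbers, followed by _up.exe"
DOWNLOAD_RE = re.compile(r"\d{4,5}_up\.exe", re.IGNORECASE)
MUTEX_NAME = "Jobaka3l"  # Windows mutex names are case sensitive

def sasser_indicators(files, autoruns, mutexes):
    """Return sorted (indicator, evidence) pairs for the artifacts in the post.

    files    -- full Windows paths found on the host
    autoruns -- (value_name, value_data) startup entries
    mutexes  -- names of mutexes currently open on the host
    """
    hits = set()
    for path in files:
        name = basename(path).lower()
        if DOWNLOAD_RE.fullmatch(name):
            hits.add(("downloaded_copy", path))
        elif name == "avserve.exe":
            hits.add(("installed_copy", path))
        elif name == "cmd.ftp":
            hits.add(("ftp_script", path))
    for value_name, value_data in autoruns:
        if "avserve.exe" in (value_name.lower(), basename(value_data).lower()):
            hits.add(("autorun_value", f"{value_name} = {value_data}"))
    for mutex in mutexes:
        if mutex == MUTEX_NAME:
            hits.add(("mutex", mutex))
    return sorted(hits)

# Constructed sample inventory (not real telemetry).
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\notepad.exe",
    r"C:\WINDOWS\system32\12345_up.exe",
    r"C:\WINDOWS\system32\123456_up.exe",  # six digits: outside the pattern
    r"C:\WINDOWS\avserve.exe",
    r"C:\cmd.ftp",
]
SAMPLE_AUTORUNS = [("avserve.exe", r"C:\WINDOWS\avserve.exe")]
SAMPLE_MUTEXES = ["Jobaka3l", "SomeOtherMutex"]

if __name__ == "__main__":
    for kind, evidence in sasser_indicators(
            SAMPLE_FILES, SAMPLE_AUTORUNS, SAMPLE_MUTEXES):
        print(f"{kind:16} {evidence}")
```

File names are matched wherever they appear, so a hit on a name alone should be confirmed against the other indicators before a host is treated as infected.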

Security experts estimate that infected computers numbered in the millions. Tens of thousands of infected computers around the world repeatedly crashed and then rebooted.

The Sasser worm was created by a German student named Sven Jaschan, who was also behind the original Netsky worm. Jaschan was convicted and sentenced to a 21-month suspended sentence and 30 hours of community service.
