Sasser Virus Detection

Critical Nessus Plugin ID 12219


The remote host is infected by a virus.


The Sasser worm is infecting this host. Specifically, a backdoored command server may be listening on port 9995 or 9996, and an FTP server (used to load malicious code) is listening on port 5554 or 1023. There is every indication that the host is currently scanning and infecting other systems.


Use an antivirus to clean the host.

Plugin Details

Severity: Critical

ID: 12219

File Name: sasser_virus.nasl

Version: 1.17

Type: remote

Family: Backdoors

Published: 2004/05/01

Updated: 2018/11/15

Risk Information

Risk Factor: Critical

CVSS v2.0

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C