Sasser Virus Detection

Critical Nessus Plugin ID 12219

Synopsis

The remote host is infected by a virus.

Description

The Sasser worm is infecting this host. Specifically, a backdoored command server may be listening on port 9995 or 9996, and an FTP server (used to load malicious code) is listening on port 5554 or 1023. There is every indication that the host is currently scanning and infecting other systems.

Solution

Use an antivirus to clean the host.

See Also

http://www.nessus.org/u?3245f88a

https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2004/ms04-011

Plugin Details

Severity: Critical

ID: 12219

File Name: sasser_virus.nasl

Version: 1.17

Type: remote

Family: Backdoors

Published: 2004/05/01

Updated: 2018/11/15

Risk Information

Risk Factor: Critical

CVSS v2.0

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C