Sasser Virus Detection

high Nessus Plugin ID 12219

Language:

Synopsis

The remote host is infected by a virus.

Description

The Sasser worm is infecting this host. Specifically, a backdoored command server may be listening on port 9995 or 9996 and an ftp server (used to load malicious code) is listening on port 5554 or 1023. There is every indication that the host is currently scanning and infecting other systems.

Solution

Use an antivirus to clean the host.

See Also

http://www.nessus.org/u?3245f88a

http://www.nessus.org/u?3863b7ef

Plugin Details

Severity: High

ID: 12219

File Name: sasser_virus.nasl

Version: 1.18

Type: remote

Family: Backdoors

Published: 5/1/2004

Updated: 10/21/2022

Supported Sensors: Nessus

Risk Information

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2003-0533

CVSS v3

Risk Factor: High

Base Score: 7.3

Temporal Score: 7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C