The specific hole Sasser exploits is documented by Microsoft in its MS04-011 bulletin (CVE-2003-0533), for which a patch had been released seventeen days earlier.[2]
This worm was named Sasser because it spreads by exploiting a buffer overflow in the component known as LSASS (Local Security Authority Subsystem Service) on the affected operating systems.
According to a report by eEye Digital Security published on April 13, 2004, this buffer overflow relies on an apparently deprecated API call to Microsoft Active Directory, which both allows for unchecked remote queries and crashes LSASS.exe if given a long string.[3]
Once on a machine, the worm scans different ranges of IP addresses and connects to victims' computers primarily through TCP port 445.
The LSASS vulnerability was patched by Microsoft in the April 2004 installment of its monthly security packages, prior to the release of the worm.
Some technology specialists have speculated that the worm writer reverse-engineered the patch to discover the vulnerability, which would expose millions of computers whose operating systems had not been upgraded with the security update.
The British Coastguard had its electronic mapping service disabled for a few hours, and Goldman Sachs, Deutsche Post, and the European Commission also had issues with the worm.
On 8 May 2005, a 19-year-old German named Sven Jaschan from Rotenburg, Lower Saxony, then a student at a technical college, was arrested for writing the worm.
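The scanning behaviour described above (one host contacting many different addresses on TCP port 445) is visible in network flow logs. The following detection sketch is an added example, not part of the original text; the log line format, the addresses, the 60-second window and the threshold of 20 destinations are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def build_sample():
    """Constructed flow records: 'timestamp src_ip dst_ip dst_port proto'."""
    base = datetime(2004, 5, 1, 12, 0, 0)
    lines = []
    for i in range(30):
        ts = (base + timedelta(seconds=i)).isoformat()
        # Scanner-like host: a new destination on 445 every second.
        lines.append(f"{ts} 10.0.0.5 10.0.1.{i + 1} 445 tcp")
        # Ordinary file-share client: the same two servers over and over.
        lines.append(f"{ts} 10.0.0.9 10.0.2.{1 + i % 2} 445 tcp")
        # Web browsing: many destinations, but not on port 445.
        lines.append(f"{ts} 10.0.0.7 10.0.3.{i + 1} 80 tcp")
    for i in range(25):
        # Many destinations on 445, but spread over 50 minutes.
        ts = (base + timedelta(minutes=2 * i)).isoformat()
        lines.append(f"{ts} 10.0.0.11 10.0.4.{i + 1} 445 tcp")
    return sorted(lines)  # fixed-width ISO timestamps sort chronologically

def parse_flow(line):
    ts, src, dst, port, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), proto.lower()

def find_smb_scanners(lines, window=timedelta(seconds=60), threshold=20, port=445):
    """Return {src: (first_alert_time, distinct_dsts)} for sources that reach
    `threshold` distinct destinations on `port` within a sliding `window`.
    Input must be ordered by timestamp."""
    recent = defaultdict(deque)  # src -> (timestamp, dst) pairs inside the window
    flagged = {}
    for line in lines:
        ts, src, dst, dport, proto = parse_flow(line)
        if proto != "tcp" or dport != port:
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:  # evict records older than the window
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= threshold and src not in flagged:
            flagged[src] = (ts, distinct)
    return flagged

if __name__ == "__main__":
    for src, (when, count) in find_smb_scanners(build_sample()).items():
        print(f"{when.isoformat()} {src} reached {count} distinct hosts on TCP/445")
```

Counting distinct destinations rather than raw connections keeps a busy file-share client from triggering the alert, and the sliding window keeps slow, legitimate fan-out from accumulating into one.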