New Automatic Internet Worm Spreading at Increasing Pace
Posted on 03.05.2004
F-Secure Corporation has been following the spread of the Sasser worm over the weekend of May 1st. This new worm spreads to Windows PCs automatically, even if nobody is using the PC at the time. After a machine gets infected, the worm will start to spread to other computers. As a side effect, users might see error messages and experience the computer rebooting repeatedly.

The number of affected PCs is already estimated to be in hundreds of thousands and it will continue to rise as the working week starts. "This case resembles the Blaster incident from August 2003 a lot", says Mikko Hypponen, director of antivirus research at F-Secure. "Both were automatic worms using a relatively new hole in Windows and causing frequent reboots." Together with Slammer and Sobig.F, Blaster was one of the largest virus incidents of 2003 and even caused problems to infrastructure systems such as ATM networks and train and air travel systems. "I hope administrators have improved security since then. Otherwise we might see similar problems again", says Hypponen.

Two slightly different versions of the Sasser worm were discovered on May 1st. These worms spread through the LSASS vulnerability, which was discovered in mid-April. The Microsoft patch to close the hole had been available for download for 18 days before Sasser was found. The worm is targetting Windows 2000 and XP machines - the two most common operating systems. However, the network traffic generated by the worm might slow down other systems as well, including non-Windows systems.

Corporate networks should be protected against Sasser and its variants by the corporate firewalls, separating internal networks from public networks. "We're mostly worried about Monday morning, when hordes of laptop users return to their workplaces with their machines, possibly carrying the virus behind the firewall", comments Hypponen.

For home users, the advice is simple: if you're running Windows 2000 or XP and have not updated your Windows during the last two weeks, do NOT go online without a firewall.

If your computer is already infected, you need to patch the LSASS hole first, then remove the worm - otherwise the worm could reinfect you right away. F-Secure's and Microsoft's websites have detailed instructions on how to do this.

F-Secure's Viruslab is monitoring the situation in their weblog:
http://www.f-secure.com/weblog/
Technical description of the virus:
http://www.f-secure.com/v-descs/sasser.shtml
F-Secure has released a free tool to remove the Sasser.A and Sasser.B worms. The tool is available for download from the above link.

Microsoft has more information on the incident at:
http://www.microsoft.com/security/incident/sasser.asp





Spotlight

The security threat of unsanctioned file sharing

Posted on 31 October 2014.  |  Organisational leadership is failing to respond to the escalating risk of ungoverned file sharing practices among their employees, and employees routinely breach IT policies.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Fri, Oct 31st
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //