Sasser Worm Hits Microsoft Windows Os

[george]

Sasser worm hits three leading Microsoft operating systems - experts

WASHINGTON : A new Internet worm spreading worldwide hits computers with certain Microsoft operating systems and causes no apparent damage, but closes down the operating system and sends it into a re-boot loop, two US computer security firms said.

The Sasser worm "breaks into your computer and then attempts to break into others. It chooses its victims randomly," said Alfred Huger, Senior Director of Engineering at Symantec, based in Cupertino, California.

The virus affects computers operating Microsoft Windows 2000, Windows Server 2003 and Windows XP, but not Windows 95, Windows 98, Windows Me, or Windows NT, according to Symantec.

Nor are computers using the Macintosh, Linux or UNIX systems affected, said the company.

The worm can infect Internet-connected computers, and unlike most previous viruses it is not spread by email, said Graham Cluley, senior technology consultant for Sophos, another top US software security firm.

"The Sasser worm spreads in a similar way to last year's serious Blaster outbreak," he said, traveling the Internet "exploiting security holes in Microsoft's software."

The worm is currently "not travelling as fast as Blaster did," but computers which are "not properly protected with anti-virus updates, firewalls and Microsoft's security patch are asking for trouble."

Huger said the worm is particular to Microsoft software and "takes advantage of Microsoft vulnerability."

Microsoft, the Redmond, Washington-based software giant, has issued a "patch" that protects computers by "patching the hole" in the company's existing security net, and can be accessed through Microsoft's online update service.

"This worm is unlike previous ones in that it does not appear to be causing any damage to computers," said Huger. "It will slow your computer down, but there does not appear to be any direct damage to the hard drive."

Cluley said home users are especially vulnerable "because they are often not running the latest anti-virus protection, haven't downloaded the latest security patches from Microsoft, and may not be running a personal firewall," he said.

Symantec spokesman Mike Bradshaw said the Sasser worm was first discovered late Wednesday and through Saturday the company had fewer than 100 "suspicious file" reports from its customers, 21 of them from corporations.

"Right now we are not seeing it spread rapidly," he said. "These numbers are quite low. For a virus that is spreading rapidly we would expect to see about 100 reports per hour.

"But we anticipate that the numbers will grow exponentially when people start returning to work" on Monday, said Bradshaw.

Huger said the virus was started deliberately be an individual.

"Of that much we're sure," he said. "What we're not sure of is that individual's motives, because the virus is not doing any damage, and it's not installing a backdoor" which would give future access to other viruses.

"We'll just have to wait and see," he said.

- AFP

Protect your computer from Viruses and Worms!

[translator]

It's a lot less bother with linux

[francois]

PARIS (AFP) - 02/05/2004, 18H47 - Sasser was observed for the first time on Saturday at 02:00 am of Paris, infecting computers using certain versions of Windows and which had not installed the lastest patch published by Microsoft yet, which must be able to prevent the distribution of the virus, according to experts interrogated by AFP.

Sasser uses a fault in the Windows 2000, Windows operating systems Server on 2003 and Windows XP. Other Windows operating systems, or Linux and Macintosh, among others, were not touched.

Microsoft reported for the first time this vulnerability on April 13th and put on-line the patch (or corrective) suited. Details of the way of eliminating the virus are available on (http: // securityresponse.symantec.com).

But it is possible that, in certain cases, the patch contains itself a bug, as it is recognized at Microsoft, what entails difficulties to restart the computer. Microsoft warned the users of this possible failing via information supplied with the patch. " The patch was totally informed ", asserted on Sunday to AFP the engineering manager of Microsoft France, Bernard Ourghanlian.

" The installation of the patch resolves the problem, but numerous users can find the difficult operation, because during the installation of the patch the virus continues to produce its effects and the computer shutdown and reboot", admitted the responsible for the antivirus search for the Finnish company F-Secure, Mikko Hyppoenen.

The American editor of Symantec antivirus indicated on his Internet site that Sasser spread by seeking the vulnerable systems in computers connected permanently with their internet access providers, notably when they have an ADSL connection.

Symantec described on Saturday evening the geographic distribution of Sasser as "low" and qualified " as easy " the mastery and the elimination of this threat.

" The virus Sasser spreads in a similar way in the virus Blaster ", which, in summer, 2003 had provoked very important damages: " he travels by using the faults recently detected in several Microsoft software and does not use the e-mail ", explained Graham Cluley, technical responsible for the American company of antivirus Sophos.

" it does not move so fast as Blaster, but the computers which are not correctly protected with the last updates of antivirus, firewalls and the patch of Microsoft safety(security), are exposed ", according to him.

--AFP 2004-05-04

check your windows update stuff ...

update as usual

Protect your computer from Viruses and Worms!

francois

I would appreciate that soemone tells me that my post has been edited to add a link ...

not that I don't like the link, just would like to be informed!

Edited May 4, 2004 by francois

[george]

Sasser infections hit Amex, others

A number of U.S. universities also report being hit by the worm

Security experts continue to issue warnings about the Sasser Internet worm as organizations struggled to clean up the damage caused by infected hosts.

American Express Co. joined a number of U.S. universities in reporting infections from the Sasser worm yesterday, and the SANS Institute's Internet Storm Center (ISC) maintained a "yellow" warning level today despite earlier expectations that the Sasser outbreak would wind down yesterday.

Sasser exploits a recently disclosed hole in a component of Microsoft Corp.'s Windows operating system called the Local Security Authority Subsystem Service, or LSASS. Microsoft released a software patch, Security Bulletin MS04-011, on April 13.

The ISC said yesterday that it was maintaining its yellow alert, indicating a "significant new threat" on the Internet due to "the continuing spread of Sasser and other malicious code targeting the MS04-011 vulnerabilities."

Among other things, modifications in new Sasser variants Sasser.C and Sasser.D, which appeared yesterday (see story), prompted the ISC to maintain the yellow alert. ISC Chief Technology Officer Johannes Ullrich had said he expected Sasser to die down yesterday and thus allow a return to the "green" status by the end of the day.

New York-based Amex experienced Sasser infections on employee desktops beginning Sunday that disrupted the company's internal networks, but they didn't affect customer services, according to Judy Tenzer, an Amex spokeswoman.

Amex refused to reveal how many computers were affected or how the worm penetrated its network, but the company said the infections were limited to employee desktops and didn't affect its critical servers.

Reports also surfaced of unexplained computer problems at other companies.

Delta Air Lines Inc. experienced technical difficulties on Saturday that forced the cancellation of some flights (see story). The computer problems began at 2:50 p.m. local time and were fixed by 9:30 p.m. that same day, said Katie Connell, a Delta spokeswoman.

Connell wouldn't comment on the cause of the problems or which systems were affected, citing a continuing investigation. Atlanta-based Delta does use Microsoft products and the Windows operating system, she said.

In Boston, colleges and universities felt the effects of the worm, according to David Escalante, director of computer policy and security information technology at Boston College in Chestnut Hill, Mass.

Around 200 machines on BC's campus network were infected with Sasser, most of them laptop and desktop computers owned by students, he said.

BC blocked traffic on Port 445, which is used by the Sasser worm to spread, before the outbreak. IT staffers are analyzing the infections, which may have come from students who brought infected laptops back onto campus from home, Escalante said.

The college's staff is also struggling with complications caused by Sasser, which causes many Windows XP and Windows 2000 machines to crash repeatedly, preventing students from logging onto the desktop and installing the appropriate software patch.

Making matters worse, students are approaching final-exam period. The Sasser outbreak prompted a run on the student computer center Saturday, with panicked students worried about the welfare of term projects and other materials on Sasser-infected machines, he said.

Other schools also faced large-scale outbreaks, including one of more than 1,000 machines at Boston University, according to a source.

Among leading financial services companies, the impact of Sasser was generally light. Companies including Citibank and Lehman Brothers Holdings Inc. had about a dozen Sasser infections each, according to a source.

Microsoft's recent decision to move from weekly to monthly software patches has raised the stakes for companies that ignore the security bulletins and updates, said Firas Raouf, chief operating officer at Aliso Viejo, Calif.-based eEye Digital Security Inc., which discovered the LSASS vulnerability.

"Now you have a handful of vulnerabilities that are addressed by a single patch, so if you don't deploy a patch, you've opened four or five doors to your network," he said.

Large companies are often reluctant to press software patches into service out of fear they will break critical applications used by employees or customers. However, waiting too long to apply a software patch exposes companies to infection by a worm or virus that takes advantage of the software hole fixed by the patch, Raouf said.

The most important thing is for organizations to have a process to handle new vulnerabilities when they're revealed so that they can act quickly to scan for vulnerable machines, test patches, deploy patches or apply work-arounds as needed, he said.

--IDG 2004-05-04

Protect your computer from Viruses and Worms!

[george]

'Sasser' worm hits Asia

TAIPEI, Taiwan - The fast-spreading "Sasser" worm ravaged 1,600 computers in Taiwan's postal service and infected hundreds more in Hong Kong, but the virus-like global attack might have been temporarily delayed Tuesday in other parts of Asia as companies and homes left their computers switched off during long holidays.

Sasser - which also struck large U.S., German and British firms - infects computers by exploiting a flaw in Microsoft Corp.'s Windows operating system. Once inside, the worm scans the Internet for others to attack, causing some computers to continually crash and reboot.

So far, Taiwan has reported the most damage in Asia. The worm snarled the postal service's computer system Monday, forcing about 430 - or one-third - of the branch offices to shift to manual service.

The island's postal service - which also offers banking services - said the worm hit 1,600, or 12 percent, of its computers, disrupting postal account transfers, remittances and withdrawals. But automated teller machines worked normally, and there was no danger of private information being leaked in the attack, the company's Web site said.

By Tuesday, the state-run firm said that service has returned to normal.

Sasser spreads faster than most viruses because it does not require users to click on an e-mail attachment to activate it. But there have been no reports of Sasser causing any permanent damage to files or machines.

In Hong Kong, Sasser wormed its way into two government departments, said Amy Tam, spokeswoman of the Information Technology Services Department. Tam, who declined to identify the infected departments, said the virus has been contained.

Computer systems at some public hospitals in Hong Kong were also affected, but most have recovered, Hospital Authority Connie Lau said. Patients' records and other data were not affected, she added.

Roy Ko, head of the government-funded Hong Kong Computer Emergency Response Team Coordination Center, said his center received 389 reports of infection between Saturday and Tuesday morning.

Individual users were worse hit than companies, which constitute about a third of the infections reported, Ko said.

Several major computer-using nations - like Japan, Thailand and India - reported little or no damage as people celebrated national holidays and left their computers off.

Japan's National Police Agency posted a warning on its Web site, expressing concern that Sasser might spread after the "golden week" holiday, which began last Saturday and ends Wednesday.

The agency urged computer users to install antivirus software and take other precautions. Computer software companies, such as Symantec, Trend Micro and Network Associates, also issued a warning.

Thailand and India were also celebrating a national holiday - the Buddha's birth - so the extent of any attack was not clear.

"We have received reports from some of our customer companies that they have been hit by the Sasser worm. But we don't know the intensity and spread of the attack in the country," said Niraj Kaushik, country manager for Trend Micro India, a subsidiary of the Tokyo-based antivirus company Trend Micro.

In Singapore, Charles Cousins, managing director of Sophos Antivirus Asia, doubted that Sasser would hit corporations as hard as the Blaster virus did last August.

Both viruses infect computers by e-mail, and Cousins said last year's experience with Blaster has made companies more cautious.

He added, "Sasser will be very frustrating for home users but unless corporations are very, very lax, it will not have an effect on them."

--AP, Agencies 2004-05-04

[rickvan]

Just use a Mac

[andy50]

i thought it was only tbgirls who had worms!

[john b good]

i thought it was only tbgirls who had worms!

Well it's been said that tbgirls have more moves than a bucketful of worms but then thinking about it that isn't exclusive to bar girls either.

From all accounts it (the virus) is winding down so hopefully it won't present too much of a problem.

From all accounts too a certain computer "expert" who has been hogging the news lately was said to have been adept at dealing with virus's (in computer systems)

[astral]

The bucket full of worms is in power in Bangkok!!

[taxexile]

i had this sasser thing over the weekend and its a nuisance to say the least, computer shuts down sometimes every 5 minutes,sometimes every 20 minutes.

took me 7 hours to download a backlog of 13mb of critical updates from microsoft that i had been too lazy to bother with before.

i will keep up to date from now on.

all fixed now.

norton was useless against this thing.

[stumonster]

tax

do you use a personal fire wall ( has your norton got one included )

if it has, do you know how it is configured? or do you rely on the XP firewall?

your anti virus will not protect you against something until is has the update file in it with the correct signature.

[taxexile]

do you use a personal fire wall ( has your norton got one included )

if it has, do you know how it is configured? or do you rely on the XP firewall?

your anti virus will not protect you against something until is has the update file in it with the correct signature.

stu, i only know what the on/off switch is. i have asked questions about firewalls but still dont understand what one is,if xp has one then i must be relying on it. the norton programme sends me messages when i log on (your protection has been updated) but i still got that sasser thing.

sorry i cant be more specific.

the windows update seems to have sorted it out now.

[BlackJack]

I was an ###### in a University 3 years back and we had loads of problems as students were continually tweaking and bringing in the latest virus on their disc's

Thailand is very slack when it comes to securing the work horse server and PC and so IT people here can expect loads of support work in the near future

I have found that a program called Zone Alarm is pretty good as each time you access a program it asks if you authorised it - simply click on yes and remember and it builds a profile of the users settings for next login

it also alerts you to who is trying to hack in and whether it is dangerous or not - if you want to check out the hacker ID it will even show you a map of where the hacker is operating from and it does a whois lookup andtells you who the ID is registered to.

Coupled with this I use CA software for anti virus - a friend who is support for the largest IT outsourcing Co in Australia put me onto it - download free for 30 days

nearly everyday i get an update file (sometimes 2)

I have loaded these files onto several office networks here and rarely get any support calls once its set up

I have no financial interests in these programs and its not an ad for them - just giving some free advise

[BlackJack]

As you can see sasser is mutating NOW there is A B C D

Name Last Modified Aliases

Win32.Netsky.AC 03 May 2004 I-Worm.NetSky.ad (Kaspersky), W32/Netsky.ac@MM (McAfee)

Win32.Sasser.A 03 May 2004 Worm.Win32.Sasser.a (Kaspersky), WORM_SASSER.A (Trend), W32/Sasser.worm (McAfee), Win32/Sasser.Worm, W32/Sasser.A (F-Secure), W32.Sasser.Worm (Symantec)

Win32.Sasser.B 03 May 2004 W32.Sasser.B.Worm (Symantec), Worm.Win32.Sasser.a (Kaspersky), W32/Sasser.B (F-Secure) , Win32/Sasser.B.Worm, W32/Sasser.worm.b (McAfee)

Win32.Sasser.C 03 May 2004 Worm.Win32.Sasser.a (Kaspersky), W32/Sasser.C (F-Secure), W32/Sasser.worm.b (McAfee)

Win32.Sasser.D 03 May 2004 Worm.Win32.Sasser.c (Kaspersky), W32/Sasser.D (F-Secure), Win32/Sasser.D.Worm, W32/Sasser.worm.d (McAFee), W32.Sasser.D (Symantec), WORM_SASSER.D (Trend)

[stumonster]

tax

here is a link that will explain Xp ' s inbuilt firewall to you, though it is probably recommended that you install a third party one as soon as possible. just make sure you disable the xp one before/when you start another.. do not have two running at the same time

http://www.microsoft.com/security/protect/...xp/firewall.asp

the recommended free firewall is zone alarm, it can be gotten here

http://www.zonelabs.com/store/content/comp...reeDownload.jsp

maybe we need george to pin a topic in this section where links to firewalls and spyware erradicators can be posted.. and then direct all members to it so as they can secure their computers effectively...

[Pink Mist]

I've got the free version of zone alarm running and so far so it appears to do the job, does anyone else have the same experience?

[A. BOOZER]

Seems to be working for me, but it might be worth utilising the free trial of Zone Alarm Pro (available for two weeks evaluation) at this time.

[francois]

hi'

with windows, I tried a few firewalls, and the best remain ZoneAlarm.

so, when on the net with windows (happens), I use ZoneAlarm Pro version 4.5.594.000.

which appears to be the latest version, I have renewed the license, it gives you one year of free update.I had 2 updates already.

you can test you firewall here :

Gypson Research Security Site

click on Shields UP link ... and go on

your machine has to be "STEALTH" 100% ...

give it a try

francois

[drbones666]

It's a lot less bother with linux

Even less with Mac OS X

[Maejo Man]

From all accounts too a certain computer "expert" who has been hogging the news lately was said to have been adept at dealing with virus's (in computer systems)

That he was, and he always used Vet anti virus, which is one of the best and quickest around. For a firewall, I would choose "Norton personal firewall" Available from Pantip for a modest 130 baht, but well worth it. I will not let anyone into an uprotected port, even loxinfo, who I might add is continually "pinging" the PCs of their subsribers. Just another infringement of privacy.

It will also give you the offending IP address, so you can see who is trying to access your computer.