The Sasser Worm

Four years after LoveLetter, there’s a new worm out, and it looks bad.

Panda Software says Sasser “has positioned itself as one of the quickest-spreading and virulent ones”. Already two variants of the worm are out, according to F-Secure.

Panda says the worm uses a trick that “means practically all Microsoft systems will be affected, making millions of computers exposed to infection by this worm virus”. This is because the worm, or its variants, it’s not quite clear to me which, uses the same port (TCP 445) that Windows uses to share folders and printers over a network, so any machine that exposes that port to the Internet is a target. Corporate firewalls normally block it at the perimeter, which is why Panda’s warning is about the machines that sit outside that perimeter: “large companies which have remote users that go on line via virtual networks or which work with laptops without corporate firewall protection may go online on Monday and find themselves affected by the virus even though they have the patch installed and the antivirus upgraded”.

Sasser makes use of a vulnerability that is about 26 days old. It can spread and execute without the user doing anything. Panda sees the worm moving faster than Blaster: Blaster affected 2.5% of computers in the first few hours of its attack, while Sasser.B is nearing 3% in just 24 hours.

An infected computer reboots every time the user tries to go online; the worm also changes the registry and drops a file, avserve.exe, in the Windows folder, and in some cases Windows pops up a dialog box warning of problems with LSA Shell or errors in lsass.exe (that is the Local Security Authority process the worm crashes, which is what triggers the reboots). It doesn’t seem to actually do any damage to computers, or to prep itself to download something worse. But who knows?

Solution? Install Microsoft updates as soon as possible and upgrade your antivirus protection. If you think you’re infected, use the Microsoft scanning tool to check. Then again, as F-Secure points out helpfully, if you are infected, you might not make it to that page before your machine is rebooted again. If you are infected, use F-Secure’s Free F-Sasser Tool to clean the worm from your machine. You also need to install the Windows patches to prevent you from getting reinfected.
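If you would rather check a machine for the symptoms above than wait for the reboot loop, the script below is an added example (it is not from the post, Panda, F-Secure or Microsoft). It looks for the three indicators the post names: avserve.exe dropped in the Windows folder, an autostart entry in the registry that launches it, and LSA Shell / lsass.exe errors. Two details are assumptions rather than facts from the post: that the registry change is an entry under the HKLM `...\CurrentVersion\Run` key, and that the Sasser.B variant drops a file named avserve2.exe. The indicator logic is written as pure functions over data, so it runs and is testable anywhere on the constructed sample below; only `collect_live()` touches a real Windows machine.

```python
"""Added example (not from the original post): check a Windows host for the
Sasser indicators the post lists -- avserve.exe dropped in the Windows folder,
an autostart registry entry, and LSA Shell / lsass.exe errors.

Assumptions, not facts from the post: the autostart entry lives under the
HKLM ...\\CurrentVersion\\Run key, and Sasser.B drops avserve2.exe.
"""
import os
import sys

# File names the worm drops in the Windows folder.  avserve.exe is from the
# post; avserve2.exe (the Sasser.B variant's name) is an assumption.
DROPPED_FILES = ("avserve.exe", "avserve2.exe")
# Autostart location assumed for the "changes the registry" symptom.
RUN_KEY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Run"


def dropped_files(windows_dir_listing):
    """Return the dropped-file names present in a Windows-folder listing."""
    return sorted(f for f in windows_dir_listing if f.lower() in DROPPED_FILES)


def autostart_entries(run_values):
    """Return Run-key values (name -> command) that launch a dropped file."""
    return {
        name: cmd
        for name, cmd in run_values.items()
        if any(d in cmd.lower() for d in DROPPED_FILES)
    }


def lsass_events(event_messages):
    """Return event messages mentioning LSA Shell or lsass.exe.  On its own this
    is a weak indicator: the LSASS crash is what an attacked host shows, whether
    or not the worm managed to install itself."""
    return [m for m in event_messages
            if "lsass.exe" in m.lower() or "lsa shell" in m.lower()]


def assess(windows_dir_listing, run_values, event_messages):
    """Combine the indicators into one verdict.  Infection is called only on
    the file or autostart evidence; lsass errors alone mean 'attacked or
    unstable', which is why that case is reported separately."""
    files = dropped_files(windows_dir_listing)
    runs = autostart_entries(run_values)
    events = lsass_events(event_messages)
    return {
        "dropped_files": files,
        "autostart": runs,
        "lsass_events": events,
        "likely_infected": bool(files or runs),
        "attacked_or_unstable": bool(events) and not (files or runs),
    }


def collect_live():
    """Gather the three inputs from the local machine.  Windows only."""
    if sys.platform != "win32":
        raise RuntimeError("live collection needs Windows; use assess() on saved data")
    import winreg  # standard library, present on Windows builds only
    windir = os.environ.get("SystemRoot", r"C:\Windows")
    listing = os.listdir(windir)
    run_values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY_PATH) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break  # no more values under the key
            run_values[name] = str(data)
            i += 1
    # Event-log collection is left to the operator (e.g. export the System log
    # as text); an empty list simply disables that indicator.
    return listing, run_values, []


# Constructed sample data (not captured from a real machine) for an offline run.
SAMPLE_INFECTED = (
    ["explorer.exe", "notepad.exe", "avserve.exe"],
    {"avserve.exe": r"C:\WINDOWS\avserve.exe",
     "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"},
    ["LSA Shell (Export Version) has encountered a problem and needs to close."],
)
SAMPLE_CLEAN = (
    ["explorer.exe", "notepad.exe"],
    {"ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"},
    [],
)

if __name__ == "__main__":
    data = collect_live() if sys.platform == "win32" else SAMPLE_INFECTED
    for k, v in assess(*data).items():
        print(f"{k}: {v}")
```

Run it on the infected machine itself and you may not get far before the next reboot, which is exactly F-Secure’s point; collecting the Windows folder listing and the Run key from the drive offline (or from a machine booted without the network cable) and feeding them to `assess()` sidesteps that.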

Not everyone is worried about it: F-Secure believe many larger companies have already installed the updates necessary to be protected, and says the situation is still “relatively calm”. That said, eWeek has pointed out that an early version of the Microsoft patch for this vulnerability itself caused some Windows 2000 systems to lock up. Oh, and the Microsoft website about Sasser misspells ‘Bulletin’ making me wonder for a second whether it wasn’t itself a phishing site. Tsk, tsk.

News: Wanted, Dead Or Alive: Virus Writers

Microsoft is a mite upset, and is offering a $500,000 reward for information on the virus writers responsible for the Blaster and Sobig worms. (In August, if you recall, the Blaster-A worm infected many unprotected home and business computers, attempted to launch a denial of service attack against a critical Microsoft security update website, and, most importantly, mocked Microsoft chairman Bill Gates. The worm exploited a critical security hole in versions of Microsoft Windows. Just days later the Sobig-F worm, which spread on the Windows platform, bombarded email users around the world, clogging up email servers.)

Sophos, the anti-virus people, had this to say: “It’s no surprise to hear that they are fed up with this situation and prepared to offer a reward for the capture of these virus writers,” said Graham Cluley, senior technology consultant for Sophos. “There must be people out there in the computer underground who know who is responsible for the creation of these malicious worms. Offering a total of $500,000 will be a great temptation for someone to break their silence – and do all legitimate users of the Internet a favour.”

Update: Another Blaster Suspect Arrested

Another Blaster suspect has been arrested. Prosecutors refused to release any information about the suspect, not even the youth’s gender or home state, AP reported. The variant the juvenile allegedly created is known as “RPCSDBOT.”

No one yet knows who created the main version. Collectively, the different versions of the worm, alternately called “LovSan” or “Blaster,” hit more than a million computers. It’s interesting that both detainees appear to be Americans, but that doesn’t mean the author of the original was, nor that their motives were the same.


News: Two Young Fellas Nabbed For The TK Worm

Two young Brits have been charged in connection with the TK Worm (also known as Troj/TKBot-A), which appeared last year and caused an estimated £5.5 million worth of damage. Jordan Bradley, 20, of Bates Avenue, Darlington, and Andrew Harvey, 22, of Scardale Way, Durham, are believed by the National High Tech Crime Unit (NHTCU) to be members of a hacking group known as the “Thr34t-Krew”, which launched the Trojan horse designed to break into internet-connected computers.

It’s something of a roll for law enforcement folks. Recently, two other young men were named in connection with variants of the Blaster internet worm. Jeffrey Lee Parson was arrested by the FBI in late August, and a Romanian man is believed to be assisting police with their enquiries. Meanwhile Simon Vallor, who served nine months in prison for creating three viruses, was released yesterday.

Update: Blaster Kid

The high school senior Jeffrey Lee Parson, arrested Friday for allegedly launching a worldwide computer worm, is a loner who drives too fast, AP quotes neighbours as saying. Court papers said FBI and Secret Service agents searched Parson’s Hopkins home on Aug. 19 and seized seven computers, which are still being analyzed.

In an interview with FBI Special Agent Eric Smithmier, Parson admitted modifying the original “Blaster” infection and creating a version known by a variety of different names, including “Blaster.B,” court papers said.