The Sasser Worm

By | May 3, 2004

Four years after LoveLetter, there’s a new worm out, and it looks bad.

Panda Software says Sasser “has positioned itself as one of the quickest-spreading and virulent ones”. Already two variants of the worm are out, according to F-Secure.

Panda says the worm uses a trick that “means practically all Microsoft systems will be affected, making millions of computers exposed to infection by this worm virus”. This is because the worm — or its variants, it’s not quite clear to me which — use the same computer port as Windows uses to share folders and printers over the Internet. So, “large companies which have remote users that go on line via virtual networks or which work with laptops without corporate firewall protection may go online on Monday and find themselves affected by the virus even though they have the patch installed and the antivirus upgraded”, Panda warns.

Sasser makes use of a vulnerability that is about 26 days old. It can spread and execute without the user doing anything. Panda sees the worm moving faster than Blaster: Blaster affected 2.5% of computers in the first few hours of its attack, while Sasser.B is nearing 3% in just 24 hours.

If infected, the computer will restart every time the user tries to go on line, change the registry and put a file, avserve.exe, in the Windows folder or, in some cases, put a warning in a Windows menu warning of problems with LSA Shell or errors in Isass.exe. It doesn’t seem to actually do any damage to computers, or to prep itself to download something worse. But who knows?

Solution? Install Microsoft updates as soon as possible and upgrade your antivirus protection. If you think you’re infected, use the Microsoft scanning tool to check. Then again, as F-Secure points out helpfully, if you are infected, you might not make it to that page before your machine is rebooted again. If you are infected, use F-Secure’s Free F-Sasser Tool to clean the worm from your machine. You also need to install the Windows patches to prevent you from getting reinfected.

Not everyone is worried about it: F-Secure believe many larger companies have already installed the updates necessary to be protected, and says the situation is still “relatively calm”. That said, eWeek has pointed out that an early version of the Microsoft patch for this vulnerability itself caused some Windows 2000 systems to lock up. Oh, and the Microsoft website about Sasser misspells ‘Bulletin’ making me wonder for a second whether it wasn’t itself a phishing site. Tsk, tsk.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.