Worm 'Sasser' quickly spreading
Chicago (IL) - Sasser, a new Internet worm discovered on May 1, has already infected more than one million PCs worldwide over the weekend. According to experts, the spread of Sasser might accelerate significantly when business resumes on Monday morning. Free virus removal tools are available from several anti-virus software companies.
All major anti-virus software companies, including Kaspersky, McAfee, Panda Software, Symantec and Trend Micro, warned of the virus on Saturday and Sunday. Its worldwide spread was first recorded on Saturday. According to Panda, Sasser had infected more than 3 percent of all PCs connected to the Internet - estimated to be more than 10 million computers - within 24 hours of its first detection. Panda compared the distribution speed of Sasser to that of the LoveLetter virus, which first appeared on the Internet four years ago.
Sasser has the potential to set new records for spreading speed, surpassing other worms such as Blaster. The new virus exploits a security hole in Microsoft Windows described in bulletin MS04-011, which was published on April 13 and updated on April 28. Compared to Blaster, which needed 26 days to exploit a specific security hole in Windows, Sasser was spreading within 3 days.
According to anti-virus software firms, Sasser does not travel by email, but rather by scanning IP ranges and ports 445, 5554 and 9996 of computers connected to the Internet. No information about the payload was available on Sunday. Symantec rated the risk of Sasser as "low", but noted that the worm causes system slowdowns.
The security hole in Windows allows remote code execution. Symantec said that Sasser attempts to create a mutex called Jobaka3 and exits if the attempt fails. This ensures that no more than one instance of the worm can run on the computer at any time. The worm also copies itself as %Windir%\avserve2.exe and adds the value "avserve2.exe"="%Windir%\avserve2.exe" to the Registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", so that it is activated whenever Windows starts. It then uses the AbortSystemShutdown API to hinder attempts to shut down or restart the computer, starts an FTP server on TCP port 5554 to spread itself to other hosts, and attempts to connect to randomly generated IP addresses on TCP port 445.
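The network behaviour described above can be looked for in connection logs. The following is an added example, not code from the article or from any vendor tool; the log line format, the fan-out threshold and all sample addresses are constructed assumptions.

```python
from collections import defaultdict

SCAN_PORT = 445            # article: worm probes random IPs on TCP 445
WORM_PORTS = {5554, 9996}  # article: other ports tied to Sasser traffic
FANOUT_THRESHOLD = 5       # assumption: distinct 445 targets that count as scanning

# Constructed sample; assumed line format: "epoch src_ip dst_ip dst_port proto"
SAMPLE_LOG = """\
1083400001 10.0.0.7 10.0.0.2 445 tcp
1083400002 10.0.0.7 10.0.0.3 445 tcp
1083400003 10.0.0.23 192.0.2.14 445 tcp
1083400003 10.0.0.23 198.51.100.77 445 tcp
1083400004 10.0.0.23 203.0.113.5 445 tcp
1083400004 10.0.0.23 192.0.2.201 445 tcp
1083400005 10.0.0.23 198.51.100.9 445 tcp
1083400005 10.0.0.23 10.0.0.40 445 tcp
1083400006 10.0.0.23 10.0.0.40 9996 tcp
1083400007 10.0.0.40 10.0.0.23 5554 tcp
1083400008 10.0.0.7 10.0.0.53 53 udp
truncated-record 10.0.0.9
"""

def parse(line):
    """Return (src, dst, port) for a well-formed TCP record, else None."""
    parts = line.split()
    if len(parts) != 5 or parts[4].lower() != "tcp" or not parts[3].isdigit():
        return None
    return parts[1], parts[2], int(parts[3])

def triage(log_text, threshold=FANOUT_THRESHOLD):
    """Map each suspicious host to its 445 fan-out and the worm ports it was contacted on."""
    fanout = defaultdict(set)     # source -> distinct destinations on TCP 445
    contacted = defaultdict(set)  # destination -> worm ports it received traffic on
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue              # skip UDP, malformed and blank lines
        src, dst, port = rec
        if port == SCAN_PORT:
            fanout[src].add(dst)
        elif port in WORM_PORTS:
            contacted[dst].add(port)
    findings = {}
    for host in sorted(set(fanout) | set(contacted)):
        n, ports = len(fanout.get(host, ())), sorted(contacted.get(host, ()))
        if n >= threshold or ports:
            findings[host] = {"fanout_445": n, "worm_ports": ports}
    return findings
```

A host flagged here is a candidate for the host-side checks the article lists: the avserve2.exe file in %Windir% and the matching value under the Run key.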
Anti-virus companies recommend installing the patch provided in bulletin MS04-011 and updating existing anti-virus software. Several firms offer removal tools as a free download, including Symantec and