admin
05-02-04, 06:23 PM
Sasser Worm
A new Internet worm is spreading worldwide and has probably already infected millions of computers, a Finnish anti-virus expert said
The Sasser worm can infect any computer that is switched on and connected to an Internet service provider, and unliked most other worms or viruses is not spread by email, said Mikko Hyppoenen, head of anti-virus research at the Finnish Internet security firm F-Secure.
"This is one of few worms that spreads automatically. It is enough for your PC to be on," he told AFP in a telephone interview from Helsinki.
The worm typically shuts down the computer then automatically re-boots it, repeating the procedure several times. Hyppoenen said computers behind a firewall should be spared from the attack.
He stressed that the worm, while inconvenient, was otherwise harmless and other experts said it was relatively simple to destroy.
"This worm does not have any criminal intentions, unlike the Bagle and Sobig viruses we saw earlier (this year) which took control of computers by opening back doors to send spam. Sasser doesn't do anything," he said.
"The Blaster virus in August 2003 infected millions of computers... this time there could possibly be more computers infected," Hyppoenen added, however.
Hyppoenen said experts did not yet know who was behind the attack but suspected that it was teenage hackers out to have some fun.
"It was probably some hobbyist, a teenager who has the skills and wants to show off," he said.
Sasser was first observed at 0001 GMT Saturday, and was infecting computers that had not installed the latest Microsoft software update in the past 18 days.
Installing the patch fixes the problem, but many users may find that difficult because their computer keeps on shutting down, Hyppoenen said.
He expected the number of computers affected by the worm to increase dramatically on Monday, when employees who had worked on laptop computers at home over the weekend returned to work and hooked them up to the office network.
The antivirus company Symantec said on its website that Sasser spreads by scanning Internet computers for "vulnerable systems" -- computers that were permanently connected to their Internet service provider.
It was first spotted on Friday, and Windows 2000 (news - web sites), Windows Server 2003 and Windows XP (news - web sites) were the exposed operating systems. Other Windows systems, Linux (news - web sites) and Macintosh (news - web sites), among others, were not affected.
Symantec described Sasser's geographical distribution late Saturday as "low" and classified the threat containment and removal as "easy."
Details of how to eliminate the bug are on (http://securityresponse.symantec.com).
"The Sasser worm spreads in a similar way to last year's serious Blaster outbreak, in so much as it travels via the Internet exploiting security holes in Microsoft's software and does not use email," said Graham Cluley, senior technology consultant for the US anti-virus company Sophos.
"At the moment it's not travelling as fast as Blaster did, but computers which are not properly protected with anti-virus updates, firewalls and Microsoft's security patch are asking for trouble."
Microsoft first reported the vulnerability on April 13.
The Russian anti-virus firm Kaspersky Labs described danger level for computer users from the worm as "medium" on its website.
Since laptops are not protected by company firewall systems if used on another server than the company's, they would run the risk of being infected, and in turn infect the company's network when used Monday in the office.
Sasser is the third wave of major Internet viruses to be launched this year, after Mydoom.A, which spread in January, and Bagle.B, in February.
A new Internet worm is spreading worldwide and has probably already infected millions of computers, a Finnish anti-virus expert said
The Sasser worm can infect any computer that is switched on and connected to an Internet service provider, and unliked most other worms or viruses is not spread by email, said Mikko Hyppoenen, head of anti-virus research at the Finnish Internet security firm F-Secure.
"This is one of few worms that spreads automatically. It is enough for your PC to be on," he told AFP in a telephone interview from Helsinki.
The worm typically shuts down the computer then automatically re-boots it, repeating the procedure several times. Hyppoenen said computers behind a firewall should be spared from the attack.
He stressed that the worm, while inconvenient, was otherwise harmless and other experts said it was relatively simple to destroy.
"This worm does not have any criminal intentions, unlike the Bagle and Sobig viruses we saw earlier (this year) which took control of computers by opening back doors to send spam. Sasser doesn't do anything," he said.
"The Blaster virus in August 2003 infected millions of computers... this time there could possibly be more computers infected," Hyppoenen added, however.
Hyppoenen said experts did not yet know who was behind the attack but suspected that it was teenage hackers out to have some fun.
"It was probably some hobbyist, a teenager who has the skills and wants to show off," he said.
Sasser was first observed at 0001 GMT Saturday, and was infecting computers that had not installed the latest Microsoft software update in the past 18 days.
Installing the patch fixes the problem, but many users may find that difficult because their computer keeps on shutting down, Hyppoenen said.
He expected the number of computers affected by the worm to increase dramatically on Monday, when employees who had worked on laptop computers at home over the weekend returned to work and hooked them up to the office network.
The antivirus company Symantec said on its website that Sasser spreads by scanning Internet computers for "vulnerable systems" -- computers that were permanently connected to their Internet service provider.
It was first spotted on Friday, and Windows 2000 (news - web sites), Windows Server 2003 and Windows XP (news - web sites) were the exposed operating systems. Other Windows systems, Linux (news - web sites) and Macintosh (news - web sites), among others, were not affected.
Symantec described Sasser's geographical distribution late Saturday as "low" and classified the threat containment and removal as "easy."
Details of how to eliminate the bug are on (http://securityresponse.symantec.com).
"The Sasser worm spreads in a similar way to last year's serious Blaster outbreak, in so much as it travels via the Internet exploiting security holes in Microsoft's software and does not use email," said Graham Cluley, senior technology consultant for the US anti-virus company Sophos.
"At the moment it's not travelling as fast as Blaster did, but computers which are not properly protected with anti-virus updates, firewalls and Microsoft's security patch are asking for trouble."
Microsoft first reported the vulnerability on April 13.
The Russian anti-virus firm Kaspersky Labs described danger level for computer users from the worm as "medium" on its website.
Since laptops are not protected by company firewall systems if used on another server than the company's, they would run the risk of being infected, and in turn infect the company's network when used Monday in the office.
Sasser is the third wave of major Internet viruses to be launched this year, after Mydoom.A, which spread in January, and Bagle.B, in February.