VideoHelp Forum
  1. Member teegee420
    Join Date
    Dec 2003
    Location
    Southern California
    Sasser worm spreading quickly
    Monday, May 3, 2004 Posted: 2:48 PM EDT (1848 GMT)


    (CNN) -- Computer security experts are dealing with at least four variants of a worm that is spreading quickly through Windows operating systems.

    Known as SasserA, SasserB, SasserC and SasserD, the worm is targeting Windows 2000, Windows XP and Windows 2000 and 2003 servers. Other Windows systems, including Windows 95, 98 and ME, could be indirectly affected.

    "It's pretty aggressive, and it's replicating very quickly," said Steven Sundermeier, a security expert at Central Command, a computer security company based in Medina, Ohio.

    In a new, cunning twist by virus writers, an e-mail in wide circulation that purportedly offers a "fix" for the Sasser worm actually infects the user's computer with a different virulent worm, known as Netsky-AC.

    "It really preys on paranoia about the Sasser worm," said Graham Cluley, senior technology consultant for the computer security firm Sophos.

    "The very worst thing you can do is fall for this trick by clicking on the attached file," he said.

    Cluley said there may be a connection between the creators of Sasser and Netsky. He says hidden in the code of Netsky-AC is a sarcastic message directed toward antivirus companies, claiming responsibility for both.

    The Sophos spokesman said the Taiwanese Post Office, the train system in Sydney, Australia, and several banks in Scandinavia have been infected by the Sasser worm.

    Spreading globally

    While a computer virus requires some sort of human intervention to be launched, such as opening an e-mail, a worm takes off on its own. Sasser spreads through a Windows vulnerability known as LSASS, or Local Security Authority Subsystem Service.

    Sasser scans random internet protocol addresses until it finds a vulnerable system. Then it copies itself into the Windows directory as an executable file, and is launched the next time the computer is booted.

    Microsoft issued a patch, or fix, for this vulnerability last week. But in large corporate computer systems, these patches can have an impact on other internal systems. That means there's often much more to do than simply install the patch to both stop the worm and make sure other computer systems are not compromised.

    Users could be affected without knowing it. One symptom is that the computer may restart every time the user tries to go online. As Sasser moves from machine to machine, it is also possible to remotely take over control of a user's computer. Sasser has been spreading globally since it was detected Friday.

    Safeguards

    While many businesses are being affected, Sasser has also hit home users, especially those with broadband connections.

    Cluley says a personal firewall should be installed by home broadband users. There are many available and some can be downloaded free from the Internet.

    He also suggests automating both patches from the Windows Web site and updates from antivirus companies. With hundreds of new worms and viruses created each month, these automated programs for PCs can be effective, Cluley said.

    Sundermeier said a recent trend by virus writers has been to release threats late on Fridays or on weekends, when computer network security teams are not fully staffed. He said the Netsky and Bagle worms also were launched on weekends.

    Both Sundermeier and technical experts at Panda Software, based in Bilbao, Spain, said it is labor intensive for technical teams to cleanse computers of the Sasser worm.

    Unlike some types of security updates and service packs issued by Microsoft that can be applied to an entire network, many companies must correct this problem unit by unit. There is some nervousness about installing systemwide patches, for fear that they might impair something else on the network.

    Sometimes the patches themselves are ineffective. In the past Microsoft has issued patches to fix patches, Cluley said.

    This thing infected my computer on Saturday. I discovered it because my startup monitor reported that "avserv2.exe" was attempting to register itself to be run on the next start-up. I started Task Manager (Ctrl+Alt+Del) and noticed a suspicious process running called "1234_up.exe". I downloaded the latest Norton virus definitions, updated on 4/30/04, and the scan didn't find this sucker yet.

    I spent the better part of the weekend trying to remove this thing. I went to the Windows folder and manually deleted avserv2.exe, 1234_up.exe in the system32 folder, as well as a similarly named entry in the Prefetch folder. Every time I went online thereafter the same things showed up again, only "1234_up.exe" was renamed to something like "2337_up.exe". This happened several times. The worm also caused my system to shut down and restart.

    Thankfully Norton updated their virus definitions today and the worm has been quarantined on my system. I also went to Windows Update and installed the latest security fixes. How I got the Sasser Worm in the first place is a little puzzling. According to a live CNN report I saw earlier you don't even have to open the infected e-mail for it to get on your PC.

    Anyhow, to make a long story short, I would advise that people update their virus definitions and run a scan as soon as possible. I hope reading about my little ordeal helps at least a few of you.
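The post above gives two concrete host-side indicators: a startup entry for "avserv2.exe" and a running process named like "1234_up.exe" that came back as "2337_up.exe" after each re-infection. Below is an added triage script (not code from this thread or from any vendor) that checks a startup-entry listing and a process listing against exactly those two observations. The sample listings, the `Finding` type and the `triage` function are constructed for the example; on a real machine you would feed in the output of your own startup monitor and process lister instead.

```python
"""Host-side triage for the Sasser indicators described in the post above.

Added example, not code from the thread or from any vendor. The indicators
are exactly what the poster observed: "avserv2.exe" registering itself to
run at the next start-up, and a running process named like "1234_up.exe"
that came back as "2337_up.exe" after each re-infection. Everything else
(the sample listings, the Finding type) is constructed for the example.
"""
import re
from dataclasses import dataclass

# Autorun image the poster's startup monitor caught (exact name, any case).
AUTORUN_IOC = re.compile(r"^avserv2\.exe$", re.IGNORECASE)
# Helper process: four or five digits then "_up.exe". The digits changed on
# every re-infection, so match the shape rather than one fixed name.
PROCESS_IOC = re.compile(r"^\d{4,5}_up\.exe$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str    # "autorun" or "process"
    name: str    # image name that matched
    detail: str  # where it was seen (registry value or pid)


def image_name(path: str) -> str:
    """Last path component, tolerant of surrounding quotes and either slash style."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1]


def triage(autoruns, processes):
    """Match autorun (value_name, image_path) pairs and process (pid, image_path)
    pairs against the indicators. Returns a list of Finding, empty when clean."""
    findings = []
    for value_name, image_path in autoruns:
        name = image_name(image_path)
        if AUTORUN_IOC.match(name):
            findings.append(Finding("autorun", name, f"{value_name} -> {image_path}"))
    for pid, image_path in processes:
        name = image_name(image_path)
        if PROCESS_IOC.match(name) or AUTORUN_IOC.match(name):
            findings.append(Finding("process", name, f"pid {pid}"))
    return findings


# Constructed sample data resembling what a startup monitor and Task Manager
# showed the poster; not captured from a real machine.
SAMPLE_AUTORUNS = [
    ("avserv2.exe", r"C:\WINDOWS\avserv2.exe"),
    ("SoundTray", r"C:\Program Files\Sound\SMTray.exe"),
]
SAMPLE_PROCESSES = [
    (612, r"C:\WINDOWS\system32\lsass.exe"),
    (1388, r"C:\WINDOWS\system32\2337_up.exe"),
    (1400, r"C:\WINDOWS\avserv2.exe"),
    (1520, r"C:\Program Files\Norton AntiVirus\navapsvc.exe"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_AUTORUNS, SAMPLE_PROCESSES):
        print(f"{f.kind:8} {f.name:14} {f.detail}")
```

A hit from `triage` is evidence, not a cleanup. As the poster found, deleting the files while the machine was still online and unpatched only produced a fresh copy under a new digits_up.exe name, so the order is: disconnect, apply the Microsoft fix the article mentions, then remove the files and the startup entry.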
  2. Yeah, it's a worm, not an email virus. Like Blaster and Welchia it auto-replicates and spreads through security holes in the Windows system and random IP addresses. Nowadays it's not just the noobs getting viruses. Just goes to show ya you should ALWAYS keep your Windows updates up to date, as the security hole fix for this one was released by Microsoft in an update a month ago.
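The article in the first post and the reply above both describe the network side of the worm: one host opening connections to many random IP addresses on the same port in a short time. The following added example (not code from this thread) shows how that behaviour stands out in flow records. It keeps, per source and destination port, a sliding window of recent flows and alerts when the number of distinct destinations inside the window crosses a threshold, so a normal client that talks to the same few servers over and over never trips it. The flow records are constructed with a seeded generator; "10.0.0.23" plays the infected host and "10.0.0.5" a normal client. The detector itself is port-agnostic; the sample uses 445 because Sasser's LSASS traffic went over TCP 445, which is a fact from outside this thread.

```python
"""Flow-level detection of the scanning behaviour described in the thread:
one host contacting many distinct, apparently random addresses on a single
port inside a short window.

Added example, not from the thread. Flow records are constructed with a
seeded generator. The detector is port-agnostic; 445 appears in the sample
only because Sasser's LSASS traffic used TCP 445 (fact from outside the thread).
"""
from collections import Counter, defaultdict, deque
import random


def detect_scanners(flows, window_s=60.0, min_targets=20):
    """flows: iterable of (ts_seconds, src, dst, dport).
    Returns {(src, dport): peak_distinct_destinations} for each (src, dport)
    that reached at least min_targets distinct destinations within window_s."""
    recent = defaultdict(deque)        # (src, dport) -> deque of (ts, dst)
    in_window = defaultdict(Counter)   # (src, dport) -> dst -> count in window
    alerts = {}
    for ts, src, dst, dport in sorted(flows, key=lambda f: f[0]):
        key = (src, dport)
        q, counts = recent[key], in_window[key]
        q.append((ts, dst))
        counts[dst] += 1
        # Expire flows older than the window so a slow, steady client never
        # accumulates enough distinct targets to cross the threshold.
        while q and ts - q[0][0] > window_s:
            _, old_dst = q.popleft()
            counts[old_dst] -= 1
            if counts[old_dst] == 0:
                del counts[old_dst]
        distinct = len(counts)
        if distinct >= min_targets:
            alerts[key] = max(alerts.get(key, 0), distinct)
    return alerts


def build_sample_flows(seed=1):
    """Constructed traffic: 60 outbound flows in 30 s from the 'infected' host
    to pseudo-random addresses, plus 50 flows from a normal client to the
    same three file servers. Deterministic for a given seed."""
    rng = random.Random(seed)
    flows = []
    for i in range(60):
        dst = ".".join(str(rng.randint(1, 254)) for _ in range(4))
        flows.append((i * 0.5, "10.0.0.23", dst, 445))
    servers = ["10.0.1.10", "10.0.1.11", "10.0.1.12"]
    for i in range(50):
        flows.append((i * 0.6, "10.0.0.5", servers[i % 3], 445))
    return flows


SAMPLE_FLOWS = build_sample_flows()

if __name__ == "__main__":
    for (src, dport), peak in detect_scanners(SAMPLE_FLOWS).items():
        print(f"{src} reached {peak} distinct hosts on port {dport} within 60 s")
```

The threshold and window are the knobs to tune against your own baseline: a backup server legitimately touches many hosts on one port, so whitelist known fan-out sources rather than raising the threshold until the worm hides under it.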
  3. Like backing up. It will take longer to clean up the mess than to just back up your stuff or put the required updates on your system. Kind of like the Fram oil filter ads: pay me now or pay me later.
  4. Member flaninacupboard
    Join Date
    Aug 2001
    Location
    Northants, England
    Or just running a firewall, sitting behind a hardware router/firewall, not using Outlook and not opening suspect email. By doing that I've avoided all of the big scares, and I've never used Windows Update.

  5. Banned
    Join Date
    Jan 2004
    Location
    Going in Circles
    and hech54 wondered why I got onto him about his refusal to use a firewall. :P
  6. That is true, usually a hardware router with proper NAT'ing will 99% of the time protect a home computer; however, the problem comes into play with laptops and ultra-portable computers. Say you have a laptop and spend a couple of nights in a hotel and unknowingly pick up one of these viruses, then plug the laptop into your home network or even the corporate network at your job. Well, there you go, instant virus spreading behind the firewall. Now this may not apply to everybody, but there are enough people out there with laptops and *cough* DMZ computers in a home network to be dangerous.
  7. Member flaninacupboard
    Join Date
    Aug 2001
    Location
    Northants, England
    well my laptop would also have a firewall and up to date virus killer, so should be alright...
  8. No Longer Mod tgpo
    Join Date
    Feb 2002
    Location
    The South Side
    Originally Posted by CloudBurst
    as the security hole fix for this one was released by Microsoft in an update a month ago
    I thought the worm came about because they found what Microsoft patched and found a way around it. At least I think that's what I read on slashdot.
  9. Member housepig
    Join Date
    Jan 2003
    Location
    the Plains of Leng
    Originally Posted by tgpo
    At least I think that's what I read on slashdot.
    keep away from that site, it'll rot your brain.
    - housepig
    ----------------
    Housepig Records
    out now:
    Various Artists "Six Doors"
    Unicorn "Playing With Light"
  10. No Longer Mod tgpo
    Join Date
    Feb 2002
    Location
    The South Side
    Originally Posted by housepig
    Originally Posted by tgpo
    At least I think that's what I read on slashdot.
    keep away from that site, it'll rot your brain.
    Only because they mod things such as

    Code:
    #include <stdio.h>

    int main(void)
    {
        printf("You should laugh at this\n");
        return 0;
    }
    They just eat up crap like that.
  11. ------------------------------------------------------
    Thankfully Norton updated their virus definitions today and the worm has been quarantined on my system. I also went to Windows Update and installed the latest security fixes. How I got the Sasser Worm in the first place is a little puzzling. According to a live CNN report I saw earlier you don't even have to open the infected e-mail for it to get on your PC.
    ------------------------------------------------------

    ^^ Bit slow off the mark, eh.
    The Windows update was posted on about the 12th-14th of April 2004.
    That fixed the security breach.
    Updated OS, firewall, Norton or equivalent, and it wouldn't be so much of a problem.
    And as for using IE or mail, just connecting to/enabling Blueyonder's net connection was enough for it to affect my mate's PC (which I've just spent 2 hours repairing to get rid of shit like this).
  12. Member teegee420
    Join Date
    Dec 2003
    Location
    Southern California
    Originally Posted by MeTaLgEaRsOoTy
    ------------------------------------------------------
    Thankfully Norton updated their virus definitions today and the worm has been quarantined on my system. I also went to Windows Update and installed the latest security fixes. How I got the Sasser Worm in the first place is a little puzzling. According to a live CNN report I saw earlier you don't even have to open the infected e-mail for it to get on your PC.
    ------------------------------------------------------

    ^^ Bit slow off the mark, eh.
    The Windows update was posted on about the 12th-14th of April 2004.
    That fixed the security breach.
    Updated OS, firewall, Norton or equivalent, and it wouldn't be so much of a problem.
    And as for using IE or mail, just connecting to/enabling Blueyonder's net connection was enough for it to affect my mate's PC (which I've just spent 2 hours repairing to get rid of shit like this).
    Yeah, maybe it was. I only update if I have to, not every time MS says I should.
  13. Member teegee420
    Join Date
    Dec 2003
    Location
    Southern California
    Here's a follow up story:
    Originally Posted by Yahoo Technology News
    Teen Confesses to Creating 'Sasser' Worm

    By CLAUS-PETER TIEMANN, Associated Press Writer

    HANOVER, Germany - A German high-school student has confessed to creating the "Sasser" worm that generated chaos across the globe by infecting hundreds of thousands of computers, authorities said Saturday.

    The teenager, whose name was not released, was arrested Friday in the northern village of Waffensen, where he lives with his family. In a search of the suspect's home, German investigators confiscated his customized computer, which contained the worm's source code.

    "As a result of the student's detailed testimony about the viruses he spread, he has been identified clearly as the author," the state criminal office in Hanover said in a statement. Spokesman Detlef Ehrike said he is being investigated on suspicion of computer sabotage, which carries a maximum sentence of five years in prison.

    After being questioned, the teenager was released pending charges.

    The worm raced around the world over the past week, exploiting a flaw in Microsoft's Windows operating system.

    Microsoft said informants contacted it on Wednesday, offering information about the worm's creator. The company's investigators worked with German authorities, the FBI and Secret Service agents, tracing the virus by analyzing its source code, said Brad Smith, Microsoft's top lawyer.

    The company would not say how many people came forward or identify them. But in Germany, Microsoft data protection official Sascha Hanke said the informants had backed up their tip by providing part of the worm's source code.

    "We can say with great certainty that these people got the source code from the author," he told reporters in Hanover. Hanke said he met in northern Germany on Thursday night with the informants, who told him who the author was.

    Unlike many infections, Sasser does not require users to activate it by clicking on an e-mail attachment. Once inside, the worm scans the Internet for others to attack, causing some computers to continually crash and reboot.

    The teenager told officials that his original intention was to create a virus called "Netsky A" that would combat the "Mydoom" and "Bagle" viruses, removing them from infected computers. In the course of that effort, he developed Sasser.

    "The student did not give any thought to the resulting consequences or damage," investigators' statement said.

    On Monday, the worm hit public hospitals in Hong Kong and one-third of Taiwan's post office branches. Twenty British Airways flights were each delayed about 10 minutes Tuesday due to Sasser troubles at check-in desks. British coast guard stations were forced to use pen and paper for charts normally generated by computer.

    Sasser is known as a network worm because it can automatically scan the Internet for computers with the security flaw and send a copy of itself there.

    The German government's information technology security agency said there were four versions of Sasser.

    "The first version was amateurish," spokesman Michael Dickopf said. However, the others "were clearly different in the damage they caused."

    Police said the German teenager was responsible for all the versions, in addition to variants of the Netsky virus.

    Microsoft investigators told the informants, who had asked whether they would be eligible for a reward, that they would consider paying $250,000 if the information led to the arrest and conviction of those responsible. Smith said the arrest was a sign that such rewards work.

    "We believe this is an important step forward in the industry's ability to fight malicious code on the Internet," he said.

    Meanwhile, prosecutors in Stuttgart said an unemployed 21-year-old man was arrested Friday in Loerrach, on Germany's border with Switzerland, and admitted to creating a worm that goes by the names "Agobot" and "Phatbot" along with other hackers.

    Prosecutors, who said they acted after receiving information from U.S. authorities, said there were no indications of any link between the man and the Sasser programmer.
  14. Member DVO
    Join Date
    Apr 2002
    Location
    Sweden
    I got some strange virus last summer and did a System Restore of my computer to the way it was before it was infected. Nice feature in XP.
  15. Member
    Join Date
    Aug 2002
    Location
    Pittsburgh, PA, USA
    Originally Posted by DVO
    I got some strange virus last summer and did a System Restore of my computer to the way it was before it was infected. Nice feature in XP.
    I got a strange virus last summer too !!

    Damn spring break girls.

    A quick trip to the doctor got my system restored to the way it was before I got infected.
  16. Member teegee420
    Join Date
    Dec 2003
    Location
    Southern California
    Penicillin rocks!
  17. Sorry to drag this back on topic but -

    Originally Posted by BBC

    Teen 'confesses' to Sasser worm


    The Sasser worm infects computers via the internet
    An 18-year-old German high school student has admitted creating the Sasser internet worm, police say.
    The worm hit hundreds of thousands of computers last week, continually shutting down and rebooting them.

    The teenager was arrested on Friday near the town of Rotenburg in northern Germany with the help of the FBI and Microsoft. He has now been released.

    Investigators seized a number of computers and disks from his home. It is understood he was working alone.


    The teenager's identity has not been released, though the German weekly Der Spiegel reported that the CIA and FBI had joined the search for a suspect known as Sven J.

    He is now being investigated on suspicion of computer sabotage which under German law carries a sentence of up to five years in prison, the BBC's Tristana Moore in Berlin reports.

    Different versions

    "He made a confession and the experts at Microsoft have now confirmed that he was the cause of this worm," said police spokesman Frank Federau.

    Police are acting on the theory that the student was acting alone, not as part of a wider network, our correspondent says.

    The arrest was made after informants contacted Microsoft on Wednesday, inquiring about reward money should they turn in the man.

    On Saturday, Microsoft general counsel Brad Smith said the US software giant had agreed to pay the informants if there was a conviction but did not explain how the informers got their information.

    "They did not stumble upon him through technical analysis. They were aware of who he was," Mr Smith told reporters in a conference call.

    In the past, Microsoft has put bounties of up to $250,000 on the heads of some of the most notorious virus writers.

    Netsky gang link?

    The official German IT security agency said there were four versions of Sasser, and it was not clear if the suspect was behind all of them.

    The Sasser worm quickly spread worldwide after its first appearance on 1 May.

    Some businesses were forced to shut temporarily so they could clear their systems and update anti-virus protection.

    Hospitals, banks, airlines, government agencies and many home users were affected.

    The Sasser worm attacks recent versions of Microsoft's Windows operating systems - Windows 2000, Windows Server 2003 and Windows XP.

    Unlike most outbreaks, it does not require a computer user to open a file in order to be activated - it can invade a machine directly via the internet.

    Experts say it apparently does no lasting harm.

    But although the worst of the outbreak is over, it is thought the worm will never entirely disappear, and that future versions may be far more damaging.

    But computer security experts have raised the possibility that Sasser may be connected to a previous virus called Netsky.

    A police spokesman said he could not confirm whether the student was being investigated over Netsky, but experts said if there was a link, it could mark a breakthrough.

    "The police may just have cracked the Netsky gang with this arrest. The whole ring may be broken wide open," said Graham Cluley, of British-based security firm Sophos.
    http://news.bbc.co.uk/1/hi/world/europe/3695857.stm

    I hope they nail this ****** up.


    Buddha says that, while he may show you the way, only you can truly save yourself, proving once and for all that he's a lazy, fat bastard.
  18. No, let all of the service people and companies send him the bill to fix, repair and clean up his mess.