Patch now or suffer Sasser

'Dark forecast' as Windows users warned of new family of viruses

vnunet.com staff, vnunet.com 04 May 2004

Microsoft customers are being urged to update their patches to protect against a family of internet worms that are spreading fast by exploiting a vulnerability in Windows.

The Sasser worms exploit the Windows Local Security Authority Subsystem Service flaw, about which Microsoft has already advised users. Four variants of the worm have been reported since 1 May.

Security software firm McAfee warned that systems are especially at risk, as the virus does not spread via email and no user action is required to propagate it. The worm simply instructs vulnerable systems to download and execute its code.

"Computers which are not properly protected with antivirus updates, firewalls and Microsoft's security patches are asking for trouble," warned Graham Cluley, senior technology consultant at antivirus firm Sophos.

Luis Corrons, a director at Panda Software, said that Sasser looked like a dangerously virulent worm.

"All these signs make for a dark forecast for the beginning of the week when it is expected that the number of incidents will soar at the start of the working day," he said in a statement.

The worm scans random IP addresses for vulnerable systems, then sends a specially crafted packet to produce a buffer overrun on LSASS.EXE. This causes the program and infected system to crash, requiring Windows to reboot.

"More infections can lead to increased network traffic and result in severe network slowdowns, like an internal denial-of-service attack," said Joe Hartmann, senior virus researcher and analyst at Trend Micro.

The worm affects Windows 95, 98, ME, NT, 2000 and XP. Customers are advised to apply the necessary patches immediately. The Microsoft patches can be found here.

See also: