- Dave's iPAQ

05-01-2004, 03:24 PM

Senior Editor

Join Date: Jun 2002

Location: Massachusetts & Maine

Posts: 1,880

Sasser worm begins to spread

I know that I have been adding a lot of updates on spreading virus’. I have a concern that there are still folks out there that just have not kept there anti-virus software “up to date” and will end up getting “wacked”. Because most (if not all) of us still us our desktops to keep our iPAQs synced and to load new pregrams, I believe that it is appropriate for us to pass on the warning information as it arises. I am curious however as to the security that YOU are using. It would be a terrific help to us if you could post what you are using and if you find these updates valuable information for you. I have a huge respect for Robert Lemos a staff writer for CNET News.com. When he posts an article, I always read it and generally take his advice. Here is another article that he posted today.

Quote:

update A worm, dubbed Sasser by antivirus firms, was spreading slowly throughout the Internet on Saturday, taking advantage of a vulnerability in unpatched Windows systems to infect new hosts. The Sasser worm began spreading Friday night and seems to be moving at a pace far slower than previous worms such as MSBlast and Code Red, said Alfred Huger, senior director of security firm Symantec’s response team. “It is a slow burn,” he said. “It is picking up speed, but right now we aren’t seeing to much activity.” Symantec initially rated the Sasser worm as a two on its five-point scale of threats. A five is the highest danger rating on the scale. Rival antivirus firm Network Associates rated the threat a medium danger, and the Internet Storm Center, which monitors network threats, raised its general Internet danger level to yellow, essentially a medium rating as well. “Due to the release of this worm, we moved to infocon yellow for the next 24 hrs,” the Internet Storm Center site said. “The exact impact is not clear at this point.” Security experts did not know how far the worm had spread, but many companies reported some infections, said Vincent Gullotto, vice president of Network Associates’ antivirus emergency response team. “We have had 25 to 50 reports from companies that have had up to a few hundred machines infected,” he said. “One company wanted to patch this weekend, but the worm infected their network first.” The creation of the worm didn’t surprise the Internet’s security community. Security experts widely predicted that a worm would soon start spreading using that particular flaw by exploiting a recent vulnerability in a component of Microsoft Windows known as the Local Security Authority Subsystem Service, or LSASS. The Sasser worm spreads from infected computer to vulnerable computer with no user intervention required. The worm scans for vulnerable systems, creates a remote connection to the system, installs a file transfer protocol (FTP) server and then downloads itself to the new host. The worm opens up the initial connection on a specific application data channel, or port, numbered 9996. After the worm infects the new host, the FTP server listens on port 5554 for new files. The worm uses multiple processes to scan different ranges of Internet addresses. The scans attempt to detect the vulnerable LSASS component on port 445. Microsoft has analyzed the worm and believes it also spreads through port 139. Both are data channels used by the Windows file sharing protocol and, in many cases, are blocked by Internet service providers. A team of Microsoft engineers worked through the night to analyze the worm, said Stephen Toulouse, security program manager for the software giant. “We are still studying the worm, but we do know customers that install the update are protected from Sasser,” Toulouse said. The worm will cause the LSASS component of Windows to crash, according to analyses. Infected systems will then perform a 60-second countdown before restarting. Microsoft has created a Web page telling customers how to manually clean up the worm. Antivirus firms also continue to analyze the worm.

__________________ Jack Cook Senior Editor, Dave’s iPAQ

Microsoft MVP – Windows Mobile Devices

NEW Dont forget our Podcast hotline telephone number in the US: 1-425-738-9506 available 24 hours a day 7 days a week or leave us a SKYPE Voicemail by clicking here . Also dont forget to add us to your Podcast aggregator by clicking here.

05-01-2004, 03:34 PM

Senior Editor

Join Date: Jun 2002

Location: Massachusetts & Maine

Posts: 1,880

What You Should Know About the Sasser Worm

Posted : May 1, 2004 Microsoft teams and law enforcement authorities are investigating reports of a worm, identified as W32.Sasser.worm, that is currently circulating on the Internet. Microsoft has verified that the worm exploits the Local Security Authority Subsystem Service (LSASS) issue fixed in Microsoft Security Update MS04-011 on April 13, 2004.

From Microsoft: http://www.microsoft.com/security/incident/sasser.asp

It is recommended that you go to the Microsoft site and read the bulletin listed above

__________________ Jack Cook Senior Editor, Dave’s iPAQ

Microsoft MVP – Windows Mobile Devices

Related Posts

PowerCerv Corporation Announces Letter of Intent to Acquire Search Play, LLC

Windows XP Wi-Fi Protected Access 2 Updated Posted