Sasser Worm - Sasser Virus - W32.Sasser.B.Wor Patch Help

Antivirus Software Center


Sasser Worm Infections Increase by 43% during Second Day of Alert
Thursday, 6th May, 2004

WORM_SASSER was first detected on May 1, 2004, and variants A through D have been under detection since May 3, 2004. Since then, Trend Micro has regarded this worm family as high risk to computer users.

WORM_SASSER exploits the Windows Local Security Authority Subsystem Service (LSASS) vulnerability, which is a buffer overrun that allows remote code execution and enables an attacker to gain full control of the affected system. To propagate, this worm scans random IP addresses for vulnerable systems.



According to Trend Micro, on May 4 (for the period beginning and ending at 02:00 hrs GMT), there was a 43% increase in Sasser worm infections (counting variants A, B, C and D) compared to the same period on May 3. Notably, WORM_SASSER.C infections increased by more than 85% while WORM_SASSER.D infections increased by more than 176% during the same 24-hour period. WORM_SASSER.B and WORM_SASSER.D infections accelerated throughout the first and second half of the day. WORM_SASSER.D infections alone climbed over 90% during the last 12 hours of that day.

These increases occurred despite the raised awareness of the Sasser worms. WORM_SASSER's ability to infect systems through random IP addresses and then use each victim machine to seek out more potential victim machines means it can spread at an exponential rate. With more infected systems, the worm can accelerate its search for other systems with the LSASS vulnerability.

"By working at the operating system level instead of the usual email level, this worm can simply infect without any user intervention. Those with a vulnerable PC and one that is constantly connecting to the Internet are especially at risk. The lesson learnt here is to apply critical patches and update new virus pattern files immediately whenever they are available," cautioned Ang Ah Sin, Regional Marketing Manager for Asia South Region at Trend Micro.

Coincidentally, the timing of the worm's release may have been a factor in its slow start. The first variant appeared early Saturday, May 1, and three more were released over the weekend. May 3 was a national holiday for some European countries, which may explain some of the recent increase as people returned to offices. Japan has been celebrating the annual Golden Week holiday since last week, and many Japanese are expected to return to their offices today.

Trend Micro's virus activity monitoring data is collected through Trend Micro's HouseCall online scanning services, and represents a sample of infections occurring throughout the world. HouseCall can be found at https://housecall.trendmicro.com.

Trend Micro customers are protected through the latest pattern file, number 885. Customers of Outbreak Prevention Services should download OPP 113 to help protect against spread of this threat. For customers of Damage Cleanup Services, Damage Cleanup template #335 should be downloaded to help with automated restoration of affected systems. Users of Trend Micro Network VirusWall 1200 can detect this worm through pattern #10126. The associated vulnerabilities were also described in Vulnerability Assessment pattern #010.

Customers are advised to apply the necessary vulnerability patches available from Microsoft to address the LSASS vulnerability.

