Four Versions of Sasser Worm Spreading Chaos

Four variants of Sasser, the first major worm to exploit flaws patched by Microsoft's huge security bug fixing patch last month, were wreaking havoc on computer networks as of mid-day Tuesday.

Sasser attempts to exploit the LSASS Vulnerability, one of 14 security flaws patched with Microsoft security bulletin MS04-011 on April 13. The release of a security bulletin is often the starting line of a race between users and administrators patching machines and worm writers trying to exploit the new flaws.

Sasser spreads by scanning randomly selected IP addresses of vulnerable systems. Sasser can infect Windows 2000 and Windows XP machines, generally causing them to crash. While it can't infect Windows 95/98/Me, the worm can run on those platforms and so overtax the machines that they become unusable.

On a five-point severity scale, with five representing the most serious problems, Symantec rated Sasser.B a four, Sasser.A a three, Sasser.C a two and Sasser.D a two.

Meanwhile, researchers at Panda Software found that from Saturday to Monday, Sasser.A or Sasser.B were causing the most infections of any virus. At a peak on Sunday, Sasser.B accounted for 24.4 percent of virus infections and Sasser.A accounted for 15.8 percent. By Tuesday, Netsky.P was in the lead with 11.42 percent of infections -- Sasser.B was second at 8.2 percent and Sasser.A was at 4.9 percent.

"Clearly, these variants have not completed their course but it looks as if containment will probably be accomplished by the end of the week," Patick Hinojosa, CTO of Panda Software US, said in a statement. "The risk remains highest for home users who may not have the knowledge to patch their operating systems as via the Windows Update Feature that Microsoft has recommended."

Eric Schultze, chief security architect for patch management vendor Shavlik Technologies, said the Sasser worm has a similar attack profile to the infamous Blaster worm.

"If your corporation was open to it last time, unless you've made radical changes to your network, you're going to be vulnerable. If someone has a laptop at home, and they get infected, and bring it in your network's going to be infected," Schultze said. "This is an excellent time for a quarantine service."

Schultze also said the many vulnerabilities fixed in MS04-011 make it very likely that Sasser will be combined with other exploits. "Because the MS04-011 had 14 different flaws that it patched, I could see it turning into a Nimda-style worm where the worm tries several different ways to get into your network. The worm has just been exploiting the LSASS flaw and just on XP and 2000. I could see someone including this with SQL Slammer and Blaster into one humongous worm. I could see that happening, potentially by end of week," Schultze said.

Meanwhile, Microsoft announced it was working with the FBI and the U.S. Secret Service to find and prosecute the authors of Sasser and another worm called Agobot.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.


  • Microsoft Deprecating Windows To Go

    Microsoft plans to put an end to its Windows To Go product in the near future, according to a Friday support article.

  • Microsoft Releases Hyper-V Server 2019 After Long Delay

    Acknowledging that the release took "way too long," Microsoft has made Hyper-V Server 2019 available for download from the Microsoft Evaluation Center page.

  • Forklift Container

    A Better Way To Upgrade Hyper-V Storage

    It's time again for Brien to perform a major storage upgrade on his Hyper-V hosts. But this time, he's taking a new approach.

  • RAMBleed Side-Channel Attack Method Disclosed by Researchers

    Academic researchers this week published information about another side-channel attack method, called "RAMBleed," that can expose information from memory chips, including encryption key information.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.