ALERT: New Virus Outbreak: W32.Sasser.B.Worm

[Harkoliar]

I suggest you guys read this one first based on CNN

http://www.cnn.com/2004/TECH/interne...orm/index.html

Quote:

(CNN) -- Computer security experts are dealing with at least four variants of a worm that is spreading quickly through Windows operating systems. Known as SasserA, SasserB, SasserC and SasserD, the worm is targeting Windows 2000, Windows XP and Windows 2000 and 2003 servers. Other Windows systems, including Windows 95, 98 and ME, could be indirectly affected. "It's pretty aggressive, and it's replicating very quickly," said Steven Sundermeier, a security expert at Central Command, a computer security company based in Medina, Ohio. In a new, cunning twist by virus writers, an e-mail in wide circulation that purportedly offers a "fix" for the Sasser worm actually infects the user's computer with a different virulent worm, known as Netsky-AC. "It really preys on paranoia about the Sasser worm," said Graham Cluley, senior technology consultant for the computer security firm Sophos. "The very worst thing you can do is fall for this trick by clicking on the attached file," he said. Cluley said there may be a connection between the creators of Sasser and Netsky. He says hidden in the code of Netsky-AC is a sarcastic message directed toward antivirus companies, claiming responsibility for both. The Sophos spokesman said the Taiwanese Post Office, the train system in Sydney, Australia, and several banks in Scandinavia have been infected by the Sasser worm. Spreading globally While a computer virus requires some sort of human intervention to be launched, such as opening an e-mail, a worm takes off on its own. Sasser spreads through a Windows vulnerability known as LSASS, or Local Security Authority Subsystem Service. Sasser scans random internet protocol addresses until it finds a vulnerable system. Then it copies itself into the Windows directory as an executable file, and is launched the next time the computer is booted. Microsoft issued a patch, or fix, for this vulnerability last week. But in large corporate computer systems, these patches can have an impact on other internal systems. That means there's often much more to do than simply install the patch to both stop the worm and make sure other computer systems are not compromised. Users could be affected without knowing it. One symptom is that the computer may restart every time the user tries to go online. As Sasser moves from machine to machine, it is also possible to remotely take over control of a user's computer. The FBI said Monday its agents are leading a task force trying to track down the origins of the worm. The bureau provided no details, saying only that its field office in Seattle had worked throughout the weekend and Monday with Microsoft representatives and agents of the Secret Service, the Internal Revenue Service, the Washington State Police, and the Seattle Police. Sasser has been spreading globally since it was detected Friday. Safeguards While many businesses are being affected, Sasser has also hit home users, especially those with broadband connections. Cluley says a personal firewall should be installed by home broadband users. There are many available and some can be downloaded free from the Internet. He also suggests automating both patches from the Windows Web site and updates from antivirus companies. With hundreds of new worms and viruses created each month, these automated programs for PCs can be effective, Cluley said. Sundermeier said a recent trend by virus writers has been to release threats late on Fridays or on weekends, when computer network security teams are not fully staffed. He said the Netsky and Bagle worms also were launched on weekends. Both Sundermeier and technical experts at Panda Software, based in Bilbao, Spain, said it is labor intensive for technical teams to cleanse computers of the Sasser worm. Unlike some types of security updates and service packs issued by Microsoft that can be applied to an entire network, many companies must correct this problem unit by unit. There is some nervousness about installing systemwide patches, for fear that they might impair something else on the network. Sometimes the patches themselves are ineffective. In the past Microsoft has issued patches to fix patches, Cluley said.

Dont stay too comfortable there guys. This new Sasser worm doesnt need anymore to be opened via email. It actually just scan's IP addresses and those people who are vunrable with the securtiy patch not installed will find themselves with a virus even if they are not using the computer.

[T-D-C]

Alot of the new viruses are spreading in this fashion. The don't rely on emails any more.

People out there are getting smarter and exploiting the holes in the Windows Operating System.

Thats why I also linked the Windows update site so everyone can get the latest security patches from Microsoft to protect them selves.

Best defence against new worms such as these is a combination of a firewall (software or hardware) and antivirus. Now days its becomming almost essential to have a firewall of some descrption.

Hope it helped!

Cheers

T-D-C

[ 05-03-2004, 09:15 PM: Message edited by: T-D-C ]

[Seraph]

Quote:

Originally posted by johnny: It doesn't effect ANYTHING if you don't open e-mails with attachments. [img]tongue.gif[/img]

If you don't know what your talking about you shouldn't go around spreading misinformation.

[Harkoliar]

johnny meant well. he didnt know there is a new variation of the virus. Some sasser virus (among a-d) is based on email. but there is one going thru based on ip address. which is a new warning.

[T-D-C]

Yeah Johnny meant well, and not many people are aware of the new emerging virus technologies that are out there. Go back 3-5 years and the only way you were getting a virus is from a floppy disk. Now days viruses almost ignore floppys so they are pretty safe.

Threads like this are just to make everyone aware and if someone gets something wrong lets not jump all over them. Just say they had the wrong info and point them towards the correct info.

[johnny]

Quote:

Originally posted by Seraph: quote: Originally posted by johnny: It doesn't effect ANYTHING if you don't open e-mails with attachments. [img]tongue.gif[/img]

If you don't know what your talking about you shouldn't go around spreading misinformation. [/QUOTE]Well, it always used to be like that, how was i supposed to know that they already improved virusses ? You just like to attack me, don't you ?

[Mack_Attack]

Quote:

Originally posted by johnny: If i didn't specifically ask for something, i don't even open attachments from people i know. They might be infected without them even knowing it. One can never be too cautious. Btw... Hey Mack, long time no see, where have you been ?

Hey Johnny, well no where really just busy with Sydney and the yard. We are in a new house and the yard needs to be done. But I was just having a look around and decided to stop in and see what has been going on with the community. Looks good.

What have you been up to lately??

[Intrepid]

I was infected by Sasser, my school and a few other schools in my city are infected, and many of my friends computers

I have since formatted, and reinstalled zone alarm, but wow this is really annoing. (i was going to format anyway, this just gave me a good reason to do it)

I don't blame microsoft, but i am getting angry with these attacks

Is shutdown the only remote operation these worms can do? why didn't the writer make it "better" or more destructive if they wanted to be really annoing

Also, ISPs are beginning to get tied up with these viruses, my connection was only 48k and now has dropped to 28k, do you think this virus will be eliminated completly? i mean msblast is still out there even now.

also thanks for the information T-D-C

[ 05-05-2004, 09:56 AM: Message edited by: Intrepid ]

[johnny]

I found this guys. It's a little program from MacAfee, called Stinger. It checks your harddrive for 41 known virusses, including the new Sasser (what a stupid name btw) virus, and automatically deletes it from your system. It also removes any trojans it happens to run into. Check it out, it's worth it.

Why do Hackers still insist on making these worms in times like these?

Return to Topic