New Automatic Internet Worm Spreading at Increasing Pace

F-Secure Corporation has been following the spread of the Sasser worm over the weekend of May 1st. This new worm spreads to Windows PCs automatically, even if nobody is using the PC at the time. After a machine gets infected, the worm will start to spread to other computers. As a side effect, users might see error messages and experience the computer rebooting repeatedly.

The number of affected PCs is already estimated to be in hundreds of thousands and it will continue to rise as the working week starts. “This case resembles the Blaster incident from August 2003 a lot”, says Mikko Hypponen, director of antivirus research at F-Secure. “Both were automatic worms using a relatively new hole in Windows and causing frequent reboots.” Together with Slammer and Sobig.F, Blaster was one of the largest virus incidents of 2003 and even caused problems to infrastructure systems such as ATM networks and train and air travel systems. “I hope administrators have improved security since then. Otherwise we might see similar problems again”, says Hypponen.

Two slightly different versions of the Sasser worm were discovered on May 1st. These worms spread through the LSASS vulnerability, which was discovered in mid-April. The Microsoft patch to close the hole had been available for download for 18 days before Sasser was found. The worm is targetting Windows 2000 and XP machines – the two most common operating systems. However, the network traffic generated by the worm might slow down other systems as well, including non-Windows systems.

Corporate networks should be protected against Sasser and its variants by the corporate firewalls, separating internal networks from public networks. “We’re mostly worried about Monday morning, when hordes of laptop users return to their workplaces with their machines, possibly carrying the virus behind the firewall”, comments Hypponen.

For home users, the advice is simple: if you’re running Windows 2000 or XP and have not updated your Windows during the last two weeks, do NOT go online without a firewall.

If your computer is already infected, you need to patch the LSASS hole first, then remove the worm – otherwise the worm could reinfect you right away. F-Secure’s and Microsoft’s websites have detailed instructions on how to do this.

F-Secure’s Viruslab is monitoring the situation in their weblog:
http://www.f-secure.com/weblog/
Technical description of the virus:
http://www.f-secure.com/v-descs/sasser.shtml
F-Secure has released a free tool to remove the Sasser.A and Sasser.B worms. The tool is available for download from the above link.

Microsoft has more information on the incident at: