PandaLabs in the Hunt for the Authors of the Sasser Worms

– Using forensic IT techniques, PandaLabs is collecting clues that could lead to the arrest of the authors of the Sasser worm

– Given the modus operandi of these virus authors, a new and extremely dangerous virus is expected to appear over the weekend

– More companies and institutions are reporting that they have felt the effects of Sasser. These include the government of Hong-Kong and American Express in the USA

– Users are advised to keep their guard up and to install the patch released by Microsoft to fix the LSASS vulnerability, if they have not already done so

While the Sasser worms continue looking for new victims to infect, the hunt for their creators has started. By applying proprietary forensic IT techniques to the code of these worms, PandaLabs will look for clues that could lead to the arrest of their authors.

“Letting viruses loose is a crime that should be investigated. The authors of Sasser must also be treated as particularly dangerous criminals, as evidence suggests that they also created the Netsky worms, and who knows how many other viruses,” says Luis Corrons head of PandaLabs.

The clues to the authors of computers viruses are hidden in the source code, lines of special characters that to the untrained eye don’t make any sense, but that can disclose a lot of information to the experts at PandaLabs. “Virus authors usually have delusions of grandeur and therefore don’t miss any opportunity to leave their mark in the viruses they create. However, this is often their undoing: it can be a date, the name of a city, a reference to a friend or girlfriend, etc., the slightest clue could be the key to detaining the author of the virus,” explains Corrons.

However, until these delinquents are caught, users should continue to keep their guard up against the highly probable appearance of new viruses. Considering how the previous attacks were carried out, it is likely that the authors of the Sasser and Netsky worms are putting the final touches to an extremely dangerous malicious code that -as they have done up until now- they will unleash at the weekend.

More companies and institutions are reporting that they have felt the effects of Sasser in one way or another. These include Heathrow airport in London, where one of the terminals was brought to a standstill, some governmental departments in Hong Kong, as well as the Suntrust Bank and American Express in the USA.

To mitigate the effects of the Sasser epidemic, Panda Software has made its PQRemove tools available to users. These applications not only disinfect computers but also restore system configurations altered by the worm.

One of the PQREMOVE tools is specifically designed for networks, and removes Sasser and all its variants from any network that could have been affected. Click here to access it. The other PQREMOVE applications can disinfect any computer attacked by any of the variants of the Sasser worms. Click here to access them.

User can detect and disinfect the new worm with an up-to-date antivirus, but it is important to install the Microsoft patch to ensure that Sasser doesn’t re-infect computers. The vulnerability exploited by this worm was reported by Microsoft recently in bulletin MS04-011, along with the patch. Panda Software has made the updates necessary to its products available to clients.

Don't miss