Sasser Creator Copycats: a New Worm Has Been Discovered, Cycle.A

– Despite the arrest of the alleged creator of the virus that has caused the latest global epidemic, PandaLabs has detected a new worm, Cycle.A, which, like Sasser and its variants, uses the Windows LSASS vulnerability to spread rapidly
– In this case, the virus creator -which uses the alias Cyclone- has hidden a text on the political situation in Iran inside the virus code
– As with the Sasser worms, computers affected by Cycle.A restart every 60 seconds
– Users are advised to install the patch released by Microsoft to fix the LSASS vulnerability, if they have not already done so
– Meanwhile, the Sasser worms continue to cause incidents among computers worldwide

The arrest of the alleged creator of the Sasser worms has not been accompanied by a lull in the momentum of computer viruses. PandaLabs has detected the appearance of a new worm, Cycle.A (W32/Cycle.A.worm) which -like Sasser and its variants- exploits the LSASS vulnerability affecting some Windows versions in order to infect computers through the Internet.

The scenario has changed, however, as indicated by the text found inside the virus code. In this text, the virus creator -alias Cyclone- claims to be Iranian and refers to the social and political situation in his country. The entire content of this message can be read in ‘Panda Softwares Virus Encyclopedia.

Cycle.A tries to enter computers through communications port TCP45 in order to check if the system is vulnerable. If it is, the worm causes the affected computer to download a copy of itself called CYCLONE.EXE. However, this will only take place if the application TFTP.EXE is installed on the system.

Additionally, and regardless of whether the worm has managed to copy itself to the targeted computer, the attempt by the virus to enter the system causes a failure in the application LSASS.EXE which makes the computer restart every 60 seconds.

According to Luis Corrons, head of PandaLabs, “It was to be expected that sooner or later some other unscrupulous individual created a new virus that exploited the LSASS vulnerability. The real problem lies in the fact that the necessary code to exploit this security hole is in possession of many people who can incorporate it into their creations. Therefore, it is very likely that new variants of Sasser and Cycle, as well as other malicious codes that can act like them, will appear in the future.”

Meanwhile, the members of the Sasser worm family -which was joined yesterday by Sasser.E- continue to cause incidents on computers worldwide. In fact, Sasser.B continues to be one of the viruses most frequently detected by Panda ActiveScan, Panda Software’s free online scanner.

In order to prevent your computer from falling victim to Cycle.A, Sasser and its variants, or any other worm that exploits the LSASS vulnerability, it is necessary to install the Microsoft patch available from Microsoft. Panda Software also advises users to tighten security measures, ensure that they have a fully updated antivirus installed and keep themselves informed of any new viruses that could appear. Panda Software has made the updates necessary to its products available to clients.