The Sasser worm takes advantage of a recently reported Windows vulnerability.
Since the appearance of W32/Sasser.A, three new variants have been discovered: W32/Sasser.B, W32/Sasser.C and W32/Sasser.D. These variants all behave in a similar way to W32/Sasser.A and are detected by F-Prot Antivirus using virus signature files dated 3 May 2004 and later.
W32/Sasser.A started spreading early in the morning of Saturday 1 May 2004 and was quickly detected by FRISK Software virus analysts. This worm has gained wide distribution in a short period of time and has, as a result, been classified as high risk by FRISK Software's virus experts.
W32/Sasser.A is a self-executing worm that spreads by taking advantage of a LSASS vulnerability in Windows that was first reported on 13 April 2004 in Microsoft Security Bulletin MS04-011. The worm infects systems running Windows XP and Windows 2000.
The worm does not spread via e-mail and needs no user action in order to propogate. Instead, it spreads directly from one networked computer to another by taking advantage of the aforementioned vulnerability and instructing unpatched systems to download and execute the worm's code. This technique, combined with the fact that many users have yet to update their systems, has allowed the worm to spread considerably in a relatively short period of time.
After updating the virus signature files, users should scan their whole system with the F-Prot Antivirus OnDemand scanner to ensure that their computer security was not compromised before the virus signature files were updated.
The latest versions of F-Prot Antivirus detect W32/Sasser.A using virus signature files dated 1 May 2004 or later.
More informationFrom FRISK Software:
- W32/Sasser.A details
"Microsoft reports the discovery of serious Windows vulnerabilities" - 14 April 2004.
- Microsoft Security Bulletin MS04-011
- "What You Should Know About the Sasser Worm and Its Variants" - 1 May 2004.