Sasser fever

brownie · May 3, 2004

Anybody suffered from this Sasser worm?

The computers at work went dead late this morning.

The Paris heaquarters of Agence France Presse were hit on Saturday evening.

From Reuters:

Technology - Internet Report

Sasser Worm Strikes Hundreds of Thousands of PCs

Mon May 3, 7:08 AM ET

By Brett Young

HELSINKI (Reuters) - A fast-spreading computer worm similar to last year's massive "Blaster" has struck hundreds of thousands of PCs globally and it remains unclear how many will be infected, a top computer security official said Monday.

Data security firm F-Secure says the worm, which surfaced at the weekend and is known as "Sasser," automatically spreads via the Internet to computers using the Microsoft Windows operating system, especially Windows 2000 and XP.

"We'll be in the dark for quite a while as to how many computers have been affected," said Mikko Hypponen, Anti-Virus Research Director at F-Secure.

"With Sasser it seems that companies are (using software) patches better and more quickly than last year (with Blaster), but for those that are hit, they are hit hard," he told Reuters, adding he believes Sasser originated in Russia.

The worm does not need to be activated by double-clicking on an attachment, and can strike even if no one is using the PC at the time. When a machine is infected, error messages may appear and the computer may reboot repeatedly.

"Compared to what happened with Blaster ... last August ... this virus has all the same features," Hypponen said, noting that both worms exploited relatively new holes in Windows and frequently caused computers to reboot.

Finnish bancassurer Sampo said Monday it had closed all of its branch offices, some 130 in all, as a precaution against Sasser.

Spokesman Hannu Vuola, however, said all of the offices would soon be reopened.

WANTED: BLASTER'S AUTHOR

Blaster infected computers around the globe. Microsoft said the virus cost it "millions of dollars of damages," and has issued a $250,000 bounty for information on the whereabouts of its author.

F-Secure said corporate networks should be protected against Sasser and its variants by firewalls -- Internet road blocks that separate internal from public networks.

For home computer users, people should make sure they have downloaded a corrective-code software patch to fix the breach. If their computer is infected, the patch must first be downloaded before the virus is removed or else the PC could catch the worm again.

F-Secure said the worm emerged 18 days after Microsoft posted the software patch on its Web site. This continues a common pattern with viruses whereby companies announce flaws in their software and hackers race to exploit them.

By Hypponen said he was not sure there was a better way for firms to alert users to problems with their software.

"There are always going to be security holes in mainstream products," he said. "Even if these are not made public, the bad boys will find out about them anyway."