
Sasser Worm



Posted by: memorex

The latest threat or inconvenience has landed; this was first noticed on Saturday:


Quote:
A new Internet worm is spreading worldwide and has probably already infected millions of computers, a Finnish anti-virus expert said

The Sasser worm can infect any computer that is switched on and connected to an Internet service provider, and unlike most other worms or viruses is not spread by email, said Mikko Hyppoenen, head of anti-virus research at the Finnish Internet security firm F-Secure.


"This is one of few worms that spreads automatically. It is enough for your PC to be on," he told AFP in a telephone interview from Helsinki.


The worm typically shuts down the computer then automatically re-boots it, repeating the procedure several times. Hyppoenen said computers behind a firewall should be spared from the attack.


He stressed that the worm, while inconvenient, was otherwise harmless and other experts said it was relatively simple to destroy.


"This worm does not have any criminal intentions, unlike the Bagle and Sobig viruses we saw earlier (this year) which took control of computers by opening back doors to send spam. Sasser doesn't do anything," he said.


"The Blaster virus in August 2003 infected millions of computers... this time there could possibly be more computers infected," Hyppoenen added, however.


Hyppoenen said experts did not yet know who was behind the attack but suspected that it was teenage hackers out to have some fun.


"It was probably some hobbyist, a teenager who has the skills and wants to show off," he said.


Sasser was first observed at 0001 GMT Saturday, and was infecting computers that had not installed the latest Microsoft software update in the past 18 days.


Installing the patch fixes the problem, but many users may find that difficult because their computer keeps on shutting down, Hyppoenen said.


He expected the number of computers affected by the worm to increase dramatically on Monday, when employees who had worked on laptop computers at home over the weekend returned to work and hooked them up to the office network.


The antivirus company Symantec said on its website that Sasser spreads by scanning Internet computers for "vulnerable systems" -- computers that were permanently connected to their Internet service provider.


It was first spotted on Friday, and Windows 2000, Windows Server 2003 and Windows XP were the exposed operating systems. Other Windows systems, Linux and Macintosh, among others, were not affected.


Symantec described Sasser's geographical distribution late Saturday as "low" and classified the threat containment and removal as "easy."


Details of how to eliminate the bug are on (http://securityresponse.symantec.com).


"The Sasser worm spreads in a similar way to last year's serious Blaster outbreak, in so much as it travels via the Internet exploiting security holes in Microsoft's software and does not use email," said Graham Cluley, senior technology consultant for the US anti-virus company Sophos.





"At the moment it's not travelling as fast as Blaster did, but computers which are not properly protected with anti-virus updates, firewalls and Microsoft's security patch are asking for trouble."

Microsoft first reported the vulnerability on April 13.

The Russian anti-virus firm Kaspersky Labs described the danger level for computer users from the worm as "medium" on its website.

Since laptops are not protected by company firewall systems if used on another server than the company's, they would run the risk of being infected, and in turn infect the company's network when used Monday in the office.

Sasser is the third wave of major Internet viruses to be launched this year, after Mydoom.A, which spread in January, and Bagle.B, in February.






Posted by: awty

Haven't done any research on this one, but would GUESS that a firewall, and only having ports open that are ACTUALLY needed might be a big help here...

Suggestion: Keep your software up to date, use a good antivirus, keylogger/trojan software scanner, and a firewall.

Just a couple of suggestions that may help,
Jeff



Posted by: forwardone

I was notified by Microsoft about this earlier by email.

For some reason it hasn't shown as a critical update on their Updates page yet. ](*,)


Geoff



Posted by: memorex

I think it will work on the silver thread principle and attack any undefended ports; this is why you must keep open ports to a minimum.
Also, there is an update available from Microsoft with the automatic updates.

Quote:
Sasser was first observed at 0001 GMT Saturday, and was infecting computers that had not installed the latest Microsoft software update in the past 18 days.


regards
memorex

Quote:
Millions of computers have already been infected by a new Internet computer worm that caused disruptions over the weekend and may spread rapidly when businesses resume work Monday morning, experts warned. The worm, named Sasser, began to spread on Saturday, and unlike a virus does not travel through e-mails or attachments. It can spread by itself to any unprotected computer linked to the Internet.




Posted by: rixzta

Quote:
Originally Posted by masterful
I was notified by Microsoft about this earlier by email.

For some reason it hasn't shown as a critical update on their Updates page yet. ](*,)


Geoff


I hope you scanned the email... I would never open an email from Microsoft.



Posted by: forwardone

Quote:
BERLIN, Germany (CNN) -- A German teenager confessed to creating last year's Sasser worm -- which wreaked havoc on hundreds of thousands of computers -- as he went on trial on charges including computer sabotage, a court official said.

Spokeswoman Katharina Kruetzfeld told CNN that even though Sven Jaschan, 19, had admitted his guilt, the trial proceedings in the northwest German town of Verden would continue as scheduled with a verdict expected Thursday.

German police arrested Jaschan last May when he was still in high school.

The worm spread quickly when it was released earlier that month, slowing to a snail's pace computers around the world.

Users of Microsoft's Windows operating system reported that machines infected with the worm were sluggish or quit or rebooted for no reason.

Anti-virus companies estimated that more than one million personal computers were infected.

The Sasser worm did not have a malicious payload, meaning it did not destroy or alter information within a computer.

Its main irritant was that it caused significant performance degradation by dramatically slowing even the simplest of computer chores, due in part to how a worm operates.

While a computer virus requires some sort of human intervention to be launched, such as opening an e-mail, a worm takes off on its own. Sasser spread through a Windows vulnerability known as LSASS, or Local Security Authority Subsystem Service.

Sasser scans random Internet protocol addresses until it finds a vulnerable system.

Then it copies itself into the Windows directory as an executable file and is launched the next time the computer is booted. All that searching for a new "victim" slows things down across the Internet.

Jaschan told officials he intended to create a virus, "Netsky A," that would fight the "Mydoom" and "Bagle" viruses, removing them from infected computers, according to The Associated Press.

He then continued to develop Netsky and created Sasser. Investigators said he had launched another version to limit the damage of that virus shortly before his arrest, AP added.
Geoff



Posted by: Pete Berg

Oh, thanks for giving us such information, friend. I found this more important to me and also interesting. So you want to say that this worm makes our PC infected and can slow down the speed of processing? So do you have any solution for this worm, or any antivirus to detect such kind of worms?



Posted by: forwardone

Have a look at the Microsoft website first of all, they will list the known problems, and they may even show the solution.

Good anti-virus systems should be able to detect them, and remove them too.



