Slashdot Mirror


Sasser Worm Disruption Growing

thebra writes "Yet another virus is causing problems with Internet Explorer. "Sasser, unlike a virus which travels through e-mails and attachments, spreads directly from the internet." A removal tool can be found here."

13 of 999 comments

  1. Internet Explorer? by Anonymous Coward · · Score: 5, Informative

    Sasser doesn't affect IE.

  2. Removal tool by Mindtoy · · Score: 5, Informative

    Another removal tool made by Network ASSociates can be found at: http://vil.nai.com/vil/stinger/ I've used it on a number of machines with no problem. It only scans files (no registry). It fits on a floppy and it's free. It'll even run on machines that already have virus protection, good if someone hasn't updated their definitions and can't get on the internet. It's updated anytime a new baddy comes out, but you have to redownload the EXE file since it doesn't check for updates.

  3. Don't blame Internet Explorer this time by joeykiller · · Score: 5, Informative

    The original poster is not correct when claiming Internet Explorer has a problem. This time it's a hole in the so-called "Local Security Authority Subsystem Service" that's causing problems.

    See this and this for more details.

  4. Re:I have a question by manavendra · · Score: 5, Informative

    You mean other than scanning random IP addresses on successive TCP ports starting at 1068 and making copies of itself?

    Well, it also acts as an FTP server on TCP port 5554, and creates a remote shell on TCP port 9996.

    It further makes copies of itself in the %Windows% directory.

    Oh and finally, it causes LSASS.EXE to crash, and by default this causes your system to reboot. Repeatedly.

    --
    http://efil.blogspot.com/
  5. Re:Direct? by orbit0r · · Score: 5, Informative

    What could be more "directly from the Internet" than email?

    An exploit connecting directly to port 445 of a host and not requiring any user-intervention to become infected.
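The network behaviour described in the two comments above (unsolicited connections to TCP port 445, an FTP server on TCP 5554, a remote shell on TCP 9996) can be turned into a simple detection pass over connection logs. This is an added example, not part of the original thread; the log format, addresses and the fan-out threshold are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed flow records (not real traffic): time,src,dst,dport,proto.
# Assumption: the log holds only connections that were accepted.
SAMPLE_LOG = """\
12:00:01,10.0.0.23,10.0.4.17,445,tcp
12:00:01,10.0.0.23,10.0.9.201,445,tcp
12:00:02,10.0.0.23,10.0.77.3,445,tcp
12:00:02,10.0.0.23,10.0.130.8,445,tcp
12:00:03,10.0.0.23,10.0.5.66,445,tcp
12:00:03,10.0.0.23,10.0.212.90,445,tcp
12:00:04,10.0.4.17,10.0.0.23,5554,tcp
12:00:05,10.0.0.99,10.0.0.23,9996,tcp
12:00:06,10.0.0.40,10.0.0.5,445,tcp
12:00:09,10.0.0.40,10.0.0.5,445,tcp
12:00:10,10.0.0.41,10.0.0.5,5554,udp
"""

SMB_PORT = 445
WORM_PORTS = {5554: "ftp server", 9996: "remote shell"}
FANOUT_THRESHOLD = 5  # assumed tuning value: distinct SMB targets per source


def parse_flows(text):
    """Yield (src, dst, dport, proto) tuples from the CSV flow log."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 5 or not row[3].isdigit():
            continue  # skip malformed lines rather than abort the scan
        _, src, dst, dport, proto = row
        yield src, dst, int(dport), proto.lower()


def find_suspects(text, fanout_threshold=FANOUT_THRESHOLD):
    """Return {host: sorted reasons} for hosts showing the described behaviour."""
    smb_targets = defaultdict(set)
    reasons = defaultdict(set)
    for src, dst, dport, proto in parse_flows(text):
        if proto != "tcp":
            continue
        if dport == SMB_PORT:
            smb_targets[src].add(dst)  # track distinct hosts contacted on 445
        elif dport in WORM_PORTS:
            reasons[dst].add(f"tcp/{dport} ({WORM_PORTS[dport]}) contacted")
    for src, targets in smb_targets.items():
        if len(targets) >= fanout_threshold:
            reasons[src].add(f"smb-fanout:{len(targets)}")
    return {host: sorted(r) for host, r in reasons.items()}
```

A workstation that talks to one file server on 445 stays below the threshold; a host that both fans out on 445 and accepts connections on 5554 or 9996 is the one to isolate and scan first.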

  6. Re:Could Sasser possibly affect Linux? by Aliencow · · Score: 5, Informative

    You would have to run the LSASS Service under Wine... and I don't know why you would want to do that!

  7. Re:Direct? by gunnk · · Score: 5, Informative

    Email gets picked up by your email client. An email virus must then be run from the message either by opening the attachment or (for some Outlook versions) by having Outlook open it for you. Even just receiving a copy of an email virus requires that you run your email client.

    In the case of the Sasser worm, it is using an open port to crawl directly into your computer when you connect to the internet. There is no action required on the part of the user and no infected file to load. Windows simply accepts the connection and installs the worm.

    That's why worms are "more directly from the internet" than email-based viruses.

    --
    Life is short: void the warranty.
  8. Re:Windows only by Hrothgar The Great · · Score: 5, Informative

    People have short memories. There was an Apache worm about two years ago (in mod_ssl).

    Here is a link

    Of course, worms like that are few and far between, especially when compared to the number of Windows worms going about lately, but to claim a system is "worm free by nature"? I think that's more than a little premature.

  9. Problems are with windows, not IE by T.Hobbes · · Score: 5, Informative
    A few things:
    • It's a worm, not a virus
    • It attacks Windows, not IE (despite Microsoft's efforts, there is still a distinction)
    • For the user, the main damage is that the infected computer will shut down; I have no reference, but shutdown loops have been reported
    • For the admin, the main damage is the flood of traffic sent out by the worm in search of new hosts
    • The worm can use Win98/WinME boxes to propagate but cannot infect those same computers

    Google cache of McAfee's page on the worm
    One of Symantec's pages

  10. Re:Microsoft's "fixes" by getling · · Score: 5, Informative

    Umm...why did you install MS04-014 instead of MS04-011? Maybe you got confused, like /. about what in the world this "poorly written" worm is attacking....

    --
    "Life is tough but we're tougher. You only get what you give, so give all that you've got." --Tony LaRussa
  11. Re:Sassier *is* a virus by American AC in Paris · · Score: 5, Informative
    It seems that we've been living in the land of email worms for so long that most people don't know how to deal with a real virus. Yeah, that's what they do... they spread without your help. Geez!

    No, that's inaccurate.

    Worms can spread to other machines on their own. Viruses require some external intervention (such as file sharing or e-mail) to spread to other machines. See this entry in the Jargon File for a more verbose answer.

    Now, many of the latest e-mail "worms" would be better classified as viruses or trojan horses, as they are incapable of infecting other hosts without direct user intervention (i.e., opening an attachment.) They've been (IMHO) mis-labeled as worms because they display worm-like behavior once they've infected a machine--that is, they mail copies of themselves as trojan-style attachments to other users.

    So yes, the Sasser worm is a bona-fide worm. It transmits itself to other systems without any external help.

    --

    Obliteracy: Words with explosions

  12. Auto updates and quick patches by truthsearch · · Score: 5, Informative

    Autoupdates and immediate patching aren't options for large corporate networks. Patches often break existing applications. Even after extensive testing some patches have caused more problems than they fixed. Windows Update sends enough information back to Microsoft for them to determine what's installed on our private network, so we block it from running.

    It takes weeks to test a patch and push it out. Servers often can't be rebooted until weekends. Then there are users with special situations that require manual installs. It takes time to do hundreds of installs manually. It also takes time to get the patch onto the standard corporate "build" of Windows, so for a while new computers need the patch pushed out after logging into the network the first time, leaving a gaping hole for this virus to spread.

  13. Two huge gaping problems by Aslan72 · · Score: 5, Informative
    Sasser.d attacked our University last night and we noticed two particular things.

    1) Several groups were relying on SUS in order to get those patches distributed. If you go into SUS, the patches were 'approved' on one screen, not on the other. I wasn't alone in seeing this. Suffice to say, I was also a bit shocked when it started to blow through and none of my machines were protected.

    2) When it installs (sasser.d) it writes itself to 'System Volume Information' - allowing it to not get caught by NAI's on demand scanner, and re-infect the box if you don't do a C drive scan manually.

    --pete