May 10, 2004 12:08 PM PDT

Author leaves warning in latest Sasser worm

By Robert Lemos and Dawn Kawamoto
Staff Writers, CNET News

Share
- Digg
- Del.icio.us
- Reddit
- Facebook
Email
Print

Related Stories: Can Microsoft bounty end viruses?
May 10, 2004; Microsoft reward snags suspected Sasser author
May 8, 2004; Sasser's toll likely stands at 500,000 infections
May 3, 2004

Antivirus companies discovered a fifth version of the Sasser variant this weekend, within hours of German police arresting an 18-year-old man who confessed to being the Sasser worm's author.

The latest variant, Sasser.E, was released a week ago, according to Microsoft. It attempts to warn people whose computers are vulnerable that their systems have not been patched for a widespread Microsoft Windows vulnerability exploited by the program.



		Get Up to Speed on... Enterprise security Get the latest headlines and company-specific news in our expanded GUTS section.

"It appears that whoever released it is trying to notify people that their systems are vulnerable," said Oliver Friedrichs, a senior manager in Symantec's security response center. The security company first captured a copy of the worm at 1 a.m. on Sunday, but Friedrichs said the spread of the infection is moving slow enough to indicate that the worm could have been released earlier in the week.

German authorities arrested an 18-year-old resident of Waffensen, a small town in the Lower Saxony region of Germany, late on Friday, according to Microsoft, which tipped off authorities after informants came forward with details about the suspected Sasser author. German law enforcement forces believe that the suspect also coded all 28 versions of the mass-mailing computer virus NetSky.

While antivirus experts are not positive whether Sasser.E started spreading before or after the arrest, Microsoft believes that the fifth version of the worm was released four days before the teenager was arrested, according to a representative of the software giant.

"Microsoft's technical analysis of this variant indicates that the E variant was released on Monday, four days prior to the suspect being taken into custody," the representative said.

Antivirus experts do not expect this latest version of Sasser to spread as fast as previous variants. Sasser.E is currently rated a low security threat by antivirus firm Network Associates and rates a "2" on rival Symantec's five-point scale. It is believed to have infected fewer than 100,000 computer systems since its discovery on Saturday night, said Jimmy Kuo, a research fellow with antivirus software maker NAI.

Earlier versions of Sasser received a medium threat rating, with some estimates putting the level of attacks at 500,000 computer systems in the first several days.

Kuo said that additional laws may be necessary to dissuade virus writers from releasing their programs onto the Internet.

"We would hope that there could be laws that would prohibit the posting of malicious code," Kuo said. "Sasser was partially written by some malicious code that was downloaded by the Internet."

This latest version of Sasser attempts to disable Bagle variants by removing the registry keys created by the competing worm. Previous versions of Sasser did not contain this feature.

The Sasser.E code includes this warning to victims of the worm:

1. Your computer is affected by the MS04-011 vulnerability
2. It can be that dangerous computer viruses similar the Blaster worm infect your computer
3. Please update your computer with the MS04-011 LSASS patch from the www.microsoft.com website
4. This is an message from the SkyNet Team for malicious activity prevention

Sasser.E also creates a remote shell on TCP--Transmission Control Protocol--port 1022, rather than 9995. And it also uses file transfer protocol on TCP port 1023, rather than 5554.



		CNET Reviews Sasser prevention and cure How to guard systems against the worm. Also: Sasser prevention and cure.

One antivirus company, Panda Software, suggested the timing of the attack may indicate an "organized group of delinquents" is creating Sasser, since the company's detection of the latest infection came after the arrest of the 18-year-old in Germany.

"This new variant has not gone as far afield in spreading," said Fernando de la Cuadra, an international technical editor for Panda Software. He suggested that the slow rate of infection is largely a result of the patches users have installed since Sasser was first detected in late April.

See more CNET content tagged:
Sasser worm, variant, worm, TCP, computer virus

Latest tech news headlines

The main problem with Windows Vista
Posted in Defensive Computing by Michael Horowitz

September 6, 2008 7:50 PM PDT
Google-focused satellite enters orbit
Posted in News - Digital Media by Jonathan Skillings

September 6, 2008 7:33 PM PDT
In NFL deal, an extra point for Adobe's Flash
Posted in News - Digital Media by Jonathan Skillings

September 6, 2008 6:40 PM PDT

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.

More feeds available in our RSS feed index.

Inside CNET News

Scroll Left Scroll Right

News - Business Tech
Chrome's JavaScript challenge to Silverlight
The advent of Google's Chrome browser, software pros say, should spur a big speedup for JavaScript, which would raise its standing against Microsoft's Silverlight technology.
Gallery
Photos: Top 10 reviews of the week
Here are CNET Reviews' 10 favorite items from the past week, including the TiVo HD XL, Sony Cyber-shot DSC-H50, and the Dish Network's newest digital TV converter box.
News - Apple
Apple watchers spot 'iPod Nano' pix, iTunes hints
The rumor mill has long been predicting a longer, leaner new version of the iPod Nano, and now it's conjuring up some pictures.
Coop's Corner
Chris Shipley 1, Internet lynch mob 0
Demo's impresario goes public with a tart and smartly written riposte to the shoot-from-the-lip crowd.
Video
Katie Couric reflects on first Webcast
The political conventions are over and so are CBS Evening News anchor Katie Couric's first series of Webcasts. CNET's Kara Tsuboi sat down with Couric on the final night of the Republican National Convention to discuss what she liked about Webcasting, some of her most memorable guests, and whether TV news will still be around by the next round of conventions.
News - Digital Media
Google-focused satellite enters orbit
The search titan has exclusive rights among online mapping sites to images from the new GeoEye-1 satellite, which launched Saturday.
Video
YouTube plays party politics
During the presidential campaigning four years ago, YouTube didn't even exist. Now it's a tool candidates must master to get their message across. CNET's Kara Tsuboi stops by the YouTube upload booths at the Democratic and Republican conventions to find out why Google's video site has such a big presence in Denver and St. Paul, Minn.
News - Gaming and Culture
Are Demo and TechCrunch50 fragmenting their audiences?
With both events scheduled to start Monday, many press, as well as venture capitalists and others are having to choose which one to attend.
News - Cutting Edge
Execs predict next Google-like tech
On eve of company's 10-year anniversary, researchers and business pundits speculate about what technologies might someday have as much impact as Google.
Gallery
Images: The art of 'Spore' prototypes
Will Wright and his Maxis team worked on dozens of prototypes to test the elements of their soon-to-be-released evolution game. Here's a sampling.
Webware
At the TechCrunch50, an unfair advantage?
Inside baseball: How Webware and other blogs can compete with TechCrunch in covering the TechCrunch50 event.
Green Tech
Duke Energy to invest in mini solar power plants
Can hundreds of rooftop solar panels collectively operate like a central power plant? Duke Energy launches $100 million distributed solar program to find out.