The latest variant, Sasser.E, was released a week ago, according to Microsoft. It attempts to warn people whose computers are vulnerable that their systems have not been patched for a widespread Microsoft Windows vulnerability exploited by the program.
"It appears that whoever released it is trying to notify people that their systems are vulnerable," said Oliver Friedrichs, a senior manager in Symantec's security response centre. The security company first captured a copy of the worm at 1 a.m. (PST) on Sunday, but Friedrichs said the spread of the infection is moving slow enough to indicate that the worm could have been released earlier in the week.
German authorities arrested an 18-year-old resident of Waffensen, a small town in the Lower Saxony region of Germany, late on Friday, according to Microsoft, which tipped off authorities after informants came forward with details about the suspected Sasser author. German law enforcement forces believe that the suspect also coded all 28 versions of the mass-mailing computer virus NetSky.
While antivirus experts are not certain whether Sasser.E started spreading before or after the arrest, Microsoft believes that the fifth version of the worm was released four days before the teenager was arrested, according to a representative of the software giant.
"Microsoft's technical analysis of this variant indicates that the E variant was released on Monday, four days prior to the suspect being taken into custody," the representative said.
Antivirus experts do not expect this latest version of Sasser to spread as fast as previous variants. Sasser.E is currently rated a low security threat by antivirus firm Network Associates and rates a "2" on rival Symantec's five-point scale. It is believed to have infected fewer than 100,000 computer systems since its discovery on Saturday night, said Jimmy Kuo, a research fellow with antivirus software maker NAI.
Earlier versions of Sasser received a medium threat rating, with some estimates putting the level of attacks at 500,000 computer systems in the first several days.
Kuo said that additional laws may be necessary to dissuade virus writers from releasing their programs onto the Internet.
"We would hope that there could be laws that would prohibit the posting of malicious code," Kuo said. "Sasser was partially written by some malicious code that was downloaded by the Internet."
This latest version of Sasser attempts to disable Bagle variants by removing the registry keys created by the competing worm. Previous versions of Sasser did not contain this feature.
The Sasser.E code includes this warning to victims of the worm:
- 1. Your computer is affected by the MS04-011 vulnerability
- 2. It can be that dangerous computer viruses similar the Blaster worm infect your computer
- 3. Please update your computer with the MS04-011 LSASS patch from the www.microsoft.com website
- 4. This is an message from the SkyNet Team for malicious activity prevention
Sasser.E also creates a remote shell on TCP -- Transmission Control Protocol -- port 1022, rather than 9995. And it also uses file transfer protocol on TCP port 1023, rather than 5554.
One antivirus company, Panda Software, suggested the timing of the attack may indicate an "organised group of delinquents" is creating Sasser, since the company's detection of the latest infection came after the arrest of the 18-year-old in Germany.
"This new variant has not gone as far afield in spreading," said Fernando de la Cuadra, an international technical editor for Panda Software. He suggested that the slow rate of infection is largely a result of the patches that users have installed since Sasser was first detected in late April.
Talkback
It cost me $65 to fix Sasser and Gaobot and three days of computer down time. I use it for my business and I'm really put out.
How does one or a million attakees go after these vermin to pursue a civil judgement for compensation for costs and pain and suffering? Is there an attorney out there who would be willing to start such a probe to represent us users (losers) who would like to see these little bastards made to pay up as well as go to jail?
keeping your windows updated and norton up to date costs you nothing with no down time
I agree, update virus defanitions and proper procations will mean you are not at risk. As a business soluions consultant for a large IT company, I deal with business day in day out who refuse to seek adequate support for there IT unil after a problem arises, and when one does they complain. It's not simply enough to lay ignorant to the fact that there is viruses out there then expect compensation when you are hit by on.
Maybe we're not all as smart as you james...
haha. if you dont secure ur box then ppl will do all sorts of things. secure ur shit. then cry if u get owned.