Sasser

[Jim Roper]

Switched on tonight and on my home page, BBC News, there is something about the Sasser virus.

I upgraded NAV but the list of virus defintions does not mention the latest version, Sassre.D, that the beeb are talking about. The Symantec site does not mention it either. I don't think I'll download any Email today, assuming that's how it is travelling about.

[Newt]

Jim - this one is similar to the Blaster worm in that you do not need to do anything like opening email to be infected.

 

It is out there and scanning for unprotected systems and when if finds one, infection follows within seconds.

 

MS04-011 security patch will stop it regardless of how current your virus files are - and will stop all the variations since it patches the weak spot this particular worm exploits.

 

Go Here and you will want at least MS04-011, 012, 013, 014 security patches loaded on your system if you have an OS that needs them. Just check the links on the page and read about each of the 011-014 patches.

 

[ 04. May 2004, 09:01 PM: Message edited by: Newt ]

[Jim Roper]

Thanks Newt, my posting secured the desired response as usual.

The beeb site says that broadband users will be the next target of Sasser. Does that mean that it only infects through modems? I doubt it!

[Newt]

Any sort of internet connection suits this particular critter.

 

I added a bit to the first post with links.

[Jim Roper]

I did the update scan but it came back that there was nothing critical.

I've downloaded the rest of the updates and hope they are installed before I have to go to work!

 

Can I disconnect from the web and leave it to install on it's own?

 

[ 04. May 2004, 09:18 PM: Message edited by: Jim Roper ]

[nursejudy]

Though this might be of interest.

From The Times online today.

May 04, 2004

 

Coastguard offices hit by Sasser internet worm

BY AGENCIES

 

 

 

The Coastguard's computer network has been hit by the Sasser worm, which experts suggest will affect up to 18 million computers worldwide.

 

 

 

The worm struck in the early hours of this morning, paralysing computers across the Coastguard's maritime rescue, co-ordination and sector centres.

 

The worm, however, is not affecting rescue services, which mostly use radio for communication.

 

The Coastguard is one of the biggest casualties in the UK. First detected over the weekend, the worm has already infected and estimated one million PCs and knocked out computer systems at banks, transport reservation systems and at European Commission offices.

 

Three major companies yesterday admitted they had been affected - Delta Airlines in the United States and a bank and rail operating company in Australia.

 

Millions more computers are expected to be struck today as workers return from the May Day bank holiday and log on at work. Small and medium-sized businesses are said to be particularly at risk.

 

"It's still going steady. It will be a big problem for a day or two, then it will linger on the internet for weeks, and likely years," said Mikko Hypponen, Anti-Virus Research Director at Finnish data security firm F-Secure.

 

The anti-virus company Panda Software says that it believes that slightly more than 3 per cent of the world's computers, around 18 million out of the estimated 600 million operating worldwide, are infected by Sasser.

 

"Compared to other worms which have appeared on weekends when activity is low, doubly so now that May 1 is a holiday in many countries, this one has positioned itself as one of the quickest-spreading and most virulent," said Luis Corrons of PandaLabs, which has offices in Spain and the United States.

 

Sasser is believed to have originated in Russia. It was first detected last week and began spreading rapidly at the weekend.

 

Unlike a virus, Sasser does not travel through e-mails or attachments. It can spread by itself to any unprotected computer within ten minutes of logging on to the internet.

 

It attacks through recent versions of Microsoft's Windows - Windows 2000, Windows Server 2003 and Windows XP - and causes error messages to appear, and the computer to crash and reboot repeatedly. It appears to do no lasting damage.

 

Although some experts said it could only be picked up from "off the beaten track" websites, such as pornographic sites, or sites where you could illegally download software, others said computers could become infected just by logging on.

 

Graham Cluley, a senior technical consultant at the anti-virus firm Sophos, said: "You can get it just by connecting to the internet, you don't have to open an e-mail or go to a dodgy website.

 

"If you don't have a firewall in place there is a good chance chance you will be hit."

 

The Australian bank Westac has admitted it was hit by the worm, and branches had to use pen and paper to allow them to keep trading, The Australian newspaper reported.

 

Australia's New South Wales trains authority, Rail Corp, may also have been affected. Train traffic was disrupted on Sunday when drivers were prevented from talking to rail traffic controllers, stranding 300,000 passengers on their platforms.

 

Delta Airlines said that it experienced technical glitches on May 1 which forced it to cancel a number of flights.

 

Since laptops are not protected by company firewall systems if used on a server other than the company's, they run the risk of being infected and in turn infect the company's network when used in the office.

 

Mr Cluley added that an e-mail had also emerged which appeared to be from an anti-virus company and warned people they had been infected with the Sasser worm, but if people opened the attachment their computer would be attacked by a new virus.

 

Mark Grady, of IT consultancy Intraliant, said large companies were unlikely to be affected by the Sasser worm as their firewalls would keep it out and they would have regularly up-dated anti-virus software.

 

But he added: "Small to medium size businesses are more at risk. These are the people who should be checking their machines."

 

A security patch to protect computers from the virus can be downloaded from Microsoft's website.

 

[ 04. May 2004, 10:32 PM: Message edited by: nursejudy ]

[Newt]

Jim - if you downloaded them you can certainly disconnect and let them load.

[Jim Roper]

Newt, I was installing the updates and when I tried to close the Microsoft page before disconnecting, I got a message that installation would stop if I closed the page. I had to get to work so I had to stop it. I disabled the network connection(broadband) and left the machine running.

I have just gone through it again and finished the job.

I have just got a firewall warning that something called Com Surrogate is trying to contact a remote source on the internet via DLLHOST.exe.

I think I've used Zone Alarm to block it!

 

[ 05. May 2004, 09:00 AM: Message edited by: Jim Roper ]

[Peter Sharpe]

My computer at work started to crash continually yesterday, sometimes re-booting successfully, but at other times telling me that it was unable to re-boot from the preferred system checkpoint. At other times, the screen blacked out immediately and the pc went into some sort of hibernation mode for a quarter of an hour or more. No virus was found. Could this just be some kind of overheating problem?

[Newt]

Could be hardware but could also be a critter or two that your AV scan missed.

 

Try an online scan. Any of the ones Here should do fine.