Free Republic
Browse · Search
News/Activism
Topics · Post Article

Skip to comments.

Sasser Worm Infects Thousands of Computers Worldwide
Bloomberg ^ | May 3, 2004

Posted on 05/03/2004 8:30:21 AM PDT by FourPeas

Edited on 07/19/2004 2:14:00 PM PDT by Jim Robinson. [history]

May 3 (Bloomberg) -- A computer worm called Sasser may have infected hundreds of thousands of computers through the Internet and is still spreading, possibly disrupting business today, a security software expert said.

The worm, which is different than a virus because it doesn't need to be attached to an e-mail to spread, causes a computer to shut down and then reboot several times, apparently without causing any permanent damage, said Mikko Hyppoenen, director of virus research with Helsinki-based F-Secure Oyj. The worm was detected Saturday at 4 a.m. Finnish time, he said.


(Excerpt) Read more at quote.bloomberg.com ...


TOPICS: Business/Economy; Crime/Corruption; Culture/Society; Front Page News; News/Current Events
KEYWORDS: lowqualitycrap; microsoft; sasser; windows; worm
Navigation: use the links below to view more comments.
first previous 1-2021-4041-6061-80 ... 101-116 next last
To: Snowy
You laugh, but I just ducked a call from my mother. Sigh... ;)
41 posted on 05/03/2004 9:46:45 AM PDT by general_re (Drive offensively - the life you save may be your own.)
[ Post Reply | Private Reply | To 40 | View Replies]

To: Billthedrill
You must download the software patch from the Microsoft website. SASSER shuts down your computer soon after getting on the internet, and doesn't give you enough time to download the patch. Anyone have any ideas on how to get around this? I caught this SOB Friday afternoon 4/30/04.
42 posted on 05/03/2004 9:47:15 AM PDT by meanman
[ Post Reply | Private Reply | To 16 | View Replies]

To: Billthedrill
Thanks for the Tool. :)

"Personally, I'd hold out for champagne..."

LOL Which one?

43 posted on 05/03/2004 9:47:57 AM PDT by IamHD
[ Post Reply | Private Reply | To 39 | View Replies]

To: Billthedrill
I switched over to one of my linux servers to work this weekend and today Im on macOSx.3. All my windows boxes are off the net and powered down. Ill watch and wait to see what happens :o)
44 posted on 05/03/2004 9:49:38 AM PDT by ezo4
[ Post Reply | Private Reply | To 39 | View Replies]

To: Snowy
LOL. That's the truth. Don't forget to pull the shades, too.
45 posted on 05/03/2004 9:50:56 AM PDT by FourPeas
[ Post Reply | Private Reply | To 40 | View Replies]

To: IamHD
If your daughter has broadband the first thing is to unplug her computer from the internet. Then I would remove the virus from the registry.

After that I would at least install a software firewall such as zonealarm.
46 posted on 05/03/2004 9:51:47 AM PDT by ParityErr
[ Post Reply | Private Reply | To 36 | View Replies]

To: meanman
Try that tool in post 39 - if you can't get it in time, you may have to download it to another box and cut it over to a floppy (it's only 149KB) or a CD.
47 posted on 05/03/2004 9:54:05 AM PDT by Billthedrill
[ Post Reply | Private Reply | To 42 | View Replies]

To: Snowy
"All of the 'family computer experts' take cover! Unplug your phones! Lock your doors!"


48 posted on 05/03/2004 9:55:01 AM PDT by IamHD
[ Post Reply | Private Reply | To 40 | View Replies]

To: Billthedrill
To download the tool, it says this:

Note: "You must have administrative rights to run this tool on Windows NT 4.0, Windows 2000, or Windows XP."

What does this mean?

49 posted on 05/03/2004 10:03:57 AM PDT by IamHD
[ Post Reply | Private Reply | To 47 | View Replies]

To: Billthedrill
Bookmark
50 posted on 05/03/2004 10:04:46 AM PDT by varina davis
[ Post Reply | Private Reply | To 16 | View Replies]

To: general_re
Block inbound traffic on TCP port 445.

We are doing so from the Internet, but we have more than a thousand outside PC's that connect via RAS or VPN, and they tend to be the weak link in our security. We've blocked 445 at our inbound RAS and VPN concentrators, but it only takes one person inadvertently moving an infected payload on an alternate port, or one variant to switch the port before we can react, and we're infected (updating the concentrator to block certain ports temporarily boots all of the connections while the rules are being updated...booting 1000+ users off the network isn't something that can be done quickly or lightly).

So far, everything looks clean. Our operations guys are actively scanning our network and haven't yet spotted any signs of the virus. Our firewall logs, however, have been showing a pretty dramatic increase in the number of blocked 455 connection attempts since 5AM this morning.
51 posted on 05/03/2004 10:06:14 AM PDT by Arthalion
[ Post Reply | Private Reply | To 29 | View Replies]

To: IamHD
Note: "You must have administrative rights to run this tool on Windows NT 4.0, Windows 2000, or Windows XP."

It means that you are not an administrator to the machine. Is there someone else who uses that machine who is an admin?

52 posted on 05/03/2004 10:08:18 AM PDT by Snowy (Microsoft: "You've got questions? We've got dancing paperclips.")
[ Post Reply | Private Reply | To 49 | View Replies]

To: FourPeas
Got slamed by it. Bump to let all Freepers know about it.
53 posted on 05/03/2004 10:08:51 AM PDT by tort_feasor ( anti-Semitism is not a lifestyle choice)
[ Post Reply | Private Reply | To 1 | View Replies]

To: All
From Reuters:

Sasser Worm Strikes Countless PCs Worldwide

By Brett Young

HELSINKI, Finland (Reuters) - The fast-spreading "Sasser" computer worm has infected hundreds of thousands of PCs globally and the number could rise sharply, a top computer security official said on Monday.

"If you take a normal Windows PC and connect to the Internet, you will be infected in 10 minutes (without protection)," Mikko Hypponen, Anti-Virus research director at Finnish data security firm F-Secure (FSC1V.HE: Quote, Profile, Research) , told Reuters.

"It seems to be gradually getting worse, but it could jump as the U.S. wakes up," he said.

F-Secure says the worm, which surfaced over the weekend, automatically spreads via the Internet to computers using the Microsoft (MSFT.O: Quote, Profile, Research) Windows operating system, especially Windows 2000 and XP.

The spread of the virus has been muted so far, Hypponen said, as it emerged on a weekend, and with holidays closing offices in places like the United Kingdom and Japan on Monday.

But the spread was expected to worsen as the work week hits its stride, Hypponen said, adding he believes the worm originated in Russia.

It was not immediately known what impact the worm was having on computer networks of U.S. companies as they started the business day.

U.S. carrier Delta Air Lines (DAL.N: Quote, Profile, Research) suffered a computer glitch on Saturday that caused delays and cancellations of certain flights across its system, but a spokesman said there was no information yet as to the cause.

A Microsoft representative was not immediately available for comment, but said in a statement that customers could protect themselves by erecting personal firewalls that separate internal networks from public networks, and by downloading Microsoft security patches.

The company also said it was working with law enforcement officials, including the Northwest CyberCrime Taskforce, to analyze the worm and to identify those responsible for it.

Finnish bancassurer Sampo (SAMAS.HE: Quote, Profile, Research) temporarily closed all of its 130 branch offices on Monday as a precaution.

In Australia, Westpac Bank (WBC.AX: Quote, Profile, Research) said it was hit by the worm, and branches had to use pen and paper to allow them to keep trading, The Australian newspaper (http://www.theaustralian.news.com) reported.
"With Sasser it seems that companies are (using software) patches better and more quickly than last year (with virus "Blaster"), but for those that are hit, they are hit hard," Hypponen said.

Blaster infected computers around the globe last year.

NO NEED TO CLICK

The current worm does not need to be activated by double-clicking on an attachment, and can strike even if no one is using the PC at the time. When a machine is infected, error messages may appear and the computer may reboot repeatedly.

"Compared to what happened with Blaster ... last August ... this virus has all the same features," Hypponen said, noting that both worms exploited relatively new holes in Windows and frequently caused computers to reboot.

Microsoft said Blaster cost it "millions of dollars of damages," and has issued a $250,000 bounty for information on the whereabouts of its author.

F-Secure said corporate networks should be protected against Sasser and its variants by firewalls -- Internet road blocks that separate internal from public networks.

F-Secure said the worm emerged 18 days after Microsoft posted a corrective-code software patch on its Web site. This continues a common pattern with viruses whereby companies announce flaws in their software and hackers race to exploit them.

For home computer users, people should make sure they have downloaded the patch from Microsoft to fix the breach. If their computer is infected, it must first be downloaded before the virus is removed or else the PC could catch the worm again.

Hypponen said he was not sure there was a better way for companies to alert users to software problems.

"There are always going to be security holes in mainstream products," he said. "Even if these are not made public, the bad boys will find out about them anyway."





54 posted on 05/03/2004 10:10:50 AM PDT by FourPeas
[ Post Reply | Private Reply | To 1 | View Replies]

To: Snowy
No, it's my daughter's personal computer that she uses at work. There is no network, and she is the only one that uses it. I suppose this means that I will have to manually remove this thing. She got the variant, Sasser B. I will expect a nice dinner from her, 'cause it's gonna take a while to get rid of it. lol
55 posted on 05/03/2004 10:12:14 AM PDT by IamHD
[ Post Reply | Private Reply | To 52 | View Replies]

To: FourPeas
Source: http://www.reuters.com/newsArticle.jhtml;jsessionid=BYADTG24BDCMCCRBAEKSFEY?type=topNews&storyID=5017896&pageNumber=1
56 posted on 05/03/2004 10:12:30 AM PDT by FourPeas
[ Post Reply | Private Reply | To 54 | View Replies]

To: IamHD
Oh, ugh. When you (or whoever) installed the OS on the box you're taking it to, an account was set up with administrative authority on that box and a password put in. If your user account doesn't have administrative authority (i.e. can alter the registry and write to system areas) then you'll have to log in using the local administrator account.

If it's an ordinary, run-of-the-mill workstation, the local user probably does have admin authority - try a blank password if it prompts you. If not, whoever built the box will have to let you know how they configured it. Sorry.

57 posted on 05/03/2004 10:14:14 AM PDT by Billthedrill
[ Post Reply | Private Reply | To 49 | View Replies]

To: FourtySeven
Starts an FTP server on TCP port 5554. This server is used to spread the worm to other hosts.


Attempts to connect to randomly-generated IP addresses on TCP port 445. If a connection is made to a computer, the worm sends shellcode to that computer which may cause it to run a remote shell on TCP port 9996. The worm then uses the shell to cause the computer to connect back to the FTP server on port 5554 and retrieve a copy of the worm. This copy will have a name consisting of 4 or 5 digits followed by _up.exe (eg 74354_up.exe).

The IP addresses generated by the worm are distributed as follows:
50% are completely random
25% have the same first octet as the IP address of the infected host
25% have the same first and second octet as the IP address of the infected host.

The worm starts 128 threads that scan randomly-chosen IP addresses. This demands a lot of CPU time and as a result an infected computer may be so slow as to be barely useable.


http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html

58 posted on 05/03/2004 10:15:12 AM PDT by CyberCowboy777 (Veritas vos liberabit)
[ Post Reply | Private Reply | To 13 | View Replies]

To: FourtySeven
It happens in the background as part of the communications that goes on through the network.
59 posted on 05/03/2004 10:15:22 AM PDT by FourPeas
[ Post Reply | Private Reply | To 13 | View Replies]

To: IamHD
Oh, I see you already know that. Never mind... ;-)
60 posted on 05/03/2004 10:15:53 AM PDT by Billthedrill
[ Post Reply | Private Reply | To 55 | View Replies]


Navigation: use the links below to view more comments.
first previous 1-2021-4041-6061-80 ... 101-116 next last

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
News/Activism
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson