Sasser worms could affect 300 million computers worldwide
 05/03/2004. - Sasser.C is the latest of the new variants of the worm that continue to appear and all indications are that it is the most virulent
- As companies return to work after the weekend, the number of infections could dramatically increase
- Given the seriousness of the situation, Panda Software has raised the virus alert status to red
- The creators of the new Netsky.AC worm -detected a few hours ago- have claimed responsibility for Sasser
- To ensure they are protected, users should install the Microsoft patch that corrects the vulnerability exploited by Sasser
The number of computers affected by the Sasser worm continues to rise, and the situation looks set to worsen as companies return to work after the weekend. Luis Corrons, head of PandaLabs warns of the threat, “Bear in mind that some 300 million computers worldwide are vulnerable to attack by the Sasser worm, which gives an idea of the potential scale of the threat. New variants are also likely to emerge and for this reason, even though we launched a pre-alert at the weekend, we have now declared a red alert.”
 
The Sasser worms are particularly dangerous for corporate environments as they can spread across networks in a matter of seconds. Both the French Stock Exchange and the France Presse news agency have fallen victim to this new malicious code and their communications were affected on Saturday.
 
The situation appears to be even more serious as the creators of the worm are coordinating the continuous launch of new variants in order to increase the probability of infection. PandaLabs has now detected the presence of Sasser.C, which can launch up to 1024 process in memory, making it potentially far more virulent than its predecessors.
 
The appearance of the new Sasser worms is seemingly directly linked to the wave of viruses blighting the Internet over the last few months. PandaLabs has also detected the new Netsky.AC worm, which like its predecessors contains a message hidden inside its code. On this occasion however, there are no insulting messages to the authors of other worms such as Bagle or Mydoom, but instead a message directed at antivirus vendors. The message claims that the authors are also responsible for the Sasser worms:
 
Hey, av firms, do you know that we have programmed the sasser virus?!?. Yeah thats true! Why do you have named it sasser? A Tip: Compare the FTP-Server code with the one from Skynet.V!!! LooL! We are the Skynet...'
 
Here is an part of the sasser sourcecode you named so, lol
 
Given the serious nature of the situation, Panda Software has made its PQRemove utility available, free of charge, to all users to detect and eliminate the viruses. Click here to access the tool.
 
Panda Software informs users that the new worm can be detected and disinfected with an up-to-date antivirus, but it is important to install the Microsoft patch to ensure that Sasser.A doesn’t re-infect computers. The vulnerability exploited by this worm was reported by Microsoft recently in bulletin MS04-011, along with the patch. Panda Software has made the updates necessary to its products available to clients.
 
More information about these and other IT threats is available from: http://www.pandasoftware.com/virus_info/encyclopedia/

Effects  
 
Sasser.D restarts the computer when it attempts to affect it by exploiting the LSASS vulnerability. When this action is carried out, Sasser.D displays the following message on screen:
 
Infection strategy  
 
Sasser.D creates the following files:
 
    *
      SKYNETAVE.EXE in the Windows directory. This file is a copy of the worm.
    *
      WIN2.LOG in the root directory of the C: drive. This file contains the IP address of the affected computer.
 
Sasser.D creates the following entry in the Windows Registry:
 
    *
      HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows\ CurrentVersion\ Run
      skynetave.exe = %windir%\skynetave.exe
      where %windir% is the Windows directory.
      By creating this entry, Sasser.D ensures it is run whenever Windows is started.
 
Means of transmission  
 
Sasser.D spreads via the Internet, by attacking remote computers. In order to do so, it carries out the routine below:
 
    *
      Sasser.D searches for random IP addresses.
    *
      It attempts to connect to those IP addresses through the TCP port 445.
    *
      If successful, it checks if the remote computer contains the LSASS vulnerability.
    *
      If so, Sasser.D opens a shell in the TCP port 9996, with which it sends several commands through the TCP port 5554. Sasser.D downloads itself through the TCP port 5554 to the vulnerable computer via FTP.
    *
      The downloaded copy has a variable name %number%_UP.EXE, where %number% is a random number.
 
When Sasser.D exploits the LSASS vulnerability, it launches a Buffer Overrun in the program LSASS.EXE, thus restarting the computer.
 
Further Details  
 
Sasser.D is written in programming language Visual C++. This worm is 16,384 bytes in size and it is compressed with PE-Compact.

NINOH a écrit :
 
Le premier qui me donne le nom d'un antivirus gratuit qui a été mis à jour contre Sasser dès aujourd'hui gagne.......... ma gratitude.  
 
les antivirus gratuits des éditeurs d'AV payants  

W32.Sasser.D.Worm can run on (but not infect) Windows 95/98/Me computers. Although these operating systems cannot be infected, they can still be used to infect vulnerable systems that they are able to connect to. In this case, the worm will waste a lot of resources so that programs cannot run properly.